refactor: Network Services rebuilt, DHCP decommissioned, infra cleanup

Network Services page is rebuilt around real API data: GET /api/dns/overview
returns provider-aware records; per-service Cloudflare sync is exposed via
POST /api/ddns/sync; effective domain is displayed so operators can verify
what external name resolves to the cell; NTP status reflects the actual
systemd-timesyncd state rather than a hardcoded boolean.

DHCP is fully decommissioned: the cell-dhcp container is removed from
docker-compose.yml, DHCP methods are stripped from network_manager, the
setup_cell script no longer seeds DHCP config, and the Settings DHCP field
is gone. DHCP was never a PIC responsibility and the container was consuming
resources for no benefit.

Dead code removed: api/config.py (superseded by config_manager), the
standalone Email/Calendar/Files pages (these are now optional store services
and do not need dedicated pages). api/constants.py is introduced to hold
RESERVED_SUBDOMAINS in one place rather than scattered literals.

Docker resource limits (mem_limit, cpus, pids_limit) are added to all
compose services so a runaway process cannot starve the host.

Makefile gains a warning before the backup target so operators are not
surprised by the archive path. Settings same/accept state fix ensures
the Cell Identity section correctly shows the accept/discard banner and
does not flash a false-positive change indicator on first load.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

api/constants.py

@@ -0,0 +1,13 @@
+"""
+constants — shared project-wide constants.
+
+Single source of truth for values that multiple managers must agree on.
+"""
+
+# Core PIC infrastructure subdomains — never allow store services to hijack these.
+# 'mail', 'calendar', 'files', 'webdav', 'webmail' are intentionally absent:
+# they belong to official PIC store services and must be claimable by them.
+RESERVED_SUBDOMAINS = frozenset({
+    'api', 'webui', 'admin', 'www', 'ns1', 'ns2',
+    'git', 'registry', 'install',
+})