fix: embed DNAT rules in wg0.conf PostUp for persistence + fix dns_ip in server config

DNAT rules applied via docker exec are lost whenever wg-easy reloads the
WireGuard interface (PostDown flushes the nat table then PostUp only
re-adds static rules). Fix: embed DNS (port 53) and service (port 80)
DNAT rules directly in wg0.conf PostUp/PostDown so they reapply on every
interface restart. ensure_postup_dnat() patches existing configs on startup.

get_server_config() now returns the WG server IP (e.g. 10.0.0.1) for
dns_ip instead of the cell-dns container IP (172.20.0.3). This makes the
value consistent with what get_peer_config() writes into the .conf file,
and fixes the stale hint text in Peers.jsx and WireGuard.jsx.

UI: fallback dns_ip changed from 172.20.0.3 to 10.0.0.1; split-tunnel
fallback drops the 172.20.0.0/16 stale range.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-02 04:07:10 -04:00
parent 9a800e3b6b
commit f1666ba19c
5 changed files with 169 additions and 9 deletions
@@ -305,6 +305,9 @@ def _apply_startup_enforcement():
firewall_manager.apply_all_peer_rules(peers)
firewall_manager.apply_all_cell_rules(cell_links)
firewall_manager.ensure_cell_api_dnat()
# Embed DNAT rules in PostUp so they survive WireGuard interface restarts,
# then also apply them immediately for the current session.
wireguard_manager.ensure_postup_dnat()
firewall_manager.ensure_dns_dnat()
firewall_manager.ensure_service_dnat()
# Restore any cell link WireGuard peers that were lost from wg0.conf
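Review bot: the new wireguard_manager.ensure_postup_dnat() call sits ahead of firewall_manager.ensure_dns_dnat() and firewall_manager.ensure_service_dnat() with no error handling, so a failure while patching wg0.conf (the commit message says this edits existing configs on startup) propagates out of _apply_startup_enforcement() and the immediate rules for the current session are never applied either, leaving both the persistent and the live path broken at once. Suggest catching and logging the config-patch failure around `wireguard_manager.ensure_postup_dnat()` so the two ensure_*_dnat() calls still run, or documenting in the comment that a config-patch failure is meant to abort enforcement. Also, firewall_manager.ensure_cell_api_dnat() on the line above is left outside the PostUp embedding even though the comment says the point of the change is surviving interface restarts; either it needs the same treatment or the comment should state why it is excluded.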