Add multi-provider DNS registry for ACME DNS-01 challenges

Replace hardcoded Cloudflare DNS-01 with a data-driven provider registry
supporting 11 providers (Cloudflare, Route 53, DigitalOcean, Duck DNS,
Hetzner, Vultr, Porkbun, GoDaddy, Namecheap, OVH, Linode). Users can
configure multiple providers with encrypted credentials and select a
default. Per-certificate provider override is supported via providerOptions.

- Add src/lib/dns-providers.ts with provider definitions, credential
  encrypt/decrypt, and Caddy config builder
- Change DnsProviderSettings to multi-provider format with default selection
- Auto-migrate legacy Cloudflare settings on startup (db.ts)
- Normalize old single-provider format on read (getDnsProviderSettings)
- Refactor buildTlsAutomation() to use provider registry
- Add GET /api/v1/dns-providers endpoint for provider discovery
- Add dns-provider settings group to REST API and instance sync
- Replace Cloudflare settings card with multi-provider UI (add/remove
  providers, set default, dynamic credential forms)
- Add 10 DNS provider modules to Caddy Dockerfile
- Update OpenAPI spec, E2E tests, and unit test mocks

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

app/api/v1/openapi.json/route.ts

@@ -784,6 +784,7 @@ const spec = {
               enum: [
                 "general",
                 "cloudflare",
+                "dns-provider",
                 "authentik",
                 "metrics",
                 "logging",
@@ -807,6 +808,7 @@ const spec = {
                   oneOf: [
                     { $ref: "#/components/schemas/GeneralSettings" },
                     { $ref: "#/components/schemas/CloudflareSettings" },
+                    { $ref: "#/components/schemas/DnsProviderSettings" },
                     { $ref: "#/components/schemas/AuthentikSettings" },
                     { $ref: "#/components/schemas/MetricsSettings" },
                     { $ref: "#/components/schemas/LoggingSettings" },
@@ -836,6 +838,7 @@ const spec = {
               enum: [
                 "general",
                 "cloudflare",
+                "dns-provider",
                 "authentik",
                 "metrics",
                 "logging",
@@ -1864,6 +1867,27 @@ const spec = {
         },
         required: ["apiToken"],
       },
+      DnsProviderSettings: {
+        type: "object",
+        description: "DNS provider configuration for ACME DNS-01 challenges. Supports multiple configured providers with a default.",
+        properties: {
+          providers: {
+            type: "object",
+            additionalProperties: {
+              type: "object",
+              additionalProperties: { type: "string" },
+              description: "Credential key-value pairs for this provider",
+            },
+            description: "Configured providers keyed by name (e.g. { cloudflare: { api_token: '...' }, route53: { ... } })",
+          },
+          default: {
+            type: "string",
+            nullable: true,
+            description: "Name of the default provider used for DNS-01 challenges (null = HTTP-01 only)",
+          },
+        },
+        required: ["providers", "default"],
+      },
       AuthentikSettings: {
         type: "object",
         properties: {