site-config: dedupe cross-host values, fix stale dark-reader urls, drop desktop 1g hugepages

new site-config.nix holds values previously duplicated across hosts:
  domain, old_domain, contact_email, timezone, binary_cache (url + pubkey),
  dns_servers, lan (cidr + gateway), hosts.{muffin,yarn} (ip/alias/ssh_host_key),
  ssh_keys.{laptop,desktop,ci_deploy}.

threaded through specialArgs on all three hosts + home-manager extraSpecialArgs +
homeConfigurations.primary + serverLib. service-configs.nix now takes
{ site_config } as a function arg and drops its https namespace; per-service
domains (gitea/matrix/ntfy/mollysocket/livekit/firefox-sync/grafana) are
derived from site_config.domain. ~15 service files and 6 vm tests migrated.

breakage fixes rolled in:
 - home/progs/zen/dark-reader.nix: 5 stale *.gardling.com entries in
   disabledFor rewritten to *.sigkill.computer (caddy 301s the old names so
   these never fired and the new sigkill urls were getting dark-reader applied)
 - modules/desktop-common.nix: drop unused hugepagesz=1G/hugepages=3
   kernelParams (no consumer on mreow or yarn; xmrig on muffin still reserves
   its own via services/monero/xmrig.nix)

verification: muffin toplevel is bit-identical to pre-refactor baseline.
mreow/yarn toplevels differ only in boot.json kernelParams + darkreader
storage.js (nix-diff verified). deployGuardTest and fail2banVaultwardenTest
(latter exercises site_config.domain via bitwarden.nix) pass.

services/caddy/caddy.nix

@@ -1,5 +1,6 @@
 {
   config,
+  site_config,
   service_configs,
   pkgs,
   lib,
@@ -42,8 +43,8 @@ let
     '';
   };
 
-  newDomain = service_configs.https.domain;
-  oldDomain = service_configs.https.old_domain;
+  newDomain = site_config.domain;
+  oldDomain = site_config.old_domain;
 in
 {
   imports = [
@@ -54,7 +55,7 @@ in
 
   services.caddy = {
     enable = true;
-    email = "titaniumtown@proton.me";
+    email = site_config.contact_email;
 
     # Build with Njalla DNS provider for DNS-01 ACME challenges (wildcard certs)
     package = pkgs.caddy.withPlugins {
@@ -146,8 +147,9 @@ in
       # defaults: maxretry=5, findtime=10m, bantime=10m
 
       # Ignore local network IPs - NAT hairpinning causes all LAN traffic to
-      # appear from the router IP (192.168.1.1). Banning it blocks all internal access.
-      ignoreip = "127.0.0.1/8 ::1 192.168.1.0/24";
+      # appear from the router IP (site_config.lan.gateway). Banning it
+      # blocks all internal access.
+      ignoreip = "127.0.0.1/8 ::1 ${site_config.lan.cidr}";
     };
     filter.Definition = {
       # Only match 401s where an Authorization header was actually sent.

services/caddy/caddy_senior_project.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  site_config,
   service_configs,
   inputs,
   ...
@@ -32,7 +33,7 @@ let
   };
 in
 {
-  services.caddy.virtualHosts."senior-project.${service_configs.https.domain}".extraConfig = ''
+  services.caddy.virtualHosts."senior-project.${site_config.domain}".extraConfig = ''
     root * ${hugoWebsite}
     file_server browse
   '';