site-config: dedupe cross-host values, fix stale dark-reader urls, drop desktop 1g hugepages

new site-config.nix holds values previously duplicated across hosts:
  domain, old_domain, contact_email, timezone, binary_cache (url + pubkey),
  dns_servers, lan (cidr + gateway), hosts.{muffin,yarn} (ip/alias/ssh_host_key),
  ssh_keys.{laptop,desktop,ci_deploy}.

threaded through specialArgs on all three hosts + home-manager extraSpecialArgs +
homeConfigurations.primary + serverLib. service-configs.nix now takes
{ site_config } as a function arg and drops its https namespace; per-service
domains (gitea/matrix/ntfy/mollysocket/livekit/firefox-sync/grafana) are
derived from site_config.domain. ~15 service files and 6 vm tests migrated.

breakage fixes rolled in:
 - home/progs/zen/dark-reader.nix: 5 stale *.gardling.com entries in
   disabledFor rewritten to *.sigkill.computer (caddy 301s the old names so
   these never fired and the new sigkill urls were getting dark-reader applied)
 - modules/desktop-common.nix: drop unused hugepagesz=1G/hugepages=3
   kernelParams (no consumer on mreow or yarn; xmrig on muffin still reserves
   its own via services/monero/xmrig.nix)

verification: muffin toplevel is bit-identical to pre-refactor baseline.
mreow/yarn toplevels differ only in boot.json kernelParams + darkreader
storage.js (nix-diff verified). deployGuardTest and fail2banVaultwardenTest
(latter exercises site_config.domain via bitwarden.nix) pass.

services/matrix/coturn.nix

@@ -1,13 +1,14 @@
 {
   config,
   lib,
+  site_config,
   service_configs,
   ...
 }:
 {
   services.coturn = {
     enable = true;
-    realm = service_configs.https.domain;
+    realm = site_config.domain;
     use-auth-secret = true;
     static-auth-secret-file = config.age.secrets.coturn-auth-secret.path;
     listening-port = service_configs.ports.public.coturn.port;

services/matrix/matrix.nix

@@ -1,5 +1,6 @@
 {
   config,
+  site_config,
   service_configs,
   lib,
   ...
@@ -23,7 +24,7 @@
 
     settings.global = {
       port = [ service_configs.ports.private.matrix.port ];
-      server_name = service_configs.https.domain;
+      server_name = site_config.domain;
       allow_registration = true;
       registration_token_file = config.age.secrets.matrix-reg-token.path;
 
@@ -43,14 +44,14 @@
       # TURN server config (coturn)
       turn_secret_file = config.age.secrets.matrix-turn-secret.path;
       turn_uris = [
-        "turn:${service_configs.https.domain}?transport=udp"
-        "turn:${service_configs.https.domain}?transport=tcp"
+        "turn:${site_config.domain}?transport=udp"
+        "turn:${site_config.domain}?transport=tcp"
       ];
       turn_ttl = 86400;
     };
   };
 
-  services.caddy.virtualHosts.${service_configs.https.domain}.extraConfig = lib.mkBefore ''
+  services.caddy.virtualHosts.${site_config.domain}.extraConfig = lib.mkBefore ''
     header /.well-known/matrix/* Content-Type application/json
     header /.well-known/matrix/* Access-Control-Allow-Origin *
     respond /.well-known/matrix/server `{"m.server": "${service_configs.matrix.domain}:${builtins.toString service_configs.ports.public.https.port}"}`