feat: wildcard TLS certificate *.csrx.ru via Cloudflare DNS-01

Add tls.stores.default.defaultGeneratedCert in dynamic config:
- Traefik requests one *.csrx.ru + csrx.ru SAN cert via DNS-01
- All existing and future subdomains use this single cert
- No per-service cert issuance wait when adding new services
- Cert auto-renewed by Traefik ~30 days before expiry

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

roles/services/templates/traefik/dynamic/routes.yml.j2

@@ -1,6 +1,19 @@
 # Traefik dynamic routing config — generated by Ansible
 # Do not edit manually; re-run ansible-playbook deploy.yml
 
+# ── Wildcard TLS certificate via Cloudflare DNS-01 ────────────────────────────
+# One cert covers ALL *.csrx.ru subdomains + root csrx.ru.
+# Adding a new service = zero cert wait time, Traefik reuses this cert.
+tls:
+  stores:
+    default:
+      defaultGeneratedCert:
+        resolver: letsencrypt
+        domain:
+          main: "*.{{ domain_base }}"
+          sans:
+            - "{{ domain_base }}"
+
 http:
   routers:
     traefik-dashboard: