feat(sentinèlla): p2p topology with DNS peer discovery

- Replace central sentinel with watcher: each node polls peers discovered
  via a single DNS name with multiple A records (e.g. peers.sentinella.com)
- Auto-detect own IPs via hostname -I; SELF env var available as optional
  override for NAT/floating-IP setups
- Fix Basic Auth bug in router.sh: compare tok against AUTH_TOKENS instead
  of unset $USER/$PASS
- Rename sentinel binary to watcher; drop unused shellplot dep
- Add inetutils to watcher runtime deps for hostname -I
- Update NixOS module: replace sentinel options with watcher p2p options
  (peersDns, self, peersPort, peersScheme, pollingIntervalSec)
- Add sentinèlla test suite: probe-status-empty, probe-disk, watcher-state-file
2026-04-26 21:54:07 +00:00
parent 249d027f6b
commit 6035397e9b
15 changed files with 687 additions and 134 deletions


@@ -100,11 +100,12 @@ in {
];
};
sops.secrets."mailserver/security/hashedPassword" = {};
sops.secrets."mailserver/yukkop/hashedPassword" = {};
sops.secrets."mailserver/snuff/hashedPassword" = {};
sops.secrets."mailserver/antoshka/hashedPassword" = {};
sops.secrets."mailserver/founders/hashedPassword" = {};
sops.secrets."mailserver/security/hashedPassword" = {};
sops.secrets."mailserver/yukkop/hashedPassword" = {};
sops.secrets."mailserver/daniil-pelyk/hashedPassword" = {};
sops.secrets."mailserver/snuff/hashedPassword" = {};
sops.secrets."mailserver/antoshka/hashedPassword" = {};
sops.secrets."mailserver/founders/hashedPassword" = {};
services.mailserver = {
enable = true;
@@ -119,6 +120,9 @@ in {
"yukkop" = {
hashedPasswordFile = config.sops.secrets."mailserver/yukkop/hashedPassword".path;
};
"daniil-pelyk" = {
hashedPasswordFile = config.sops.secrets."mailserver/daniil-pelyk/hashedPassword".path;
};
"snuff" = {
hashedPasswordFile = config.sops.secrets."mailserver/snuff/hashedPassword".path;
};
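Review bot: The new `daniil-pelyk` login account and its `sops.secrets."mailserver/daniil-pelyk/hashedPassword"` declaration are not mentioned anywhere in the commit message, which describes only the sentinèlla watcher/p2p work. Adding a mailbox is an access change on the mail server, so it is easier to audit and revert as its own commit, or at least with its own bullet such as `- mailserver: add daniil-pelyk login account`. The declaration can only resolve at activation if the encrypted sops file carries a matching `mailserver/daniil-pelyk/hashedPassword` key; that file is not visible in this section, so confirm it was updated in the same change. The accounts attribute set begins and ends outside these hunks.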