relay1: migrate to wstunnel + WireGuard subnet relay via Headscale

Replace the OpenVPN/OCServ path with a cleaner wstunnel-terminated WireGuard relay on :443, advertise/approve corporate subnet routes through Headscale, and add wsl DNS/route plumbing for tailnet access.

flake.nix

@@ -117,7 +117,7 @@
             profiles.system = createSystemProfile self.nixosConfigurations.hel1;
           };
           relay1 = {
-            hostname = "rl.froidmont.org";
+            hostname = "rl.banditlair.com";
             profiles.system = createSystemProfile self.nixosConfigurations.relay1;
           };
         };