add: Internal DNS for kavcorp.com domains via Pi-hole

- Added *.kavcorp.com DNS entries pointing to Traefik (10.4.2.10)
- Internal clients can use https://jellyfin.kavcorp.com with valid certs
- Same URLs work internally and externally, no port numbers needed
- Also added Traefik internal entrypoint on :8080 for .kav HTTP access

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/DECISIONS.md

@@ -55,12 +55,13 @@
 - `.local` - Conflicts with mDNS/Bonjour
 - `.home.arpa` - RFC 8375 compliant but verbose
 
-**Usage**: Services accessible via `http://<service>.kav:8080/` (routed through Traefik)
+**Usage**:
+- **HTTPS (recommended)**: `https://<service>.kavcorp.com` - valid Let's Encrypt certs, works internally and externally
+- **HTTP (optional)**: `http://<service>.kav:8080/` - internal only, no certs needed
 
-**Internal Routing via Traefik**:
-- Pi-hole resolves `.kav` domains to Traefik (10.4.2.10)
-- Traefik `internal` entrypoint on port 8080 routes to backend services
-- No port numbers needed per-service, just use `:8080` for all
+**Internal DNS Configuration**:
+- Pi-hole resolves `*.kavcorp.com` to Traefik (10.4.2.10) for internal HTTPS access
+- Pi-hole resolves `.kav` domains to Traefik for HTTP:8080 access
 - Direct access (no Traefik): pm1-4.kav, elantris.kav, kavnas.kav, docker hosts, mqtt.kav, zwave.kav
 
 ### SSH Access Policy