Detect subdomains structurally to skip wildcard entries without certs

Add CUSTOM_TLDS config (HAPROXY_CUSTOM_TLDS env, default: "it.com")
and _get_base_domain() for eTLD+1 detection. _check_subdomain now uses
three layers: registered domains, certificate domains, and structural
analysis. This ensures nocodb.inouter.com never gets a *.nocodb wildcard
entry even when inouter.com has no cert or registration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
kappa
2026-02-08 20:34:57 +09:00
parent 81737bb256
commit 170c48e257
2 changed files with 50 additions and 7 deletions


@@ -39,6 +39,12 @@ CERTS_DIR: str = os.getenv("HAPROXY_CERTS_DIR", "/opt/haproxy/certs")
CERTS_DIR_CONTAINER: str = os.getenv("HAPROXY_CERTS_DIR_CONTAINER", "/etc/haproxy/certs")
ACME_HOME: str = os.getenv("ACME_HOME", os.path.expanduser("~/.acme.sh"))
# Custom multi-part TLDs (e.g., "it.com" treated as a TLD so "anvil.it.com" is a base domain)
# Comma-separated list via env var, or default
CUSTOM_TLDS: frozenset[str] = frozenset(
t.strip() for t in os.getenv("HAPROXY_CUSTOM_TLDS", "it.com").split(",") if t.strip()
)
# Pool configuration
POOL_COUNT: int = int(os.getenv("HAPROXY_POOL_COUNT", "100"))
MAX_SLOTS: int = int(os.getenv("HAPROXY_MAX_SLOTS", "10"))
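Review bot: The CUSTOM_TLDS frozenset comprehension does not normalise the entries, so an operator-supplied value such as HAPROXY_CUSTOM_TLDS="It.Com" or ".it.com" would never match a lowercase hostname, and a name like "anvil.it.com" would then be classified as a subdomain rather than a base domain, which is the opposite of what the comment above it promises. Consider `t.strip().lower().lstrip(".")` in the generator and say in the comment that entries are compared case-insensitively. It would also be worth noting in the comment that setting the variable to an empty string disables the default "it.com" entry entirely rather than adding to it, since that is what the `if t.strip()` filter yields.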