services: add jellyfin, archivebox, custom dns

- `internal.thegeneralist01.com` and `archive.thegeneralist01.com` are
  not public. I have Split DNS enabled on them (in Tailscale), with the
  IP of the DNS server set to a private Tailscale IP of my home server;
- CoreDNS (also on my home server) is used to resolve the two private
  domains' IPs to the home server itself;
- nginx only listens to its machine's (home server's) Tailscale IP;
- Therefore, all of it is hermetic!

hosts/thegeneralist-central/dns.nix

@@ -0,0 +1,58 @@
+{ pkgs, ... }:
+let
+  internalZoneFile = pkgs.writeText "internal.zone" ''
+    $ORIGIN internal.thegeneralist01.com.
+    @   IN SOA  ns.internal.thegeneralist01.com. thegeneralist01.proton.me. (
+          2025071801 ; serial (yyyymmddXX)
+          3600       ; refresh
+          600        ; retry
+          86400      ; expire
+          3600       ; minimum
+    )
+        IN NS   ns.internal.thegeneralist01.com.
+    ns  IN A    100.86.129.23
+    @   IN A    100.86.129.23
+  '';
+
+  archiveZoneFile = pkgs.writeText "archive.zone" ''
+    $ORIGIN archive.thegeneralist01.com.
+    @   IN SOA  ns.archive.thegeneralist01.com. thegeneralist01.proton.me. (
+          2025073101 ; serial (yyyymmddXX)
+          3600       ; refresh
+          600        ; retry
+          86400      ; expire
+          3600       ; minimum
+    )
+        IN NS   ns.archive.thegeneralist01.com.
+    ns  IN A    100.86.129.23
+    @   IN A    100.86.129.23
+  '';
+in
+{
+  services.coredns = {
+    enable = true;
+    config = ''
+      internal.thegeneralist01.com:53 {
+        file ${internalZoneFile}
+        log
+        errors
+      }
+
+      archive.thegeneralist01.com:53 {
+        file ${archiveZoneFile}
+        log
+        errors
+      }
+
+      .:53 {
+        forward . 100.100.100.100 45.90.28.181 45.90.30.181
+        cache
+        log
+        errors
+      }
+    '';
+  };
+
+  networking.firewall.allowedUDPPorts = [ 53 ];
+  networking.firewall.allowedTCPPorts = [ 53 ];
+}