feat: use ${SUBDOMAIN} variable in all templates

All 51 docker-compose.yml: replaced hardcoded subdomain.${DOMAIN}
with ${SUBDOMAIN}.${DOMAIN} in Traefik labels, app env vars, and
comments.

All 51 .felhom.yml: added SUBDOMAIN deploy field (type: subdomain)
with default matching existing subdomain metadata value.

Works with felhom-controller v0.27.0 which validates and stores the
user-chosen subdomain in app.yaml. Existing deployed apps get
SUBDOMAIN auto-injected via InjectMissingFields() on next sync.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

templates/vaultwarden/docker-compose.yml

@@ -1,5 +1,5 @@
 # Vaultwarden - Password Manager (Bitwarden-compatible)
-# Domain: vault.${DOMAIN}
+# Domain: ${SUBDOMAIN}.${DOMAIN}
 # Database: None (SQLite, built-in)
 # RAM: ~50MB (mem_limit: 256M) | Pi-compatible: Yes
 #
@@ -9,13 +9,13 @@
 #   SIGNUPS_ALLOWED   - Set to "false" after creating your account(s)
 #
 # First-time setup:
-#   1. Visit https://vault.${DOMAIN} and create an account
+#   1. Visit https://${SUBDOMAIN}.${DOMAIN} and create an account
 #   2. Set SIGNUPS_ALLOWED=false via the controller
-#   3. Admin panel at https://vault.${DOMAIN}/admin (if ADMIN_TOKEN set)
+#   3. Admin panel at https://${SUBDOMAIN}.${DOMAIN}/admin (if ADMIN_TOKEN set)
 #
 # Clients:
 #   Use any Bitwarden client (desktop, mobile, browser extension)
-#   Set server URL to: https://vault.${DOMAIN}
+#   Set server URL to: https://${SUBDOMAIN}.${DOMAIN}
 
 services:
   vaultwarden:
@@ -23,7 +23,7 @@ services:
     container_name: vaultwarden
     restart: unless-stopped
     environment:
-      - DOMAIN=https://vault.${DOMAIN}
+      - DOMAIN=https://${SUBDOMAIN}.${DOMAIN}
       - SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-true}
       - ADMIN_TOKEN=${ADMIN_TOKEN:-}
       - WEBSOCKET_ENABLED=true
@@ -44,7 +44,7 @@ services:
       start_period: 10s
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.vaultwarden.rule=Host(`vault.${DOMAIN}`)"
+      - "traefik.http.routers.vaultwarden.rule=Host(`${SUBDOMAIN}.${DOMAIN}`)"
       - "traefik.http.routers.vaultwarden.entrypoints=websecure"
       - "traefik.http.routers.vaultwarden.tls=true"
       - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"