srv_prepare: bump conntrack + SYN backlog for VPN workload

[findias]

Why

Default Ubuntu ships nf_conntrack_max=8192 — adequate for a desktop, dangerously small for a VPN aggregation point. EU production was silently dropping packets:

$ dmesg | grep nf_conntrack
nf_conntrack: table full, dropping packet  (×many, recent)

$ cat /proc/net/stat/nf_conntrack | awk 'NR==2 {print "drops:" $11 " inserts_failed:" $9}'
drops: 55667    inserts_failed: 29371

Compounds with tcp_timeout_established=432000 (5 days), which holds VPN slots even after clients disconnect.

Symptom: TLS handshakes from any source IP not already warm in the conntrack table fail intermittently. Discovered while bringing vm_my_ru2 online — new source IP, no warm entries, handshakes broke.

Fix

Adds four entries to srv_prepare_bbr_settings (the dict the role already loops through):

net.netfilter.nf_conntrack_max: 131072
net.netfilter.nf_conntrack_buckets: 131072
net.netfilter.nf_conntrack_tcp_timeout_established: 3600
net.ipv4.tcp_max_syn_backlog: 4096

Memory cost: ~50 MB on a 1vCPU/1GB box. Acceptable.

Status

• Live patched on vm_my_srv via sysctl -w and /etc/sysctl.d/99-vpn-tuning.conf already (no waiting on this PR for relief).
• This PR is the codification — every future srv_prepare apply will write the same values into /etc/sysctl.conf, so a fresh box gets them too.
• All hosts in groups['cloud'] and groups['ru'] will receive the new values on next role apply.

Test plan

• YAML validates (python3 -c "yaml.safe_load(open(..))")
• dmesg no new conntrack-table-full entries since live patch (~30 min ago).
• Reviewer note: this does NOT close the separate "TLS handshake from vm_my_ru2 fails on 3/4 v2 Reality SNIs" issue. That bug has a different root cause — TCP-level connectivity is 100%, conntrack pressure is gone, but the handshake still stalls at TLS layer. Tracked separately; needs tcpdump investigation on EU :443.

Closes a latent capacity bug that would have hit any rapidly-growing user base with or without multi-RU.