fix: use environmentFile for ACME Cloudflare credentials
credentialFiles enforces _FILE suffix but lego reads CF_DNS_API_TOKEN
directly from the environment. Switch to environmentFile with a
dotenv-format secret containing CLOUDFLARE_DNS_API_TOKEN=<token>.