Add HSTS preload for wikipedia.org, refactor related regexes
At this point, all but one of our unified cert domains are "clean"
in that they have no subdomains that don't match the certs to
worry about. The odd man out is just wikimedia.org now, which
still needs a special match to only catch the exact hostnames
matching the cert.
This patch aligns the primary regexes for TLS redirects and HSTS
preload to be identical and match any hostname ending in any of
our unified-cert domains other than wikimedia.org.
wikimedia.org is moved to a separate clause for redirects, and
takes the default in the HSTS case (no preload/includesub).