feat(proxy): add SSH TCP passthrough and graceful HTTP-only startup

Add optional [ssh] config block that proxies port 22 → Gitea SSH pod,
running on a dedicated thread/runtime matching the cert-watcher pattern.

Also start HTTP-only on first deploy when the TLS cert file doesn't exist
yet — once ACME challenge completes and the cert watcher writes the file,
a graceful upgrade adds the TLS listener without downtime.

Fix ACME watcher to handle InitApply events (kube-runtime v3+) so
Ingresses that existed before the proxy started are picked up correctly.

Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>

src/config.rs

@@ -2,12 +2,22 @@ use anyhow::{Context, Result};
 use serde::Deserialize;
 use std::fs;
 
+#[derive(Debug, Deserialize, Clone)]
+pub struct SshConfig {
+    /// Address to bind the SSH listener on, e.g. "0.0.0.0:22".
+    pub listen: String,
+    /// Upstream backend address, e.g. "gitea-ssh.devtools.svc.cluster.local:2222".
+    pub backend: String,
+}
+
 #[derive(Debug, Deserialize, Clone)]
 pub struct Config {
     pub listen: ListenConfig,
     pub tls: TlsFileConfig,
     pub telemetry: TelemetryConfig,
     pub routes: Vec<RouteConfig>,
+    /// Optional SSH TCP passthrough (port 22 → Gitea SSH).
+    pub ssh: Option<SshConfig>,
 }
 
 #[derive(Debug, Deserialize, Clone)]