chore: initial infrastructure scaffold

Kustomize base + overlays for the full Sunbeam k3s stack:
- base/mesh      — Linkerd edge (crds + control-plane + viz)
- base/ingress   — custom Pingora edge proxy
- base/ory       — Kratos 0.60.1 + Hydra 0.60.1 + login-ui
- base/data      — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2
- base/storage   — SeaweedFS master + volume + filer (S3 on :8333)
- base/lasuite   — Hive sync daemon + La Suite app placeholders
- base/media     — LiveKit livekit-server 1.9.0
- base/devtools  — Gitea 12.5.0 (external PG + Valkey)
overlays/local   — sslip.io domain, mkcert TLS, Lima hostPort
overlays/production — stub (TODOs for sunbeam.pt values)
scripts/         — local-up/down/certs/urls helpers
justfile         — up / down / certs / urls targets

base/devtools/gitea-values.yaml

@@ -0,0 +1,76 @@
+# Base Gitea Helm values (chart: gitea/gitea, v12.5.0).
+# DOMAIN_SUFFIX is replaced by overlay patches.
+# Reference: https://gitea.com/gitea/helm-gitea/src/branch/main/values.yaml
+
+# Disable bundled DB and cache — we use shared CloudNativePG + Valkey
+postgresql:
+  enabled: false
+postgresql-ha:
+  enabled: false
+valkey-cluster:
+  enabled: false
+valkey:
+  enabled: false
+
+gitea:
+  config:
+    server:
+      DOMAIN:           src.DOMAIN_SUFFIX
+      ROOT_URL:         https://src.DOMAIN_SUFFIX/
+      SSH_DOMAIN:       src.DOMAIN_SUFFIX
+      LFS_START_SERVER: "true"
+
+    database:
+      DB_TYPE: postgres
+      HOST:    postgres-rw.data.svc.cluster.local:5432
+      NAME:    gitea_db
+      USER:    gitea
+      # PASSWD injected via additionalConfigFromEnvs below
+
+    cache:
+      ADAPTER: redis
+      # Valkey is Redis protocol-compatible; Gitea's redis adapter works against Valkey
+      HOST:    redis://valkey.data.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s
+
+    session:
+      PROVIDER:        redis
+      PROVIDER_CONFIG: redis://valkey.data.svc.cluster.local:6379/1?pool_size=100&idle_timeout=180s
+
+    queue:
+      TYPE:     redis
+      CONN_STR: redis://valkey.data.svc.cluster.local:6379/2?pool_size=100&idle_timeout=180s
+
+    storage:
+      STORAGE_TYPE:   minio
+      MINIO_ENDPOINT: seaweedfs-filer.storage.svc.cluster.local:8333
+      MINIO_BUCKET:   sunbeam-git-lfs
+      MINIO_USE_SSL:  "false"
+      # MINIO_ACCESS_KEY_ID / MINIO_SECRET_ACCESS_KEY from gitea-s3-credentials Secret
+
+  additionalConfigFromEnvs:
+    - name: GITEA__DATABASE__PASSWD
+      valueFrom:
+        secretKeyRef:
+          name: gitea-db-credentials
+          key: password
+    - name: GITEA__STORAGE__MINIO_ACCESS_KEY_ID
+      valueFrom:
+        secretKeyRef:
+          name: gitea-s3-credentials
+          key: access-key
+    - name: GITEA__STORAGE__MINIO_SECRET_ACCESS_KEY
+      valueFrom:
+        secretKeyRef:
+          name: gitea-s3-credentials
+          key: secret-key
+
+resources:
+  limits:
+    memory: 256Mi
+  requests:
+    memory: 128Mi
+    cpu: 100m
+
+persistence:
+  enabled: true
+  size: 5Gi

base/devtools/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: devtools
+
+resources:
+  - namespace.yaml
+
+helmCharts:
+  # helm repo add gitea-charts https://dl.gitea.com/charts/
+  # Note: Gitea chart v10+ replaced Redis with Valkey-cluster by default.
+  # We disable bundled DB/cache (external CloudNativePG + Redis — see gitea-values.yaml).
+  - name: gitea
+    repo: https://dl.gitea.com/charts/
+    version: "12.5.0"
+    releaseName: gitea
+    namespace: devtools
+    valuesFile: gitea-values.yaml

base/devtools/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: devtools
+  annotations:
+    linkerd.io/inject: enabled