feat(infra): production bootstrap — cert-manager, longhorn, monitoring

Add new bases for cert-manager (Let's Encrypt + wildcard cert), Longhorn
distributed storage, and monitoring (kube-prometheus-stack + Loki + Tempo
+ Grafana OIDC). Add cloud-init for Scaleway Elastic Metal provisioning.

Production overlay: add patches for postgres sizing, SeaweedFS volume,
OpenSearch storage, LiveKit service, Pingora host ports, resource limits,
and CNPG daily barman backups. Update cert-manager.yaml with full dnsNames
for all *.sunbeam.pt subdomains.

base/longhorn/values.yaml

@@ -0,0 +1,24 @@
+# Longhorn distributed block storage
+# Single-node production deployment — RAID1 hardware already provides redundancy.
+
+defaultSettings:
+  # 1 replica: RAID1 mirrors the disk, so software replication adds no benefit
+  # on a single node and would halve available capacity.
+  defaultReplicaCount: 1
+
+  # Orphan auto-deletion: clean up node/instance orphaned resources automatically
+  orphanAutoDeletion: true
+
+  # Allow volumes to be scheduled on the only available node even when disk
+  # pressure is detected (single-node: no other node to reschedule to).
+  allowVolumeCreationWithDegradedAvailability: true
+
+  # Reduce reserved percentage to 10% — RAID1 hardware provides physical redundancy,
+  # so Longhorn doesn't need to hold back 30% for software replicas.
+  # With 937 GiB disk: 843 GiB schedulable (600 SW + 100 PG + ~143 headroom).
+  storageReservedPercentageForDefaultDisk: 10
+
+# Set Longhorn as the default StorageClass.
+persistence:
+  defaultClass: true
+  defaultClassReplicaCount: 1