feat(infra): production bootstrap — cert-manager, longhorn, monitoring

Add new bases for cert-manager (Let's Encrypt + wildcard cert), Longhorn
distributed storage, and monitoring (kube-prometheus-stack + Loki + Tempo
+ Grafana OIDC). Add cloud-init for Scaleway Elastic Metal provisioning.

Production overlay: add patches for postgres sizing, SeaweedFS volume,
OpenSearch storage, LiveKit service, Pingora host ports, resource limits,
and CNPG daily barman backups. Update cert-manager.yaml with full dnsNames
for all *.sunbeam.pt subdomains.

cloud-init.yaml

@@ -0,0 +1,47 @@
+#cloud-config
+# Scaleway Elastic Metal — latest Debian
+# Provisions: sienna user w/ GitHub SSH keys, k3s (traefik disabled)
+
+users:
+  - name: sienna
+    groups: [sudo]
+    shell: /bin/bash
+    sudo: "ALL=(ALL) NOPASSWD:ALL"
+    ssh_import_id:
+      - gh:siennathesane
+
+# Lock root and default debian user from password auth (SSH keys only)
+disable_root: true
+
+package_update: true
+package_upgrade: true
+
+packages:
+  - curl
+  - ca-certificates
+  - jq
+
+# Write k3s config before the installer runs so traefik is never started
+write_files:
+  - path: /etc/rancher/k3s/config.yaml
+    owner: root:root
+    permissions: "0644"
+    content: |
+      disable:
+        - traefik
+
+runcmd:
+  # Install k3s (picks up /etc/rancher/k3s/config.yaml automatically)
+  - curl -sfL https://get.k3s.io | sh -
+  # Allow sienna to use kubectl without sudo
+  - mkdir -p /home/sienna/.kube
+  - cp /etc/rancher/k3s/k3s.yaml /home/sienna/.kube/config
+  - chown -R sienna:sienna /home/sienna/.kube
+  - chmod 600 /home/sienna/.kube/config
+  # Fix server address in kubeconfig (loopback is fine for local use)
+  - systemctl enable --now k3s
+
+final_message: |
+  Sunbeam node ready. k3s installed, traefik disabled.
+  SSH: ssh sienna@<server-ip>
+  kubectl: KUBECONFIG=~/.kube/config kubectl get nodes