feat(infra): production bootstrap — cert-manager, longhorn, monitoring

Add new bases for cert-manager (Let's Encrypt + wildcard cert), Longhorn
distributed storage, and monitoring (kube-prometheus-stack + Loki + Tempo
+ Grafana OIDC). Add cloud-init for Scaleway Elastic Metal provisioning.

Production overlay: add patches for postgres sizing, SeaweedFS volume,
OpenSearch storage, LiveKit service, Pingora host ports, resource limits,
and CNPG daily barman backups. Update cert-manager.yaml with full dnsNames
for all *.sunbeam.pt subdomains.

overlays/production/kustomization.yaml

@@ -3,14 +3,12 @@ kind: Kustomization
 
 # Production overlay — targets Scaleway Elastic Metal (Paris)
 #
-# Deploy (DOMAIN_SUFFIX and ACME_EMAIL are substituted by sed):
-#   DOMAIN="yourdomain.com" EMAIL="ops@yourdomain.com"
-#   kustomize build overlays/production/ \
-#     | sed -e "s/DOMAIN_SUFFIX/${DOMAIN}/g" -e "s/ACME_EMAIL/${EMAIL}/g" \
-#     | kubectl apply --server-side --force-conflicts -f -
+# Deploy (DOMAIN_SUFFIX and ACME_EMAIL are substituted by sunbeam apply):
+#   sunbeam apply --env production --domain yourdomain.com
 
 resources:
-  - ../../base/mesh
+  - ../../base/longhorn
+  - ../../base/cert-manager
   - ../../base/ingress
   - ../../base/ory
   - ../../base/data
@@ -18,20 +16,42 @@ resources:
   - ../../base/lasuite
   - ../../base/media
   - ../../base/devtools
+  - ../../base/vso
+  - ../../base/monitoring
   # cert-manager ClusterIssuer + Certificate (requires cert-manager to be installed)
   - cert-manager.yaml
+  # CNPG daily backup schedule
+  - postgres-scheduled-backup.yaml
 
 images:
-  # Set to your container registry. DOMAIN_SUFFIX is substituted by sed.
-  - name: sunbeam-proxy
-    newName: src.DOMAIN_SUFFIX/sunbeam/sunbeam-proxy
+  # La Gaufre integration service — built and pushed by `sunbeam build integration`
+  - name: integration
+    newName: src.DOMAIN_SUFFIX/studio/integration
+    newTag: latest
+
+  # Meet — built from source and pushed to Gitea registry.
+  - name: meet-backend
+    newName: src.DOMAIN_SUFFIX/studio/meet-backend
+    newTag: latest
+  - name: meet-frontend
+    newName: src.DOMAIN_SUFFIX/studio/meet-frontend
     newTag: latest
 
 patches:
-  - path: values-pingora.yaml
+  # Pingora host ports — bind :80/:443 to the host network
+  - path: patch-pingora-hostport.yaml
 
-  # TODO: set OIDC redirect URIs to https://*.sunbeam.pt/...
-  # - path: values-ory.yaml
+  # Production resource limits for 64 GiB server
+  - path: values-resources.yaml
 
-  # TODO: set production resource limits (64 GB server)
-  # - path: values-resources.yaml
+  # LiveKit TURN service: ClusterIP (Pingora routes TURN traffic on :443)
+  - path: patch-livekit-service.yaml
+
+  # CNPG: production sizing (500 Gi, 8 Gi RAM) + barman S3 backup config
+  - path: patch-postgres-production.yaml
+
+  # OpenSearch: expand PVC to 50 Gi
+  - path: patch-opensearch-storage.yaml
+
+  # SeaweedFS volume: expand PVC to 600 Gi
+  - path: patch-seaweedfs-volume-size.yaml