feat(infra): production bootstrap — cert-manager, longhorn, monitoring

Add new bases for cert-manager (Let's Encrypt + wildcard cert), Longhorn
distributed storage, and monitoring (kube-prometheus-stack + Loki + Tempo
+ Grafana OIDC). Add cloud-init for Scaleway Elastic Metal provisioning.

Production overlay: add patches for postgres sizing, SeaweedFS volume,
OpenSearch storage, LiveKit service, Pingora host ports, resource limits,
and CNPG daily barman backups. Update cert-manager.yaml with full dnsNames
for all *.sunbeam.pt subdomains.

overlays/production/patch-postgres-production.yaml

@@ -0,0 +1,45 @@
+# Production CNPG cluster sizing for 12-core, 64 GiB Elastic Metal.
+# Barman backs up WAL + base backups to Scaleway Object Storage (s3://sunbeam-backups/postgres).
+# barman-s3-creds K8s Secret is synced by VSO from secret/scaleway-s3 in OpenBao.
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: postgres
+  namespace: data
+spec:
+  instances: 1
+
+  postgresql:
+    parameters:
+      max_connections: "200"
+      shared_buffers: "2GB"
+      effective_cache_size: "6GB"
+      work_mem: "16MB"
+      maintenance_work_mem: "512MB"
+
+  storage:
+    size: 100Gi
+
+  resources:
+    requests:
+      memory: 4Gi
+      cpu: "2"
+    limits:
+      memory: 8Gi
+
+  backup:
+    barmanObjectStore:
+      destinationPath: "s3://sunbeam-backups/postgres"
+      endpointURL: "https://s3.fr-par.scw.cloud"
+      s3Credentials:
+        accessKeyId:
+          name: barman-s3-creds
+          key: ACCESS_KEY_ID
+        secretAccessKey:
+          name: barman-s3-creds
+          key: ACCESS_SECRET_KEY
+      wal:
+        compression: gzip
+      data:
+        compression: gzip
+    retentionPolicy: "30d"