checkpoint: stalwart deploy, beam-design, migration scripts, config tweaks

Stalwart + Bulwark mail server deployment with OIDC, TLS cert, vault
secrets. Beam design service. Pingora config cleanup. SeaweedFS
replication fix. Kratos values tweak. Migration scripts for mbox/messages
/calendars from La Suite to Stalwart.

base/ingress/pingora-config.yaml

@@ -167,19 +167,7 @@ data:
       prefix  = "/.well-known/"
       backend = "http://stalwart.stalwart.svc.cluster.local:8080"
 
-      # Stalwart OAuth2 endpoints (/authorize/code, /auth/token, /auth/device)
-      [[routes.paths]]
-      prefix  = "/authorize"
-      backend = "http://stalwart.stalwart.svc.cluster.local:8080"
 
-      [[routes.paths]]
-      prefix  = "/auth/"
-      backend = "http://stalwart.stalwart.svc.cluster.local:8080"
-
-      # Stalwart login page (used during OAuth flow)
-      [[routes.paths]]
-      prefix  = "/login"
-      backend = "http://stalwart.stalwart.svc.cluster.local:8080"
 
     [[routes]]
     host_prefix = "messages"
@@ -401,20 +389,8 @@ data:
     host_prefix = "build"
     backend     = "buildkitd.build.svc.cluster.local:1234"
 
-    # SMTP inbound: port 25 → Stalwart for mail delivery.
-    [smtp]
-    listen  = "0.0.0.0:25"
-    backend = "stalwart.stalwart.svc.cluster.local:25"
-
-    # SMTP submission: port 587 → Stalwart for authenticated sending.
-    [smtp-submission]
-    listen  = "0.0.0.0:587"
-    backend = "stalwart.stalwart.svc.cluster.local:587"
-
-    # IMAPS: port 993 → Stalwart for desktop/mobile email clients.
-    [imaps]
-    listen  = "0.0.0.0:993"
-    backend = "stalwart.stalwart.svc.cluster.local:993"
+    # SMTP/IMAP ports are exposed directly on the Stalwart pod via hostPort
+    # (see overlays/production/kustomization.yaml), not through Pingora.
 
     # SSH TCP passthrough: port 22 → Gitea SSH pod (headless service → pod:2222).
     [ssh]