feat: bring up local dev stack — all services running

- Ory Hydra + Kratos: fixed secret management, DSN config, DB migrations,
  OAuth2Client CRD (helm template skips crds/ dir), login-ui env vars
- SeaweedFS: added s3.json credentials file via -s3.config CLI flag
- OpenBao: standalone mode with auto-unseal sidecar, keys in K8s secret
- OpenSearch: increased memory to 1.5Gi / JVM 1g heap
- Gitea: SSL_MODE disable, S3 bucket creation fixed
- Hive: automountServiceAccountToken: false (Lima virtiofs read-only rootfs quirk)
- LiveKit: API keys in values, hostPort conflict resolved
- Linkerd: native sidecar (proxy.nativeSidecar=true) to avoid blocking Jobs
- All placeholder images replaced: pingora→nginx:alpine, login-ui→oryd/kratos-selfservice-ui-node

Full stack running: postgres, valkey, openbao, opensearch, seaweedfs,
kratos, hydra, gitea, livekit, hive (placeholder), login-ui

base/ory/hydra-values.yaml

@@ -1,11 +1,13 @@
 # Base Ory Hydra Helm values.
-# DOMAIN_SUFFIX is replaced by overlay patches.
-# DSN and system secrets come from the overlay-specific Secret.
+# DOMAIN_SUFFIX is replaced at apply time via sed.
+# secret.enabled: false — we create the "hydra" K8s Secret via seed script.
+# DSN is set in config (chart strips it from env, so must be in values).
 
 hydra:
+  automigration:
+    enabled: true
   config:
-    dsn: "postgresql://hydra:$(HYDRA_DB_PASSWORD)@postgres-rw.data.svc.cluster.local:5432/hydra_db"
-
+    dsn: "postgresql://hydra:localdev@postgres-rw.data.svc.cluster.local:5432/hydra_db?sslmode=disable"
     urls:
       self:
         issuer: https://auth.DOMAIN_SUFFIX/
@@ -14,19 +16,6 @@ hydra:
       logout: https://auth.DOMAIN_SUFFIX/logout
       error: https://auth.DOMAIN_SUFFIX/error
 
-    secrets:
-      system:
-        - $(HYDRA_SYSTEM_SECRET)
-      cookie:
-        - $(HYDRA_COOKIE_SECRET)
-
-    oidc:
-      subject_identifiers:
-        supported_types:
-          - public
-        pairwise:
-          salt: $(HYDRA_PAIRWISE_SALT)
-
     serve:
       cookies:
         same_site_mode: Lax
@@ -36,6 +25,11 @@ hydra:
           allowed_origins:
             - https://*.DOMAIN_SUFFIX
 
+# Disable chart's secret generation — we create the "hydra" secret via seed script
+# with keys: secretsSystem, secretsCookie, pairwise-salt.
+secret:
+  enabled: false
+
 deployment:
   resources:
     limits: