feat: replace nginx placeholder with custom Pingora proxy; add Postfix MTA

Ingress:
- Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder
- HTTPS termination with mkcert (local) / rustls-acme (production)
- Host-prefix routing with path-based sub-routing for auth virtual host:
  /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui
- HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub
- cert-manager HTTP-01 ACME challenge routing via Ingress watcher
- RBAC for Ingress watcher (pingora-watcher ClusterRole)
- local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict

Infrastructure:
- socket_vmnet shared network for host↔VM reachability (192.168.105.2)
- local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution
- Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods
- Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25
- Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values

base/ingress/pingora-config.yaml

@@ -5,39 +5,39 @@ metadata:
   namespace: ingress
 data:
   config.toml: |
-    # Pingora hostname routing table
-    # The domain suffix (sunbeam.pt / <LIMA_IP>.sslip.io) is patched per overlay.
-    # TLS cert source (rustls-acme / mkcert) is patched per overlay.
-
-    [tls]
-    cert_path = "/etc/tls/tls.crt"
-    key_path  = "/etc/tls/tls.key"
-    # acme = true  # Uncommented in production overlay (rustls-acme + Let's Encrypt)
-    acme = false
+    # Sunbeam proxy config.
+    #
+    # Substitution placeholders (replaced by sed at deploy time):
+    #   DOMAIN_SUFFIX — e.g. <LIMA_IP>.sslip.io (local) or yourdomain.com (production)
 
     [listen]
     http  = "0.0.0.0:80"
     https = "0.0.0.0:443"
 
-    [turn]
-    backend             = "livekit.media.svc.cluster.local:7880"
-    udp_listen          = "0.0.0.0:3478"
-    relay_port_start    = 49152
-    relay_port_end      = 49252
+    [tls]
+    # Cert files are written here by the proxy on startup and on cert renewal
+    # via the K8s API.  The /etc/tls directory is an emptyDir volume.
+    cert_path = "/etc/tls/tls.crt"
+    key_path  = "/etc/tls/tls.key"
 
-    # Host-prefix → backend mapping.
-    # Pingora matches on the subdomain prefix regardless of domain suffix,
-    # so these routes work identically for sunbeam.pt and *.sslip.io.
+    [telemetry]
+    # Empty = OTEL disabled. Set to http://otel-collector.data.svc:4318 when ready.
+    otlp_endpoint = ""
+
+    # Host-prefix → backend routing table.
+    # The prefix is the subdomain before the first dot, so these routes work
+    # identically for yourdomain.com and *.sslip.io.
+    # Edit to match your own service names and namespaces.
 
     [[routes]]
     host_prefix = "docs"
     backend     = "http://docs.lasuite.svc.cluster.local:8000"
-    websocket   = true   # Y.js CRDT sync
+    websocket   = true
 
     [[routes]]
     host_prefix = "meet"
     backend     = "http://meet.lasuite.svc.cluster.local:8000"
-    websocket   = true   # LiveKit signaling
+    websocket   = true
 
     [[routes]]
     host_prefix = "drive"
@@ -50,7 +50,7 @@ data:
     [[routes]]
     host_prefix = "chat"
     backend     = "http://conversations.lasuite.svc.cluster.local:8000"
-    websocket   = true   # Vercel AI SDK streaming
+    websocket   = true
 
     [[routes]]
     host_prefix = "people"
@@ -58,12 +58,31 @@ data:
 
     [[routes]]
     host_prefix = "src"
-    backend     = "http://gitea.devtools.svc.cluster.local:3000"
-    websocket   = true   # Gitea Actions runner
+    backend     = "http://gitea-http.devtools.svc.cluster.local:3000"
+    websocket   = true
 
+    # auth: login-ui handles browser UI; Hydra handles OAuth2/OIDC; Kratos handles self-service flows.
     [[routes]]
     host_prefix = "auth"
-    backend     = "http://hydra.ory.svc.cluster.local:4444"
+    backend     = "http://login-ui.ory.svc.cluster.local:3000"
+
+      [[routes.paths]]
+      prefix   = "/oauth2"
+      backend  = "http://hydra-public.ory.svc.cluster.local:4444"
+
+      [[routes.paths]]
+      prefix   = "/.well-known"
+      backend  = "http://hydra-public.ory.svc.cluster.local:4444"
+
+      [[routes.paths]]
+      prefix   = "/userinfo"
+      backend  = "http://hydra-public.ory.svc.cluster.local:4444"
+
+      # /kratos prefix is stripped before forwarding so Kratos sees its native paths.
+      [[routes.paths]]
+      prefix        = "/kratos"
+      backend       = "http://kratos-public.ory.svc.cluster.local:4433"
+      strip_prefix  = true
 
     [[routes]]
     host_prefix = "s3"