feat: replace nginx placeholder with custom Pingora proxy; add Postfix MTA

Ingress:
- Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder
- HTTPS termination with mkcert (local) / rustls-acme (production)
- Host-prefix routing with path-based sub-routing for auth virtual host:
  /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui
- HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub
- cert-manager HTTP-01 ACME challenge routing via Ingress watcher
- RBAC for Ingress watcher (pingora-watcher ClusterRole)
- local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict

Infrastructure:
- socket_vmnet shared network for host↔VM reachability (192.168.105.2)
- local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution
- Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods
- Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25
- Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values

base/lasuite/kustomization.yaml

@@ -5,6 +5,7 @@ namespace: lasuite
 
 resources:
   - namespace.yaml
+  - postfix-deployment.yaml
   - hive-config.yaml
   - hive-deployment.yaml
   - hive-service.yaml

base/lasuite/postfix-deployment.yaml

@@ -0,0 +1,81 @@
+# Postfix MTA for the Messages email platform.
+#
+# MTA-out: accepts SMTP from cluster-internal services (Kratos, Messages Django),
+#          signs with DKIM, and relays outbound via Scaleway TEM.
+#
+# MTA-in: receives inbound email from the internet (routed via Pingora on port 25).
+#         In local dev, no MX record points here so inbound never arrives.
+#
+# Credentials: Secret "postfix-tem-credentials" with keys:
+#   smtp_user     — Scaleway TEM SMTP username (project ID)
+#   smtp_password — Scaleway TEM SMTP password (API key)
+#
+# DKIM keys: Secret "postfix-dkim" with key:
+#   private.key   — DKIM private key for sunbeam.pt (generated once; add DNS TXT record)
+#   selector      — DKIM selector (e.g. "mail")
+#
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: postfix
+  namespace: lasuite
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postfix
+  template:
+    metadata:
+      labels:
+        app: postfix
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - name: postfix
+          image: boky/postfix:latest
+          ports:
+            - name: smtp
+              containerPort: 25
+              protocol: TCP
+          env:
+            # Accept mail from all cluster-internal pods.
+            - name: MYNETWORKS
+              value: "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"
+            # Sending domain — replaced by sed at deploy time.
+            - name: ALLOWED_SENDER_DOMAINS
+              value: "DOMAIN_SUFFIX"
+            # Scaleway TEM outbound relay.
+            - name: RELAYHOST
+              value: "[smtp.tem.scw.cloud]:587"
+            - name: SASL_USER
+              valueFrom:
+                secretKeyRef:
+                  name: postfix-tem-credentials
+                  key: smtp_user
+                  optional: true  # allows pod to start before secret exists
+            - name: SASL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postfix-tem-credentials
+                  key: smtp_password
+                  optional: true
+          resources:
+            limits:
+              memory: 64Mi
+            requests:
+              memory: 32Mi
+              cpu: 10m
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: postfix
+  namespace: lasuite
+spec:
+  selector:
+    app: postfix
+  ports:
+    - name: smtp
+      port: 25
+      targetPort: 25
+      protocol: TCP