feat: replace nginx placeholder with custom Pingora proxy; add Postfix MTA

Ingress:
- Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder
- HTTPS termination with mkcert (local) / rustls-acme (production)
- Host-prefix routing with path-based sub-routing for auth virtual host:
  /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui
- HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub
- cert-manager HTTP-01 ACME challenge routing via Ingress watcher
- RBAC for Ingress watcher (pingora-watcher ClusterRole)
- local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict

Infrastructure:
- socket_vmnet shared network for host↔VM reachability (192.168.105.2)
- local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution
- Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods
- Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25
- Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values
This commit is contained in:
2026-03-01 16:25:11 +00:00
parent a589e6280d
commit cdddc334ff
15 changed files with 391 additions and 64 deletions


@@ -75,8 +75,22 @@ fi
limactl shell sunbeam sudo rm -f /var/lib/rancher/k3s/server/manifests/traefik.yaml 2>/dev/null || true
# ---------------------------------------------------------------------------
# 5. Install Gateway API CRDs + Linkerd via CLI
# 5. Install cert-manager
# ---------------------------------------------------------------------------
if ! kubectl $CTX get ns cert-manager &>/dev/null; then
echo "==> Installing cert-manager..."
kubectl $CTX apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml
echo " Waiting for cert-manager webhooks..."
kubectl $CTX -n cert-manager rollout status deployment/cert-manager --timeout=120s
kubectl $CTX -n cert-manager rollout status deployment/cert-manager-webhook --timeout=120s
kubectl $CTX -n cert-manager rollout status deployment/cert-manager-cainjector --timeout=120s
echo " cert-manager installed."
else
echo "==> cert-manager already installed."
fi
# ---------------------------------------------------------------------------
# 6. Install Gateway API CRDs + Linkerd via CLI# ---------------------------------------------------------------------------
if ! kubectl $CTX get ns linkerd &>/dev/null; then
echo "==> Installing Gateway API CRDs..."
kubectl $CTX apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
@@ -95,9 +109,13 @@ else
fi
# ---------------------------------------------------------------------------
# 6. Generate mkcert wildcard cert
# ---------------------------------------------------------------------------
LIMA_IP=$(limactl shell sunbeam hostname -I | awk '{print $1}')
# 7. Generate mkcert wildcard cert# ---------------------------------------------------------------------------
# Use eth1 (socket_vmnet shared network) — the address reachable from the Mac host.
LIMA_IP=$(limactl shell sunbeam ip -4 addr show eth1 2>/dev/null | awk '/inet / {print $2}' | cut -d/ -f1)
if [[ -z "$LIMA_IP" ]]; then
# Fallback: first non-loopback IP (works on first-boot before eth1 is up)
LIMA_IP=$(limactl shell sunbeam hostname -I | awk '{print $1}')
fi
DOMAIN="${LIMA_IP}.sslip.io"
SECRETS_DIR="$REPO_ROOT/secrets/local"
@@ -114,8 +132,7 @@ else
fi
# ---------------------------------------------------------------------------
# 7. Create TLS Secret in ingress namespace
# ---------------------------------------------------------------------------
# 8. Create TLS Secret in ingress namespace# ---------------------------------------------------------------------------
echo "==> Applying TLS Secret to ingress namespace..."
kubectl $CTX create namespace ingress --dry-run=client -o yaml | kubectl $CTX apply -f -
kubectl $CTX create secret tls pingora-tls \
@@ -125,8 +142,7 @@ kubectl $CTX create secret tls pingora-tls \
--dry-run=client -o yaml | kubectl $CTX apply -f -
# ---------------------------------------------------------------------------
# 8. Apply manifests (server-side apply handles large CRDs)
# ---------------------------------------------------------------------------
# 9. Apply manifests (server-side apply handles large CRDs)# ---------------------------------------------------------------------------
echo "==> Applying manifests (domain: $DOMAIN)..."
cd "$REPO_ROOT"
kustomize build overlays/local --enable-helm | \
@@ -134,14 +150,12 @@ kustomize build overlays/local --enable-helm | \
kubectl $CTX apply --server-side --force-conflicts -f -
# ---------------------------------------------------------------------------
# 9. Seed secrets (waits for postgres, creates K8s secrets, inits OpenBao)
# ---------------------------------------------------------------------------
# 10. Seed secrets (waits for postgres, creates K8s secrets, inits OpenBao)# ---------------------------------------------------------------------------
echo "==> Seeding secrets..."
bash "$SCRIPT_DIR/local-seed-secrets.sh"
# ---------------------------------------------------------------------------
# 10. Restart deployments that were waiting for secrets
# ---------------------------------------------------------------------------
# 11. Restart deployments that were waiting for secrets# ---------------------------------------------------------------------------
echo "==> Restarting services that were waiting for secrets..."
for ns_deploy in \
"ory/hydra" \
@@ -157,8 +171,7 @@ for ns_deploy in \
done
# ---------------------------------------------------------------------------
# 11. Wait for core components
# ---------------------------------------------------------------------------
# 12. Wait for core components# ---------------------------------------------------------------------------
echo "==> Waiting for Valkey..."
kubectl $CTX rollout status deployment/valkey -n data --timeout=120s || true
@@ -169,8 +182,7 @@ echo "==> Waiting for Hydra..."
kubectl $CTX rollout status deployment/hydra -n ory --timeout=120s || true
# ---------------------------------------------------------------------------
# 12. Print URLs
# ---------------------------------------------------------------------------
# 13. Print URLs# ---------------------------------------------------------------------------
echo ""
echo "==> Stack is up. Domain: $DOMAIN"
echo ""
@@ -182,6 +194,7 @@ echo " Drive: https://drive.${DOMAIN}/"
echo " Chat: https://chat.${DOMAIN}/"
echo " People: https://people.${DOMAIN}/"
echo " Gitea: https://src.${DOMAIN}/"
echo " Mailpit: https://mailpit.${DOMAIN}/ (captured outbound email)"
echo ""
echo "OpenBao UI: kubectl $CTX -n data port-forward svc/openbao 8200:8200"
echo " http://localhost:8200 (token from: kubectl $CTX -n data get secret openbao-keys -o jsonpath='{.data.root-token}' | base64 -d)"
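Review bot: The new cert-manager step (first hunk, `kubectl $CTX apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml`) streams a remote manifest that creates CRDs, a cluster-wide webhook and ClusterRoles straight into the cluster with nothing but the version tag guarding its contents; pinning the tag does not pin the bytes, so the installer should fetch to a temp file, verify a sha256 the repo records, and only then apply. The `if ! kubectl $CTX get ns cert-manager` gate in the same hunk also equates "namespace exists" with "installed", so a run that created the namespace but failed before the `rollout status` waits completes will skip straight to "already installed" on the next run and leave the later TLS/Ingress steps racing a cert-manager that is not ready; moving the three `rollout status` waits out of the `if` (they are idempotent) would make re-runs self-healing. The pre-existing Gateway API apply a few lines below has the same fetch-and-apply shape, though that line is not new in this commit. The enclosing `if` body is fully inside the hunk; the indentation below is assumed to be the script's 2-space style, since the rendered page has dropped it.
```shell
if ! kubectl $CTX get ns cert-manager &>/dev/null; then
  echo "==> Installing cert-manager..."
  cm_version="v1.17.0"
  cm_sha256="<expected-sha256-of-cert-manager.yaml>"   # placeholder: record the real digest in the repo
  cm_manifest=$(mktemp)
  curl -fsSL "https://github.com/cert-manager/cert-manager/releases/download/${cm_version}/cert-manager.yaml" -o "$cm_manifest"
  # refuse to apply cluster-wide CRDs/RBAC whose content does not match the pinned digest
  printf '%s  %s\n' "$cm_sha256" "$cm_manifest" | shasum -a 256 -c - >/dev/null
  kubectl $CTX apply -f "$cm_manifest"
  rm -f -- "$cm_manifest"
else
  echo "==> cert-manager already installed."
fi
# always wait, so a partially-applied previous run converges instead of being skipped
echo " Waiting for cert-manager webhooks..."
# … unchanged: the three `rollout status` waits …
```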