From d32d1435f9d792ab718323580715a45a91f453de Mon Sep 17 00:00:00 2001 From: Sienna Meridian Satterwhite Date: Fri, 6 Mar 2026 12:07:28 +0000 Subject: [PATCH] feat(infra): data, storage, devtools, and ory layer updates - data: CNPG cluster tuning, OpenBao values, OpenSearch deployment fixes, OpenSearch PVC, barman vault secret for S3 backup credentials - storage: SeaweedFS filer updates (s3.json via secret subPath), PVC for filer persistent storage - devtools: Gitea values (SSH service, custom theme), gitea-theme-cm ConfigMap - ory: add kratos-selfservice-urls.yaml for self-service flow URLs - media: LiveKit values updated (TURN config, STUN, resource limits) - vso: kustomization cleanup --- base/data/barman-vault-secret.yaml | 39 ++++ base/data/kustomization.yaml | 2 + base/data/openbao-values.yaml | 3 + base/data/opensearch-deployment.yaml | 7 + base/data/opensearch-pvc.yaml | 10 + base/data/postgres-cluster.yaml | 5 +- base/devtools/gitea-theme-cm.yaml | 282 ++++++++++++++++++++++++++ base/devtools/gitea-values.yaml | 50 ++++- base/devtools/kustomization.yaml | 1 + base/media/livekit-values.yaml | 16 +- base/ory/kratos-selfservice-urls.yaml | 23 +++ base/ory/kustomization.yaml | 5 +- base/storage/kustomization.yaml | 1 + base/storage/seaweedfs-filer-pvc.yaml | 10 + base/storage/seaweedfs-filer.yaml | 10 +- base/vso/kustomization.yaml | 1 - justfile | 4 - 17 files changed, 454 insertions(+), 15 deletions(-) create mode 100644 base/data/barman-vault-secret.yaml create mode 100644 base/data/opensearch-pvc.yaml create mode 100644 base/devtools/gitea-theme-cm.yaml create mode 100644 base/ory/kratos-selfservice-urls.yaml create mode 100644 base/storage/seaweedfs-filer-pvc.yaml diff --git a/base/data/barman-vault-secret.yaml b/base/data/barman-vault-secret.yaml new file mode 100644 index 0000000..9b3ed7c --- /dev/null +++ b/base/data/barman-vault-secret.yaml 
@@ -0,0 +1,39 @@ +--- +# VaultAuth for VSO to authenticate in the data namespace. +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vso-auth + namespace: data +spec: + method: kubernetes + mount: kubernetes + kubernetes: + role: vso + serviceAccount: default +--- +# Scaleway S3 credentials for CNPG barman backups. +# OpenBao KV path: secret/scaleway-s3 (keys: access-key-id, secret-access-key) +# Seeded by: sunbeam seed (reads from scw CLI config) +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: barman-s3-creds + namespace: data +spec: + vaultAuthRef: vso-auth + mount: secret + type: kv-v2 + path: scaleway-s3 + refreshAfter: 30s + destination: + name: barman-s3-creds + create: true + overwrite: true + transformation: + excludeRaw: true + templates: + ACCESS_KEY_ID: + text: "{{ index .Secrets \"access-key-id\" }}" + ACCESS_SECRET_KEY: + text: "{{ index .Secrets \"secret-access-key\" }}" diff --git a/base/data/kustomization.yaml b/base/data/kustomization.yaml index 4df1e65..16dd8ed 100644 --- a/base/data/kustomization.yaml +++ b/base/data/kustomization.yaml @@ -10,7 +10,9 @@ resources: - valkey-service.yaml - opensearch-deployment.yaml - opensearch-service.yaml + - opensearch-pvc.yaml - openbao-keys-placeholder.yaml + - barman-vault-secret.yaml helmCharts: # helm repo add cnpg https://cloudnative-pg.github.io/charts diff --git a/base/data/openbao-values.yaml b/base/data/openbao-values.yaml index 531e3e8..4022d4d 100644 --- a/base/data/openbao-values.yaml +++ b/base/data/openbao-values.yaml @@ -17,6 +17,9 @@ server: registry: quay.io repository: openbao/openbao + # Disable anti-affinity — single-node cluster. + affinity: "" + standalone: enabled: true config: | diff --git a/base/data/opensearch-deployment.yaml b/base/data/opensearch-deployment.yaml index 587cbc9..385adf9 100644 --- a/base/data/opensearch-deployment.yaml +++ b/base/data/opensearch-deployment.yaml 
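Review bot: In `base/data/barman-vault-secret.yaml`, the `VaultAuth` logs in to the `vso` role as the namespace's `default` ServiceAccount (`serviceAccount: default`), which is also the identity of every pod in `data` that does not name its own account. Any such workload that can reach OpenBao could present the same identity and read whatever the `vso` role's policy allows; the policy is not visible in this patch. I would create a dedicated account for this and reference it here, for example `serviceAccount: vso-data` (name constructed for illustration), and bind the role to that account only. A one-line comment on the `VaultAuth` stating which KV paths the role is expected to read would make later audits easier.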
@@ -42,3 +42,10 @@ spec: requests: memory: 768Mi cpu: 100m + volumeMounts: + - name: data + mountPath: /usr/share/opensearch/data + volumes: + - name: data + persistentVolumeClaim: + claimName: opensearch-data diff --git a/base/data/opensearch-pvc.yaml b/base/data/opensearch-pvc.yaml new file mode 100644 index 0000000..afd6738 --- /dev/null +++ b/base/data/opensearch-pvc.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: opensearch-data + namespace: data +spec: + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 10Gi diff --git a/base/data/postgres-cluster.yaml b/base/data/postgres-cluster.yaml index 6794232..b7133ef 100644 --- a/base/data/postgres-cluster.yaml +++ b/base/data/postgres-cluster.yaml @@ -16,8 +16,9 @@ spec: initdb: database: postgres owner: postgres - secret: - name: postgres-superuser + # No `secret` field — CNPG auto-generates a random superuser password + # and stores it in the `postgres-superuser` Secret. sunbeam seed reads + # that Secret to configure the OpenBao database secrets engine. postInitSQL: # Create all 10 logical databases and their owners. # Passwords are set by the seed-secrets script via ALTER USER after init. diff --git a/base/devtools/gitea-theme-cm.yaml b/base/devtools/gitea-theme-cm.yaml new file mode 100644 index 0000000..17ede88 --- /dev/null +++ b/base/devtools/gitea-theme-cm.yaml 
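Review bot: The new comment in `base/data/postgres-cluster.yaml` states as fact that CNPG stores a generated superuser password in a `postgres-superuser` Secret, but nothing visible in the hunk guarantees that. As far as I know, the removed `initdb.secret` field names the database owner's credentials. The operator-generated superuser Secret is named `<cluster-name>-superuser` and is only created when `enableSuperuserAccess: true` is set on the Cluster spec. The cluster name and that flag are outside the hunk, so please confirm both and reword the comment to name the setting it depends on, for example `# requires spec.enableSuperuserAccess: true; Secret is <cluster-name>-superuser`. Otherwise `sunbeam seed` may read a Secret that does not exist, or one left over from an earlier deployment.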
@@ -0,0 +1,282 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: gitea-custom-theme + namespace: devtools +data: + theme-sunbeam.css: | + /* theme-sunbeam.css — O Estúdio theme for Gitea + * Dark navy background + amber/honey primary, Ysabeau + Monaspace Neon. + * Based on cunningham.ts estudioTheme from people/desk. + */ + + /* ── Base: inherit all gitea-dark variables, then override ─── */ + @import url("/assets/css/theme-gitea-dark.css"); + + /* ── Font imports ──────────────────────────────────────────── */ + + /* Ysabeau Variable (UI font) — from Google Fonts */ + @import url('https://fonts.googleapis.com/css2?family=Ysabeau:ital,wght@0,1..1000;1,1..1000&display=swap'); + + /* Monaspace Neon Variable (code font) — from jsDelivr */ + @font-face { + font-family: 'Monaspace Neon'; + src: url('https://cdn.jsdelivr.net/npm/@github/monaspace@1.101/dist/fonts/variable/MonaspaceNeonVarVF[wght,slnt].woff2') format('woff2'); + font-weight: 200 800; + font-style: oblique 0deg 10deg; + font-display: swap; + } + + /* ── Typography ─────────────────────────────────────────────── */ + + :root { + --fonts-regular: 'Ysabeau', -apple-system, 'Segoe UI', system-ui, sans-serif; + --fonts-proportional: 'Ysabeau', -apple-system, 'Segoe UI', system-ui, sans-serif; + --fonts-monospace: 'Monaspace Neon', ui-monospace, 'SFMono-Regular', 'SF Mono', Menlo, Consolas, 'Liberation Mono', monospace; + } + + html, body { + font-size: 15px; + font-weight: 450; + } + + /* Monaspace OpenType features: texture healing + stylistic sets + ligatures */ + pre, code, kbd, samp, + .diff-code-inner, .markup-block-diff, + [class*="cm-"], .CodeMirror { + font-feature-settings: "calt" 1, "ss01" 1, "ss02" 1, "ss03" 1, "ss04" 1, + "ss05" 1, "ss06" 1, "ss07" 1, "ss08" 1, "liga" 1; + } + + /* ── O Estúdio dark navy background ─────────────────────────── */ + /* Greyscale from cunningham estudioTheme — inverted dark scale */ + /* Variable names verified against gitea-dark.css source */ + + :root { + /* 
Page + nav */ + --color-body: #0c1a2b; /* greyscale-000 */ + --color-nav-bg: #182536; /* greyscale-100 */ + --color-nav-hover-bg: #303c4b; /* greyscale-200 */ + --color-secondary-nav-bg: #182536; /* greyscale-100 */ + + /* Boxes / cards */ + --color-box-header: #182536; /* greyscale-100 */ + --color-box-body: #0c1a2b; /* greyscale-000 */ + --color-box-body-highlight: #303c4b; /* greyscale-200 */ + --color-card: #182536; /* greyscale-100 */ + --color-menu: #182536; /* greyscale-100 */ + --color-button: #182536; /* greyscale-100 */ + --color-expand-button: #303c4b; /* greyscale-200 */ + + /* Inputs / code */ + --color-input-background: #182536; /* greyscale-100 */ + --color-input-toggle-background: #303c4b; /* greyscale-200 */ + --color-code-bg: #0c1a2b; /* greyscale-000 */ + --color-secondary-bg: #303c4b; /* greyscale-200 */ + + /* Console (Actions log, SSH, etc.) */ + --color-console-bg: #0c1a2b; /* greyscale-000 */ + --color-console-border: #303c4b; /* greyscale-200 */ + --color-console-hover-bg: #182536; /* greyscale-100 */ + --color-console-active-bg: #303c4b; /* greyscale-200 */ + --color-console-menu-bg: #182536; /* greyscale-100 */ + --color-console-menu-border: #555f6b; /* greyscale-300 */ + + /* UI chrome */ + --color-hover-opaque: #303c4b; /* greyscale-200 */ + --color-timeline: #303c4b; /* greyscale-200 */ + --color-grey: #555f6b; /* greyscale-300 */ + --color-shadow-opaque: #07111c; + + /* Borders */ + --color-input-border: #303c4b; /* greyscale-200 */ + --color-light-border: #182536; /* greyscale-100 */ + + /* Secondary scale — full 13-dark / 4-light spectrum */ + --color-secondary: #182536; /* greyscale-100 */ + --color-secondary-dark-1: #0c1a2b; /* greyscale-000 */ + --color-secondary-dark-2: #07111c; + --color-secondary-dark-3: #040b12; + --color-secondary-dark-4: #020609; + --color-secondary-dark-5: #010406; + --color-secondary-dark-6: #000203; + --color-secondary-dark-7: #000000; + --color-secondary-dark-8: #000000; + --color-secondary-dark-9: 
#000000; + --color-secondary-dark-10: #000000; + --color-secondary-dark-11: #000000; + --color-secondary-dark-12: #000000; + --color-secondary-dark-13: #000000; + --color-secondary-light-1: #303c4b; /* greyscale-200 */ + --color-secondary-light-2: #555f6b; /* greyscale-300 */ + --color-secondary-light-3: #79818a; /* greyscale-400 */ + --color-secondary-light-4: #9ea3aa; /* greyscale-500 */ + + /* Text */ + --color-text: #e7e8ea; /* greyscale-700 */ + --color-text-dark: #fafafb; /* greyscale-900 */ + --color-text-light: #c2c6ca; /* greyscale-600 */ + --color-text-light-1: #9ea3aa; /* greyscale-500 */ + --color-text-light-2: #79818a; /* greyscale-400 */ + --color-text-light-3: #555f6b; /* greyscale-300 */ + } + + /* ── O Estúdio amber/honey primary ──────────────────────────── */ + /* Amber palette from cunningham estudioTheme */ + + :root { + --color-primary: #f59e0b; /* primary-500 */ + --color-primary-dark-1: #d97706; /* primary-600 */ + --color-primary-dark-2: #b45309; /* primary-700 */ + --color-primary-dark-3: #92400e; /* primary-800 */ + --color-primary-dark-4: #78350f; /* primary-900 */ + --color-primary-dark-5: #5c2808; + --color-primary-dark-6: #3e1a04; + --color-primary-dark-7: #1c0d00; + --color-primary-light-1: #fbbf24; /* primary-400 */ + --color-primary-light-2: #fcd34d; /* primary-300 */ + --color-primary-light-3: #fde68a; /* primary-200 */ + --color-primary-light-4: #fde9a0; /* primary-150 */ + --color-primary-light-5: #fef3c7; /* primary-100 */ + --color-primary-light-6: #fffbeb; /* primary-050 */ + --color-primary-light-7: #fffef5; + + --color-primary-hover: #d97706; /* primary-600 */ + --color-primary-active: #b45309; /* primary-700 */ + /* Amber is bright — use warm dark for contrast text */ + --color-primary-contrast: #1c1917; /* primary-bg */ + + /* primary-500 = rgb(245, 158, 11) */ + --color-primary-alpha-10: rgba(245, 158, 11, 0.10); + --color-primary-alpha-20: rgba(245, 158, 11, 0.20); + --color-primary-alpha-30: rgba(245, 158, 11, 0.30); + 
--color-primary-alpha-40: rgba(245, 158, 11, 0.40); + --color-primary-alpha-50: rgba(245, 158, 11, 0.50); + --color-primary-alpha-60: rgba(245, 158, 11, 0.60); + --color-primary-alpha-70: rgba(245, 158, 11, 0.70); + --color-primary-alpha-80: rgba(245, 158, 11, 0.80); + --color-primary-alpha-90: rgba(245, 158, 11, 0.90); + + /* Accent variables used by Gitea for highlights + native browser accent */ + --color-accent: #fbbf24; /* primary-400 */ + --color-small-accent: #fef3c7; /* primary-100 */ + --color-highlight-fg: #87651e; + --color-highlight-bg: #352c1c; + --color-reaction-hover-bg: rgba(245, 158, 11, 0.20); + --color-reaction-active-bg: rgba(245, 158, 11, 0.30); + accent-color: #f59e0b; + } + + /* ── Explicit amber overrides (belt-and-suspenders) ──────────── */ + /* Belt-and-suspenders rules for elements that must be amber on */ + /* every page, in case CSS variable resolution has any gaps. */ + + /* Primary buttons */ + .ui.primary.button, + .ui.primary.buttons .button { + background: #f59e0b !important; + color: #1c1917 !important; + } + .ui.primary.button:hover, + .ui.primary.buttons .button:hover { + background: #d97706 !important; + } + .ui.primary.button:active, + .ui.primary.buttons .button:active { + background: #b45309 !important; + } + .ui.basic.primary.button, + .ui.basic.primary.buttons .button { + color: #f59e0b !important; + border-color: #f59e0b !important; + background: none !important; + } + + /* Links */ + a { color: #f59e0b; } + a:hover { color: #d97706; } + + /* Active nav/tab items and underlines */ + .ui.secondary.menu .active.item, + .ui.tabular.menu .active.item, + .menu .active.item { + border-color: #f59e0b !important; + color: #f59e0b !important; + } + .repository .file-list .item.selected, + .ui.menu .active.item:hover { + color: #f59e0b !important; + } + + /* Active border on bottom of tabs */ + .ui.pointing.secondary.menu .active.item, + .ui.pointing.secondary.menu .active.item:hover { + border-bottom-color: #f59e0b !important; + 
} + + /* Labels and badges using primary */ + .ui.label.primary, .ui.labels.primary .label { + background: #f59e0b !important; + color: #1c1917 !important; + } + + /* Gitea logo — inline SVG fallback (1.25+ uses , see logo.svg mount) */ + .gitea-logo, svg.gitea-logo path { fill: #f59e0b !important; } + + /* ── Dark overrides for Fomantic UI message components ───────── */ + /* index.css uses hardcoded light-theme hex values for these; */ + /* they must be overridden explicitly — CSS vars don't reach them. */ + + .ui.message { + background: var(--color-secondary) !important; + color: var(--color-text) !important; + box-shadow: none !important; + } + .ui.warning.message, + .ui.yellow.message { + background: var(--color-warning-bg) !important; + color: var(--color-warning-text) !important; + border-color: var(--color-warning-border) !important; + } + .ui.warning.message .header, + .ui.yellow.message .header { + color: var(--color-warning-text) !important; + } + .ui.negative.message, + .ui.error.message, + .ui.red.message { + background: var(--color-error-bg) !important; + color: var(--color-error-text) !important; + border-color: var(--color-error-border) !important; + } + .ui.negative.message .header, + .ui.error.message .header { + color: var(--color-error-text) !important; + } + .ui.positive.message, + .ui.success.message, + .ui.green.message { + background: var(--color-success-bg) !important; + color: var(--color-success-text) !important; + border-color: var(--color-success-border) !important; + } + .ui.info.message, + .ui.teal.message, + .ui.blue.message { + background: var(--color-info-bg) !important; + color: var(--color-info-text) !important; + border-color: var(--color-info-border) !important; + } + + /* Dropdown warning state (also hardcoded in index.css) */ + .ui.selection.dropdown.warning { + background: var(--color-input-background) !important; + border-color: var(--color-warning-border) !important; + color: var(--color-text) !important; + } + + # Amber 
Gitea logo — replaces the default green logo.svg + # Gitea 1.25+ serves the logo as , so CSS + # fill rules don't apply. We mount a custom amber SVG instead. + logo.svg: | + diff --git a/base/devtools/gitea-values.yaml b/base/devtools/gitea-values.yaml index 50ced7c..dc17032 100644 --- a/base/devtools/gitea-values.yaml +++ b/base/devtools/gitea-values.yaml @@ -19,11 +19,21 @@ gitea: email: gitea@local.domain config: + ui: + DEFAULT_THEME: sunbeam + THEMES: sunbeam + server: DOMAIN: src.DOMAIN_SUFFIX ROOT_URL: https://src.DOMAIN_SUFFIX/ SSH_DOMAIN: src.DOMAIN_SUFFIX - LFS_START_SERVER: "true" + # Gitea advertises port 22 (users clone with git@src.DOMAIN_SUFFIX:org/repo.git). + # The pod listens on 2222; Pingora forwards external port 22 → pod port 2222. + SSH_PORT: "22" + SSH_LISTEN_PORT: "2222" + SSH_EXPOSE_ANONYMOUS: "false" + LFS_START_SERVER: "true" + LANDING_PAGE: /studio database: DB_TYPE: postgres @@ -46,6 +56,12 @@ gitea: TYPE: redis CONN_STR: redis://valkey.data.svc.cluster.local:6379/2?pool_size=100&idle_timeout=180s + oauth2_client: + # Auto-redirect to Hydra OIDC on login — makes OIDC the primary auth method. + OAUTH2_AUTO_REDIRECT_TO_PROVIDER: Sunbeam + # Register new OIDC users automatically. + ENABLE_AUTO_REGISTRATION: "true" + storage: STORAGE_TYPE: minio MINIO_ENDPOINT: seaweedfs-filer.storage.svc.cluster.local:8333 
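Review bot: The theme stylesheet in `gitea-theme-cm.yaml` pulls CSS from `fonts.googleapis.com` through `@import` and a font from `cdn.jsdelivr.net` through `@font-face`, so every page of the forge, including the sign-in page, depends on two third-party origins. A stylesheet served from another origin can restyle or hide any element on the page, and each page load discloses the visitor's address to those hosts. The theme also breaks on networks where they are unreachable. I would ship the font files with the other custom assets and point both rules at local paths, for example `src: url('/assets/fonts/<font-file>.woff2') format('woff2');`, dropping the Google Fonts `@import`. If the external hosts stay, add a comment above the imports recording that the dependency is deliberate and which CSP `style-src`/`font-src` entries it needs.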
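Review bot: `ENABLE_AUTO_REGISTRATION: "true"` under `oauth2_client` in `gitea-values.yaml` gives a Gitea account to every identity the OIDC provider authenticates, with no admin step in between. Who may hold an account on the forge is then decided entirely at the identity provider. This commit also configures a Kratos registration UI URL, so if self-service registration is open there it is effectively open here as well; that should be confirmed. I would set the linking behaviour explicitly next to it rather than relying on the default, for example `ACCOUNT_LINKING: login`, so an OIDC identity cannot be attached to an existing local account without that account's password. The comment should also say where sign-up is restricted.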
@@ -70,6 +86,33 @@ gitea: name: gitea-s3-credentials key: secret-key +initPreScript: | + mkdir -p /data/gitea/public/assets/css + mkdir -p /data/gitea/public/assets/img + +extraVolumes: + - name: custom-theme + configMap: + name: gitea-custom-theme + - name: mkcert-ca + configMap: + name: gitea-mkcert-ca + optional: true # only exists in local env; production omits it safely + +extraContainerVolumeMounts: + - name: custom-theme + mountPath: /data/gitea/public/assets/css/theme-sunbeam.css + subPath: theme-sunbeam.css + readOnly: true + - name: custom-theme + mountPath: /data/gitea/public/assets/img/logo.svg + subPath: logo.svg + readOnly: true + - name: mkcert-ca + mountPath: /run/ca/ca.crt + subPath: ca.crt + readOnly: true + resources: limits: memory: 256Mi @@ -77,6 +120,11 @@ resources: memory: 128Mi cpu: 100m +service: + ssh: + # Pod listens on 2222 (SSH_LISTEN_PORT); Pingora proxies external port 22 → here. + port: 2222 + persistence: enabled: true size: 5Gi diff --git a/base/devtools/kustomization.yaml b/base/devtools/kustomization.yaml index bd786e1..c3f57ed 100644 --- a/base/devtools/kustomization.yaml +++ b/base/devtools/kustomization.yaml @@ -6,6 +6,7 @@ namespace: devtools resources: - namespace.yaml - vault-secrets.yaml + - gitea-theme-cm.yaml helmCharts: # helm repo add gitea-charts https://dl.gitea.com/charts/ diff --git a/base/media/livekit-values.yaml b/base/media/livekit-values.yaml index 5180184..8debe65 100644 --- a/base/media/livekit-values.yaml +++ b/base/media/livekit-values.yaml @@ -14,11 +14,13 @@ livekit: use_external_ip: true turn: - enabled: true - domain: meet.DOMAIN_SUFFIX - tls_port: 5349 - udp_port: 3478 - external_tls: true + enabled: true + domain: meet.DOMAIN_SUFFIX + tls_port: 5349 + udp_port: 3478 + external_tls: true + relay_range_start: 13333 + relay_range_end: 23333 redis: # Valkey is protocol-compatible with Redis; LiveKit sees this as a Redis endpoint 
@@ -30,6 +32,10 @@ livekit: devkey: secret-placeholder deployment: + # hostNetwork gives LiveKit direct access to the host network namespace, + # which is the only practical way to expose the 10k-port TURN relay range + # (13333-23333) without listing individual hostPorts in the pod spec. + hostNetwork: true resources: limits: memory: 128Mi diff --git a/base/ory/kratos-selfservice-urls.yaml b/base/ory/kratos-selfservice-urls.yaml new file mode 100644 index 0000000..d2fdd8a --- /dev/null +++ b/base/ory/kratos-selfservice-urls.yaml @@ -0,0 +1,23 @@ +# Kratos selfservice UI URLs — patch over the Helm-rendered kratos-config ConfigMap. +# DOMAIN_SUFFIX is substituted by sunbeam apply. +apiVersion: v1 +kind: ConfigMap +metadata: + name: kratos-config + namespace: ory +data: + selfservice.default_browser_return_url: "https://auth.DOMAIN_SUFFIX/" + selfservice.flows.login.ui_url: "https://auth.DOMAIN_SUFFIX/login" + selfservice.flows.registration.ui_url: "https://auth.DOMAIN_SUFFIX/registration" + selfservice.flows.recovery.ui_url: "https://auth.DOMAIN_SUFFIX/recovery" + selfservice.flows.settings.ui_url: "https://auth.DOMAIN_SUFFIX/settings" + selfservice.allowed_return_urls: | + - https://auth.DOMAIN_SUFFIX/ + - https://docs.DOMAIN_SUFFIX/ + - https://meet.DOMAIN_SUFFIX/ + - https://drive.DOMAIN_SUFFIX/ + - https://mail.DOMAIN_SUFFIX/ + - https://chat.DOMAIN_SUFFIX/ + - https://people.DOMAIN_SUFFIX/ + - https://src.DOMAIN_SUFFIX/ + - https://admin.DOMAIN_SUFFIX/ diff --git a/base/ory/kustomization.yaml b/base/ory/kustomization.yaml index 0a7f243..72928ad 100644 --- a/base/ory/kustomization.yaml +++ b/base/ory/kustomization.yaml 
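Review bot: `hostNetwork: true` in `livekit-values.yaml` places the LiveKit pod in the node's network namespace, and the added comment explains the port-range motive but not what is given up. With most CNI plugins, NetworkPolicy no longer applies to the pod, and it can reach services bound to the node's loopback and host interfaces. Opening 13333-23333 then depends on the node firewall rather than on anything in this repository. Please extend the comment to name the compensating control, for example `# node firewall must allow only 3478/udp, 5349/tcp and 13333-23333/udp to this host`. Also check the DNS policy: host-network pods resolve through the node's resolver unless `dnsPolicy: ClusterFirstWithHostNet` is set, which would affect the in-cluster Valkey address; whether the chart exposes that value is not visible here.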
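Review bot: The patch in `kratos-selfservice-urls.yaml` may not change the configuration Kratos actually loads, since it adds dotted keys such as `selfservice.allowed_return_urls` directly under `data:` of the `kratos-config` ConfigMap. A strategic-merge patch adds these as new sibling entries. If the chart renders the configuration as one YAML document under a single data key, which I believe is the usual layout but cannot see here, Kratos would not read them unless `sunbeam apply` rewrites them. In that case the return-URL allow-list and UI URLs would silently not be applied. Please confirm with `kustomize build` and a look at the mounted file, and add a comment in this file saying how the keys reach the running configuration. Note also that `allowed_return_urls` is a block scalar, so its value is one string rather than a list.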
@@ -15,8 +15,11 @@ resources: - hydra-oauth2client-crd.yaml - vault-secrets.yaml -# The hydra-maester sub-chart does not set .Release.Namespace in its Deployment template. patches: + # Set Kratos selfservice UI URLs (DOMAIN_SUFFIX substituted at apply time). + - path: kratos-selfservice-urls.yaml + + # The hydra-maester sub-chart does not set .Release.Namespace in its Deployment template. - patch: | - op: add path: /metadata/namespace diff --git a/base/storage/kustomization.yaml b/base/storage/kustomization.yaml index fa97b3c..7442318 100644 --- a/base/storage/kustomization.yaml +++ b/base/storage/kustomization.yaml @@ -9,4 +9,5 @@ resources: - seaweedfs-master.yaml - seaweedfs-volume.yaml - seaweedfs-filer.yaml + - seaweedfs-filer-pvc.yaml - vault-secrets.yaml diff --git a/base/storage/seaweedfs-filer-pvc.yaml b/base/storage/seaweedfs-filer-pvc.yaml new file mode 100644 index 0000000..933238a --- /dev/null +++ b/base/storage/seaweedfs-filer-pvc.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: seaweedfs-filer-data + namespace: storage +spec: + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 5Gi diff --git a/base/storage/seaweedfs-filer.yaml b/base/storage/seaweedfs-filer.yaml index 51f515e..01b923d 100644 --- a/base/storage/seaweedfs-filer.yaml +++ b/base/storage/seaweedfs-filer.yaml @@ -13,6 +13,13 @@ spec: labels: app: seaweedfs-filer spec: + initContainers: + - name: fix-permissions + image: busybox + command: ["sh", "-c", "chmod 777 /data/filer"] + volumeMounts: + - name: filer-data + mountPath: /data/filer containers: - name: filer image: chrislusf/seaweedfs:latest @@ -61,7 +68,8 @@ spec: secret: secretName: seaweedfs-s3-json - name: filer-data - emptyDir: {} + persistentVolumeClaim: + claimName: seaweedfs-filer-data --- apiVersion: v1 kind: Service diff --git a/base/vso/kustomization.yaml b/base/vso/kustomization.yaml index 29dd0c5..99ee68d 100644 --- a/base/vso/kustomization.yaml 
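Review bot: The `fix-permissions` init container added to `seaweedfs-filer.yaml` makes the filer's persistent data directory world-writable with `chmod 777 /data/filer`. It also runs an untagged `busybox` image with no `securityContext`, so presumably as root. Anything that later mounts or shares that volume can then modify filer metadata, and the image content can change between pod restarts. I would drop the init container in favour of a pod-level `securityContext` with `fsGroup` set to the filer's group, or at least narrow it to `chown <filer-uid>:<filer-gid> /data/filer && chmod 750 /data/filer` (ids are placeholders; the filer's runtime user is not visible in this hunk). The image should be pinned as `image: busybox:<pinned-tag>`. The main container's `chrislusf/seaweedfs:latest` is a context line, but it has the same pinning problem.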
+++ b/base/vso/kustomization.yaml @@ -5,7 +5,6 @@ namespace: vault-secrets-operator resources: - namespace.yaml - - test-rbac.yaml helmCharts: # helm repo add hashicorp https://helm.releases.hashicorp.com diff --git a/justfile b/justfile index 9f8a65a..7d2288e 100644 --- a/justfile +++ b/justfile @@ -8,10 +8,6 @@ install: test: PYTHONPATH=../cli python3 -m unittest discover -s ../cli/sunbeam/tests -p 'test_*.py' -v -# Run any sunbeam CLI verb (e.g.: just sunbeam status ory) -sunbeam *args: - PYTHONPATH=../cli python3 -m sunbeam {{args}} - # Start Lima VM and deploy full stack up: bash scripts/local-up.sh