feat(infra): data, storage, devtools, and ory layer updates

- data: CNPG cluster tuning, OpenBao values, OpenSearch deployment fixes,
  OpenSearch PVC, barman vault secret for S3 backup credentials
- storage: SeaweedFS filer updates (s3.json via secret subPath), PVC for
  filer persistent storage
- devtools: Gitea values (SSH service, custom theme), gitea-theme-cm ConfigMap
- ory: add kratos-selfservice-urls.yaml for self-service flow URLs
- media: LiveKit values updated (TURN config, STUN, resource limits)
- vso: kustomization cleanup

base/media/livekit-values.yaml

@@ -14,11 +14,13 @@ livekit:
     use_external_ip:  true
 
   turn:
-    enabled:      true
-    domain:       meet.DOMAIN_SUFFIX
-    tls_port:     5349
-    udp_port:     3478
-    external_tls: true
+    enabled:           true
+    domain:            meet.DOMAIN_SUFFIX
+    tls_port:          5349
+    udp_port:          3478
+    external_tls:      true
+    relay_range_start: 13333
+    relay_range_end:   23333
 
   redis:
     # Valkey is protocol-compatible with Redis; LiveKit sees this as a Redis endpoint
@@ -30,6 +32,10 @@ livekit:
     devkey: secret-placeholder
 
 deployment:
+  # hostNetwork gives LiveKit direct access to the host network namespace,
+  # which is the only practical way to expose the 10k-port TURN relay range
+  # (13333-23333) without listing individual hostPorts in the pod spec.
+  hostNetwork: true
   resources:
     limits:
       memory: 128Mi