feat(infra): k3s foundation — cert-manager, Longhorn config, in-cluster data tier

Adds the production cluster foundation (authored + applied live on node1):
- cert-manager via the k3s HelmChart controller + letsencrypt staging/prod
  ClusterIssuers (HTTP-01 / Traefik).
- Longhorn config for single-node (values: replica=1, default StorageClass,
  Retain) + backup-to-Hetzner-Object-Storage credential template.
- In-cluster data tier (dezky-data): Postgres 16 (with Authentik+OCIS DB init),
  MongoDB 7, Redis 7 as StatefulSets on Longhorn, + secret template.
- bootstrap.sh: install open-iscsi/nfs-common + enable iscsid (Longhorn prereq).
- RUNBOOK.md: full reproducible node1 build order.

Real secrets are generated on-box and kept in Bitwarden — never in git.

infrastructure/production/fleet/data/postgres-init.yaml

@@ -0,0 +1,20 @@
+# Runs once, on first Postgres init (empty data dir), via the official image's
+# /docker-entrypoint-initdb.d hook. Creates the per-service databases + roles
+# Authentik and OCIS need. Passwords come from the postgres-secret env (see
+# secrets.example.yaml) — never hard-code them here.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-init
+  namespace: dezky-data
+data:
+  10-extra-databases.sh: |
+    #!/bin/bash
+    set -euo pipefail
+    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
+      CREATE ROLE authentik LOGIN PASSWORD '${AUTHENTIK_DB_PASSWORD}';
+      CREATE DATABASE authentik OWNER authentik;
+
+      CREATE ROLE ocis LOGIN PASSWORD '${OCIS_DB_PASSWORD}';
+      CREATE DATABASE ocis OWNER ocis;
+    EOSQL