feat(ci): deploy to k3s straight from the pipeline (drop Flux plan)

Push to main = release: after build, a deploy job pins each app image to the
commit SHA (kustomize edit set image), kubectl-applies fleet/apps and waits
for the rollouts. The runner already runs in-cluster, so it reaches the API
server on the in-cluster service IP with a kubeconfig for the new ci-deployer
ServiceAccount (namespace-scoped admin, KUBECONFIG_B64 repo secret).

The drafted Flux sync/image-automation layer is removed — a GitOps controller
plus bot tag-bump commits is more machinery than a single-node cluster needs.
Sortable image tags and $imagepolicy markers go with it.

Also: per-router ACME-safe HTTP->HTTPS redirects for the app ingresses,
platform-api prod config completed (Authentik JWT/JWKS + admin API, Stalwart
via the cni0 gateway IP, OCIS/cold-storage placeholders until those tiers
exist) and the secrets template/README updated to match.

infrastructure/production/fleet/apps/booking.yaml

@@ -20,6 +20,8 @@ spec:
     spec:
       containers:
         - name: booking
+          # CI pins this to the commit SHA at deploy time (kustomize edit set image
+          # in .gitea/workflows/ci.yml); :latest here is the fallback.
           image: git.lastcloud.io/ronnibaslund/dezky/booking:latest
           imagePullPolicy: IfNotPresent
           ports:
@@ -78,7 +80,10 @@ metadata:
   namespace: dezky-apps
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    # Serve on :80 too so the cert-manager ACME HTTP-01 solver can answer on
+    # port 80; the redirect-https middleware bounces all other traffic to HTTPS.
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+    traefik.ingress.kubernetes.io/router.middlewares: dezky-apps-redirect-https@kubernetescrd
 spec:
   ingressClassName: traefik
   tls:

infrastructure/production/fleet/apps/kustomization.yaml

@@ -6,7 +6,9 @@ kind: Kustomization
 namespace: dezky-apps
 resources:
   - namespace.yaml
+  - redirect-middleware.yaml
   - platform-api-config.yaml
   - platform-api.yaml
   - portal.yaml
   - booking.yaml
+  - operator.yaml

infrastructure/production/fleet/apps/platform-api-config.yaml

@@ -9,9 +9,33 @@ metadata:
   labels:
     app.kubernetes.io/name: platform-api
 data:
-  # Stalwart runs on the HOST (not k3s). Reach it on the node-internal IP at the
-  # JMAP management port; the firewall lets the pod CIDR through. Override the
-  # placeholder IP to match the host's actual internal address.
-  STALWART_API_URL: "http://10.0.0.1:8080"
+  # Stalwart runs on the HOST (not k3s). Pods reach it via the cni0 gateway IP
+  # on the JMAP management port; the firewall lets the pod CIDR through.
+  STALWART_API_URL: "http://10.42.0.1:8080"
   STALWART_ADMIN_USER: "admin"
   STALWART_PROVISIONING_ENABLED: "true"
+  # JWT validation for portal/operator-issued access tokens. Public Authentik
+  # URLs on purpose: the token `iss` claim is the public URL, and the pod can
+  # hairpin to it through the node's public IP.
+  AUTHENTIK_ISSUER: "https://auth.dezky.eu/application/o/dezky-portal/,https://auth.dezky.eu/application/o/dezky-operator/"
+  AUTHENTIK_AUDIENCE: "dezky-portal,dezky-operator"
+  AUTHENTIK_JWKS_URI: "https://auth.dezky.eu/application/o/dezky-portal/jwks/"
+  AUTHENTIK_API_URL: "https://auth.dezky.eu/api/v3"
+  # OCIS is not deployed in production yet. The client is instantiated at boot
+  # (so the URL must exist) but only fails when a files feature is actually
+  # used. Swap to the real URL when the files tier lands.
+  OCIS_API_URL: "https://files.dezky.eu"
+  OCIS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
+  OCIS_OIDC_CLIENT_ID: "ocis-web"
+  OCIS_SVC_USERNAME: "svc-platform-api"
+  # Audit cold storage (Hetzner Object Storage) is not provisioned yet —
+  # archive stays off; the S3 client boots against the placeholder endpoint.
+  AUDIT_COLD_ENDPOINT: "https://fsn1.your-objectstorage.com"
+  AUDIT_COLD_REGION: "fsn1"
+  AUDIT_COLD_BUCKET: "dezky-audit"
+  AUDIT_HOT_RETENTION_DAYS: "90"
+  ARCHIVE_ENABLED: "false"
+  # Stripe billing dark-launched off in prod until live keys are wired.
+  BILLING_STRIPE_ENABLED: "false"
+  BOOKING_PUBLIC_URL: "https://booking.dezky.eu"
+  MEET_PUBLIC_URL: "https://meet.dezky.eu"

infrastructure/production/fleet/apps/platform-api.yaml

@@ -21,7 +21,8 @@ spec:
     spec:
       containers:
         - name: platform-api
-          # Pinned by CI to the commit SHA on release; :latest is dev-only.
+          # CI pins this to the commit SHA at deploy time (kustomize edit set image
+          # in .gitea/workflows/ci.yml); :latest here is the fallback.
           image: git.lastcloud.io/ronnibaslund/dezky/platform-api:latest
           imagePullPolicy: IfNotPresent
           ports:

infrastructure/production/fleet/apps/portal.yaml

@@ -21,6 +21,8 @@ spec:
     spec:
       containers:
         - name: portal
+          # CI pins this to the commit SHA at deploy time (kustomize edit set image
+          # in .gitea/workflows/ci.yml); :latest here is the fallback.
           image: git.lastcloud.io/ronnibaslund/dezky/portal:latest
           imagePullPolicy: IfNotPresent
           ports:
@@ -33,6 +35,8 @@ spec:
               value: "3000"
             - name: NUXT_PUBLIC_PORTAL_URL
               value: https://app.dezky.eu
+            - name: NUXT_PUBLIC_BOOKING_URL
+              value: https://booking.dezky.eu
             # Cluster-internal address of platform-api for the nitro proxy.
             - name: PLATFORM_API_INTERNAL_URL
               value: http://platform-api.dezky-apps.svc.cluster.local:3001
@@ -81,7 +85,10 @@ metadata:
   namespace: dezky-apps
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    # Serve on :80 too so the cert-manager ACME HTTP-01 solver can answer on
+    # port 80; the redirect-https middleware bounces all other traffic to HTTPS.
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+    traefik.ingress.kubernetes.io/router.middlewares: dezky-apps-redirect-https@kubernetescrd
 spec:
   ingressClassName: traefik
   tls:

infrastructure/production/fleet/apps/redirect-middleware.yaml

@@ -0,0 +1,19 @@
+# HTTP→HTTPS redirect for the dezky-apps ingresses (portal, booking).
+#
+# Replaces the former global Traefik entrypoint redirect, which broke ACME
+# HTTP-01 (see traefik/helmchartconfig.yaml). This Middleware is attached only
+# to the app routers via the
+# `traefik.ingress.kubernetes.io/router.middlewares` annotation, so the
+# cert-manager solver's own router (no middleware, more specific path) can still
+# answer the challenge on :80.
+#
+# Referenced from an Ingress as: dezky-apps-redirect-https@kubernetescrd
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-https
+  namespace: dezky-apps
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true

infrastructure/production/fleet/apps/secrets.example.yaml

@@ -23,6 +23,19 @@ stringData:
   STALWART_ADMIN_PASSWORD: "REPLACE_WITH_SAME_AS_HOST"
   # MUST equal the host's STALWART_WEBHOOK_SECRET (audit webhook HMAC).
   STALWART_WEBHOOK_SECRET: "REPLACE_WITH_SAME_AS_HOST"
+  # Authentik admin API token (tenant/user provisioning). The Helm bootstrap
+  # token works: dezky-auth/authentik-secret.AUTHENTIK_BOOTSTRAP_TOKEN.
+  AUTHENTIK_API_TOKEN: "REPLACE_WITH_authentik-secret.AUTHENTIK_BOOTSTRAP_TOKEN"
+  # Tamper-evidence signing key for the audit hash chain. Rotating it closes
+  # the current segment — back it up alongside SCHEDULING_CREDENTIAL_KEY.
+  AUDIT_SIGNING_KEY: "REPLACE_WITH_openssl_rand_hex_32"
+  # Hetzner Object Storage IAM pair for audit cold storage. Not provisioned
+  # yet — keep the placeholders until the bucket exists (ARCHIVE_ENABLED is
+  # false in platform-api-config.yaml; the client only fails when used).
+  AUDIT_COLD_ACCESS_KEY: "not-configured"
+  AUDIT_COLD_SECRET_KEY: "not-configured"
+  # OCIS service-user password (files tier — not deployed in prod yet).
+  OCIS_SVC_PASSWORD: "not-configured"
 ---
 apiVersion: v1
 kind: Secret
@@ -34,7 +47,7 @@ stringData:
   # Authentik OIDC client provisioned for the portal.
   NUXT_OIDC_CLIENT_ID: "REPLACE"
   NUXT_OIDC_CLIENT_SECRET: "REPLACE"
-  NUXT_OIDC_REDIRECT_URI: "https://app.dezky.eu/auth/callback"
+  NUXT_OIDC_REDIRECT_URI: "https://app.dezky.eu/auth/oidc/callback"
   # Public base URL of Authentik (used for login redirects + full sign-out).
   NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
   # nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
@@ -50,3 +63,20 @@ stringData:
   # Cloudflare Turnstile site key for the public booking form (public value,
   # env-injected so it can rotate without a rebuild).
   NUXT_PUBLIC_TURNSTILE_SITE_KEY: "REPLACE"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: operator-secrets
+  namespace: dezky-apps
+type: Opaque
+stringData:
+  # Authentik OIDC client provisioned for the operator (dezky-operator).
+  # NUXT_OIDC_CLIENT_SECRET MUST equal authentik-secret.OPERATOR_OIDC_CLIENT_SECRET.
+  NUXT_OIDC_CLIENT_ID: "dezky-operator"
+  NUXT_OIDC_CLIENT_SECRET: "REPLACE_WITH_authentik-secret.OPERATOR_OIDC_CLIENT_SECRET"
+  NUXT_OIDC_REDIRECT_URI: "https://operator.dezky.eu/auth/oidc/callback"
+  # Public base URL of Authentik (used for login redirects + full sign-out).
+  NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
+  # nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
+  NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"