feat(ci): deploy to k3s straight from the pipeline (drop Flux plan)

Push to main = release: after build, a deploy job pins each app image to the
commit SHA (kustomize edit set image), kubectl-applies fleet/apps and waits
for the rollouts. The runner already runs in-cluster, so it reaches the API
server on the in-cluster service IP with a kubeconfig for the new ci-deployer
ServiceAccount (namespace-scoped admin, KUBECONFIG_B64 repo secret).

The drafted Flux sync/image-automation layer is removed — a GitOps controller
plus bot tag-bump commits is more machinery than a single-node cluster needs.
Sortable image tags and $imagepolicy markers go with it.

Also: per-router ACME-safe HTTP->HTTPS redirects for the app ingresses,
platform-api prod config completed (Authentik JWT/JWKS + admin API, Stalwart
via the cni0 gateway IP, OCIS/cold-storage placeholders until those tiers
exist) and the secrets template/README updated to match.

infrastructure/production/fleet/ci/ci-deployer.yaml

@@ -0,0 +1,90 @@
+# ServiceAccount the CI deploy job uses to roll out the app tier.
+#
+# The Gitea Actions runner lives in this cluster (see gitea-runner.yaml), so
+# the deploy job in .gitea/workflows/ci.yml talks straight to the API server
+# on the in-cluster service IP (https://10.43.0.1) with a kubeconfig built
+# from this ServiceAccount's token. Scope: admin within dezky-apps only, plus
+# the Traefik Middleware CRD ('admin' doesn't aggregate CRDs) and read/patch
+# on the dezky-apps Namespace object itself (kustomization includes it).
+#
+# Mint the kubeconfig + store it as the KUBECONFIG_B64 Gitea repo secret —
+# one-time, documented in ../README.md.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ci-deployer
+  namespace: dezky-apps
+---
+# Long-lived token (k8s no longer auto-creates these for ServiceAccounts).
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ci-deployer-token
+  namespace: dezky-apps
+  annotations:
+    kubernetes.io/service-account.name: ci-deployer
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ci-deployer-admin
+  namespace: dezky-apps
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+subjects:
+  - kind: ServiceAccount
+    name: ci-deployer
+    namespace: dezky-apps
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ci-deployer-traefik
+  namespace: dezky-apps
+rules:
+  - apiGroups: ["traefik.io"]
+    resources: ["middlewares"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ci-deployer-traefik
+  namespace: dezky-apps
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ci-deployer-traefik
+subjects:
+  - kind: ServiceAccount
+    name: ci-deployer
+    namespace: dezky-apps
+---
+# kubectl apply -k includes namespace.yaml; name-scoped so this SA can only
+# touch the dezky-apps Namespace (create is intentionally absent — if the
+# namespace is ever gone, bootstrap it by hand per the RUNBOOK).
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ci-deployer-namespace
+rules:
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    resourceNames: ["dezky-apps"]
+    verbs: ["get", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ci-deployer-namespace
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ci-deployer-namespace
+subjects:
+  - kind: ServiceAccount
+    name: ci-deployer
+    namespace: dezky-apps