feat(ci): deploy to k3s straight from the pipeline (drop Flux plan)

Push to main = release: after build, a deploy job pins each app image to the
commit SHA (kustomize edit set image), kubectl-applies fleet/apps and waits
for the rollouts. The runner already runs in-cluster, so it reaches the API
server on the in-cluster service IP with a kubeconfig for the new ci-deployer
ServiceAccount (namespace-scoped admin, KUBECONFIG_B64 repo secret).

The drafted Flux sync/image-automation layer is removed — a GitOps controller
plus bot tag-bump commits is more machinery than a single-node cluster needs.
Sortable image tags and $imagepolicy markers go with it.

Also: per-router ACME-safe HTTP->HTTPS redirects for the app ingresses,
platform-api prod config completed (Authentik JWT/JWKS + admin API, Stalwart
via the cni0 gateway IP, OCIS/cold-storage placeholders until those tiers
exist) and the secrets template/README updated to match.

infrastructure/production/fleet/traefik/helmchartconfig.yaml

@@ -1,14 +1,19 @@
-# Customise the k3s-bundled Traefik: redirect ALL HTTP (:80) → HTTPS (:443)
-# globally, for every Ingress on the cluster.
+# Customise the k3s-bundled Traefik.
 #
 # k3s manages Traefik via a HelmChart named 'traefik' in kube-system; a
 # HelmChartConfig of the same name MERGES these values into it (k3s re-runs the
-# install). We inject the redirect as Traefik static-config args
-# (additionalArguments) — version-independent, unlike the chart's
-# ports.web.redirectTo value which didn't render on this chart version.
+# install).
 #
-# HTTP-01 ACME is unaffected: Let's Encrypt follows the 308 to HTTPS, so
-# cert-manager challenges still validate.
+# HTTP→HTTPS redirect is deliberately NOT done here at the entrypoint level.
+# A global `entrypoints.web.http.redirections` is a catch-all that runs BEFORE
+# any router, so it 301s the ACME HTTP-01 challenge (:80 /.well-known/
+# acme-challenge/...) to HTTPS before cert-manager's solver can answer — and the
+# solver isn't served on the websecure-only app ingresses, so the challenge
+# 404s and Let's Encrypt issuance fails. Instead each app Ingress carries a
+# `redirectScheme` Middleware (see apps/redirect-middleware.yaml +
+# authentik/redirect-middleware.yaml): real traffic still gets 301'd to HTTPS,
+# but port 80 stays open so the cert-manager solver (a separate, more-specific
+# router with no middleware) can complete the challenge.
 apiVersion: helm.cattle.io/v1
 kind: HelmChartConfig
 metadata:
@@ -16,9 +21,4 @@ metadata:
   namespace: kube-system
 spec:
   valuesContent: |-
-    additionalArguments:
-      # to=:443 (NOT 'websecure') — the websecure entrypoint listens on :8443
-      # internally, which isn't exposed; redirect to the public 443 instead.
-      - "--entrypoints.web.http.redirections.entrypoint.to=:443"
-      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
-      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
+    additionalArguments: []