feat(infra): real TLS for mail.dezky.eu

The cert-sync timer waited forever for a mail/mail-tls secret no
Certificate resource ever requested — Stalwart served self-signed certs
since install, so mail clients refused the IMAP handshake ('cannot verify
account name or password' in Apple Mail). Adds the cert-manager
Certificate (HTTP-01 via Traefik on :80) and documents the v0.16 wrinkle:
TLS files aren't read from config anymore; a one-time file-backed
x:Certificate object (created via management JMAP) points at the synced
paths, after which cert-sync renewals keep working unchanged. Verified:
:993 now serves the Let's Encrypt cert, verify rc=0.

infrastructure/production/fleet/cert-manager/mail-certificate.yaml

@@ -0,0 +1,29 @@
+# TLS for mail.dezky.eu — issued in-cluster by cert-manager, consumed on the
+# HOST by Stalwart: stalwart-cert-sync.timer (host/stalwart/cert-sync.sh)
+# copies the mail/mail-tls secret to /opt/stalwart/etc/tls every 12h and
+# reloads Stalwart when it changes. Until this Certificate is Ready, Stalwart
+# serves the self-signed bootstrap cert and mail clients refuse the TLS
+# handshake ("cannot verify account name or password" in Apple Mail).
+#
+# HTTP-01 works because Traefik owns :80 on the node and cert-manager's
+# solver ingress answers /.well-known/acme-challenge for any Host.
+#
+# Apply by hand with the rest of the cert-manager layer (see RUNBOOK):
+#   kubectl apply -f mail-certificate.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mail
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mail-dezky-eu
+  namespace: mail
+spec:
+  secretName: mail-tls
+  dnsNames:
+    - mail.dezky.eu
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer