Add K3s dev deployment setup for single-node VPS

Mirrors the prod deploy-k3s/ setup but runs all services in-cluster
on a single node: PostgreSQL (replaces Neon), MinIO S3-compatible
storage (replaces B2), Redis, API, worker, and admin.

Includes fully automated setup scripts (00-init through 04-verify),
server hardening (SSH, fail2ban, ufw), Let's Encrypt TLS via Traefik,
network policies, RBAC, and security contexts matching prod.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

deploy-k3s/config.yaml.example

@@ -0,0 +1,118 @@
+# config.yaml — single source of truth for honeyDue K3s deployment
+# Copy to config.yaml, fill in all empty values, then run scripts in order.
+# This file is gitignored — never commit it with real values.
+
+# --- Hetzner Cloud ---
+cluster:
+  hcloud_token: ""                          # Hetzner API token (Read/Write)
+  ssh_public_key: ~/.ssh/id_ed25519.pub
+  ssh_private_key: ~/.ssh/id_ed25519
+  k3s_version: v1.31.4+k3s1
+  location: fsn1                            # Hetzner datacenter
+  instance_type: cx33                       # 4 vCPU, 16GB RAM
+
+# Filled by 01-provision-cluster.sh, or manually after creating servers
+nodes:
+  - name: honeydue-master1
+    ip: ""
+    roles: [master, redis]                  # 'redis' = pin Redis PVC here
+  - name: honeydue-master2
+    ip: ""
+    roles: [master]
+  - name: honeydue-master3
+    ip: ""
+    roles: [master]
+
+# Hetzner Load Balancer IP (created in console after provisioning)
+load_balancer_ip: ""
+
+# --- Domains ---
+domains:
+  api: api.myhoneydue.com
+  admin: admin.myhoneydue.com
+  base: myhoneydue.com
+
+# --- Container Registry (GHCR) ---
+registry:
+  server: ghcr.io
+  namespace: ""                             # GitHub username or org
+  username: ""                              # GitHub username
+  token: ""                                 # PAT with read:packages, write:packages
+
+# --- Database (Neon PostgreSQL) ---
+database:
+  host: ""                                  # e.g. ep-xxx.us-east-2.aws.neon.tech
+  port: 5432
+  user: ""
+  name: honeydue
+  sslmode: require
+  max_open_conns: 25
+  max_idle_conns: 10
+  max_lifetime: "600s"
+
+# --- Email (Fastmail) ---
+email:
+  host: smtp.fastmail.com
+  port: 587
+  user: ""                                  # Fastmail email address
+  from: "honeyDue <noreply@myhoneydue.com>"
+  use_tls: true
+
+# --- Push Notifications ---
+push:
+  apns_key_id: ""
+  apns_team_id: ""
+  apns_topic: com.tt.honeyDue
+  apns_production: true
+  apns_use_sandbox: false
+
+# --- B2 Object Storage ---
+storage:
+  b2_key_id: ""
+  b2_app_key: ""
+  b2_bucket: ""
+  b2_endpoint: ""                           # e.g. s3.us-west-004.backblazeb2.com
+  max_file_size: 10485760
+  allowed_types: "image/jpeg,image/png,image/gif,image/webp,application/pdf"
+
+# --- Worker Schedules (UTC hours) ---
+worker:
+  task_reminder_hour: 14
+  overdue_reminder_hour: 15
+  daily_digest_hour: 3
+
+# --- Feature Flags ---
+features:
+  push_enabled: true
+  email_enabled: true
+  webhooks_enabled: true
+  onboarding_emails_enabled: true
+  pdf_reports_enabled: true
+  worker_enabled: true
+
+# --- Redis ---
+redis:
+  password: ""                              # Set a strong password; leave empty for no auth (NOT recommended for production)
+
+# --- Admin Panel ---
+admin:
+  basic_auth_user: ""                       # HTTP basic auth username for admin panel
+  basic_auth_password: ""                   # HTTP basic auth password for admin panel
+
+# --- Apple Auth / IAP (optional, leave empty if unused) ---
+apple_auth:
+  client_id: ""
+  team_id: ""
+  iap_key_id: ""
+  iap_issuer_id: ""
+  iap_bundle_id: ""
+  iap_key_path: ""
+  iap_sandbox: false
+
+# --- Google Auth / IAP (optional, leave empty if unused) ---
+google_auth:
+  client_id: ""
+  android_client_id: ""
+  ios_client_id: ""
+  iap_package_name: ""
+  iap_service_account_path: ""