Add K3s dev deployment setup for single-node VPS

Mirrors the prod deploy-k3s/ setup but runs all services in-cluster
on a single node: PostgreSQL (replaces Neon), MinIO S3-compatible
storage (replaces B2), Redis, API, worker, and admin.

Includes fully automated setup scripts (00-init through 04-verify),
server hardening (SSH, fail2ban, ufw), Let's Encrypt TLS via Traefik,
network policies, RBAC, and security contexts matching prod.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

deploy-k3s/manifests/secrets.yaml.example

@@ -0,0 +1,47 @@
+# EXAMPLE ONLY — never commit real values.
+# Secrets are created by scripts/02-setup-secrets.sh.
+# This file shows the expected structure for reference.
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: honeydue-secrets
+  namespace: honeydue
+type: Opaque
+stringData:
+  POSTGRES_PASSWORD: "CHANGEME"
+  SECRET_KEY: "CHANGEME_MIN_32_CHARS"
+  EMAIL_HOST_PASSWORD: "CHANGEME"
+  FCM_SERVER_KEY: "CHANGEME"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: honeydue-apns-key
+  namespace: honeydue
+type: Opaque
+data:
+  apns_auth_key.p8: ""  # base64-encoded .p8 file contents
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ghcr-credentials
+  namespace: honeydue
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: ""  # base64-encoded Docker config
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-origin-cert
+  namespace: honeydue
+type: kubernetes.io/tls
+data:
+  tls.crt: ""  # base64-encoded origin certificate
+  tls.key: ""  # base64-encoded origin private key