Initial monorepo scaffold

Turborepo + pnpm monorepo for k3s homelab cluster on Intel NUCs.

- Apps: Next.js web frontend, Express API (TypeScript, Dockerfiles, k8s manifests)
- Packages: shared UI, ESLint config, TypeScript config, Drizzle DB schemas
- Infra/Ansible: bare-metal provisioning with roles for common, k3s-server, k3s-agent, hardening
- Infra/Kubernetes: ArgoCD GitOps (app-of-apps + ApplicationSets), platform components
  (cert-manager, Traefik, CloudNativePG, Valkey, Longhorn, Sealed Secrets), namespaces
- Observability: kube-prometheus-stack, Loki, Promtail as ArgoCD Applications
- CI/CD: GitHub Actions for PR builds, preview deploys, production deploys
- DX: Taskfile, utility scripts, copier templates, Ubiquiti network docs

scripts/seal-secret.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if ! command -v kubeseal &>/dev/null; then
+  echo "Error: kubeseal is not installed"
+  echo "Install: brew install kubeseal"
+  exit 1
+fi
+
+if [[ $# -lt 3 ]]; then
+  echo "Usage: $0 <secret-name> <namespace> <key=value> [key=value...]"
+  echo ""
+  echo "Example:"
+  echo "  $0 api-secrets apps database-url=postgres://... valkey-url=redis://..."
+  exit 1
+fi
+
+SECRET_NAME="$1"
+NAMESPACE="$2"
+shift 2
+
+LITERAL_ARGS=()
+for pair in "$@"; do
+  LITERAL_ARGS+=("--from-literal=$pair")
+done
+
+echo "Sealing secret '$SECRET_NAME' in namespace '$NAMESPACE'..."
+
+kubectl create secret generic "$SECRET_NAME" \
+  --namespace "$NAMESPACE" \
+  --dry-run=client \
+  -o yaml \
+  "${LITERAL_ARGS[@]}" \
+  | kubeseal \
+    --format yaml \
+    --controller-namespace kube-system \
+    --controller-name sealed-secrets \
+  > "${SECRET_NAME}-sealed.yaml"
+
+echo "Sealed secret written to ${SECRET_NAME}-sealed.yaml"
+echo "Move this file to the appropriate k8s directory and commit it."