feat: SOPS + age encrypted secrets structure

- .sops.yaml with 3 age keys (admin, dev, prod)
- infra/gitea/values/*.enc.yaml — per-env encrypted Helm values
- infra/kargo/values/*.enc.yaml — per-env encrypted Kargo admin secrets
- kargo/credentials/*.enc.yaml — per-env encrypted git credentials (ksops)
- infra/kargo-credentials/ — ArgoCD app for deploying Kargo creds via ksops
- All repoURLs point to deploy-app-kargo-private

Structure from deploy-app-kargo (reference), adapted for SOPS workflow

infra/traefik-routes/manifests/gitea-ingress.yaml

@@ -0,0 +1,41 @@
+# Gitea HTTPS IngressRoute via Traefik
+# Uses default TLS store (wildcard-tls from kube-system via TLSStore)
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-https
+  namespace: gitea
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: HostRegexp(`gitea.k3s\..+\.local`)
+      kind: Rule
+      middlewares:
+        - name: sslheader
+          namespace: kube-system
+        - name: gitea-buffer-timeout
+          namespace: gitea
+      services:
+        - name: gitea-http
+          port: 3000
+  tls: {}
+---
+# HTTP → HTTPS redirect for Gitea
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-http-redirect
+  namespace: gitea
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: HostRegexp(`gitea.k3s\..+\.local`)
+      kind: Rule
+      middlewares:
+        - name: redirect-https
+          namespace: kube-system
+      services:
+        - name: gitea-http
+          port: 3000