feat: add DOKS, managed postgres/redis, WAF rules, external-dns

terraform/doks.tf

@@ -0,0 +1,30 @@
+# ─── DOKS Cluster ─────────────────────────────────────────────────────────────
+
+resource "digitalocean_kubernetes_cluster" "main" {
+  name    = "lunarfront"
+  region  = var.region
+  version = var.k8s_version
+
+  node_pool {
+    name       = "workers"
+    size       = var.k8s_node_size
+    min_nodes  = var.k8s_min_nodes
+    max_nodes  = var.k8s_max_nodes
+    auto_scale = true
+  }
+
+  tags = ["lunarfront", "k8s"]
+}
+
+# ─── DNS — wildcard for customer subdomains → cluster load balancer ───────────
+# Uncomment after the cluster is up and nginx ingress load balancer IP is known.
+# Set cluster_lb_ip in terraform.tfvars then re-run terraform apply.
+
+resource "cloudflare_record" "apps_wildcard" {
+  zone_id = data.cloudflare_zone.main.id
+  name    = "*"
+  type    = "A"
+  content = var.cluster_lb_ip
+  proxied = true
+  ttl     = 1
+}