feat: add DOKS, managed postgres/redis, WAF rules, external-dns

terraform/postgres.tf

@@ -0,0 +1,23 @@
+# ─── Managed PostgreSQL cluster ───────────────────────────────────────────────
+# Shared across all customers — each customer gets their own database.
+
+resource "digitalocean_database_cluster" "postgres" {
+  name       = "lunarfront-postgres"
+  engine     = "pg"
+  version    = "16"
+  size       = var.postgres_size
+  region     = var.region
+  node_count = 1
+
+  tags = ["lunarfront", "postgres"]
+}
+
+# Restrict access to the DOKS cluster only
+resource "digitalocean_database_firewall" "postgres" {
+  cluster_id = digitalocean_database_cluster.postgres.id
+
+  rule {
+    type  = "k8s"
+    value = digitalocean_kubernetes_cluster.main.id
+  }
+}