crowdsec: register kvsync + firewall bouncer keys in LAPI

Seeds two new bouncers at LAPI startup (BOUNCER_KEY_kvsync, BOUNCER_KEY_firewall)
from Vault secret/platform, mirroring the existing BOUNCER_KEY_traefik wiring.
These are the two halves of the real enforcement that replaces the dead Yaegi
plugin: kvsync authenticates the LAPI->Cloudflare-KV sync (proxied edge Worker),
firewall authenticates the cs-firewall-bouncer DaemonSet (direct-host nftables).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/crowdsec/main.tf

@@ -32,4 +32,8 @@ module "crowdsec" {
   # Same key the traefik-stack bouncer middleware uses — seeded into LAPI so the
   # bouncer authenticates and pulls decisions (was unregistered → 403 → fail-open).
   ingress_bouncer_key = data.vault_kv_secret_v2.secrets.data["ingress_crowdsec_api_key"]
+  # Real enforcement replacing the dead Traefik plugin: kvsync feeds the proxied
+  # edge Worker via Cloudflare KV; firewall is the direct-host nftables bouncer.
+  kvsync_bouncer_key   = data.vault_kv_secret_v2.secrets.data["kvsync_bouncer_key"]
+  firewall_bouncer_key = data.vault_kv_secret_v2.secrets.data["firewall_bouncer_key"]
 }