stem95su: scheduled Drive->site sync CronJob (every 10m)

CronJob stem95su-gdrive-sync (*/10) mounts the content PVC RW and
rclone-syncs the read-only Drive folder "claude" (stem claude/files) onto
it (rclone/rclone:1.74.3, scope=drive.readonly, empty-source guard +
--max-delete 25). ESO ExternalSecret stem95su-rclone <- Vault
secret/stem95su. Requires the GCP OAuth app published to Production or the
refresh token expires ~weekly.

Lands the gdrive-sync stack on master (it had landed on a feature branch
by accident on the shared devvm checkout).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/monitoring/modules/monitoring/loki_ingress.tf

@@ -1,23 +0,0 @@
-# Loki write/push endpoint for EXTERNAL hosts (currently rpi-sofia's promtail).
-#
-# Loki runs SingleBinary with the gateway disabled and auth_enabled=false, so it
-# is ClusterIP-only (svc "loki":3100) and unreachable from off-cluster. An
-# external log shipper like the Sofia Raspberry Pi cannot POST to
-# /loki/api/v1/push without this ingress.
-#
-# auth = "none": promtail ships logs programmatically (no browser, no Authentik
-# SSO cookie dance). The allow_local_access_only middleware (192.168.0.0/16 +
-# 10.0.0.0/8) gates the endpoint to LAN/VPN only — the correct model for a
-# LAN-only Pi, mirroring the idrac-redfish-exporter ingress in this module.
-module "loki-write-ingress" {
-  source = "../../../../modules/kubernetes/ingress_factory"
-  # auth = "none": rpi-sofia's promtail pushes logs programmatically (no browser, no Authentik SSO cookie); gated to LAN/VPN by allow_local_access_only below.
-  auth                    = "none"
-  namespace               = kubernetes_namespace.monitoring.metadata[0].name
-  name                    = "loki"
-  root_domain             = "viktorbarzin.lan"
-  tls_secret_name         = var.tls_secret_name
-  allow_local_access_only = true
-  ssl_redirect            = false
-  port                    = 3100
-}