[ci skip] k8s portal: fix setup script + add onboarding hub (5 new pages)

Bug fixes:
- CA cert now populated in ConfigMap (was empty → TLS failures)
- Remove useless heredoc quote escaping in setup script
- Fix homepage: VPN callout, correct verification command (get namespaces)
- Fix false-positive sensitive=true on ingress_path, tls_secret_name,
  truenas_host, ollama_host, client_certificate_secret_name

New pages (direct Svelte, no mdsvex dependency):
- /onboarding: step-by-step guide (VPN, kubectl, git, first PR)
- /architecture: cluster topology, storage, networking, tiers
- /services: catalog of 70+ services with URLs
- /contributing: PR workflow, what you can/can't change, NEVER list
- /troubleshooting: common issues and fixes

Navigation bar added to layout. All pages use consistent docs styling.

Requires Docker image rebuild: cd stacks/platform/modules/k8s-portal/files
&& docker build -t viktorbarzin/k8s-portal:latest . && docker push

stacks/platform/main.tf

@@ -24,7 +24,6 @@
 # --- Core ---
 variable "tls_secret_name" {
   type = string
-  sensitive = true
 }
 variable "nfs_server" { type = string }
 variable "redis_host" { type = string }
@@ -75,6 +74,10 @@ variable "homepage_credentials" {
 # --- headscale ---
 variable "headscale_config" { type = string }
 variable "headscale_acl" { type = string }
+variable "k8s_ca_cert" {
+  type    = string
+  default = ""
+}
 
 # --- authentik / rbac / k8s-portal ---
 variable "authentik_secret_key" {
@@ -317,6 +320,7 @@ module "k8s-portal" {
   source          = "./modules/k8s-portal"
   tier            = local.tiers.edge
   tls_secret_name = var.tls_secret_name
+  k8s_ca_cert     = var.k8s_ca_cert
 }
 
 # -----------------------------------------------------------------------------