traefik/crowdsec: serve Cloudflare Turnstile for captcha remediation

CrowdSec LAPI already issues `captcha`-type decisions for lower-severity abuse
(http-429-abuse, http-403-abuse, http-crawl-non_statics, http-sensitive-files),
but the Traefik bouncer plugin had no captcha provider configured — so those
decisions silently fell through to a 403 ban (traced in the plugin's bouncer.go
@ v1.4.2: captchaClient.Valid==false => handleBanServeHTTP). Flagged users had
no way to self-unblock, contradicting the profile's stated intent.

Wire Cloudflare Turnstile as the bouncer's captcha provider so a captcha
decision now renders a solvable challenge instead of a hard block:

- New cloudflare_turnstile_widget.crowdsec_captcha (managed mode), scoped to
  viktorbarzin.me so one widget covers every subdomain the bouncer fronts.
  Mirrors the existing Forgejo-signup Turnstile pattern; sitekey + secret are
  passed into the traefik module.
- middleware.tf: captchaProvider=turnstile + site/secret keys + grace 1800s +
  captchaHTMLFilePath=/captcha/captcha.html.
- Vendor the plugin's captcha.html and mount it into the Traefik container at
  /captcha via the chart `volumes` value — the pulled Yaegi plugin does not
  expose its bundled template to Traefik.
- docs/architecture/security.md: document the ban-vs-captcha remediation split.
- Remove the dead crowdsec-ingress-bouncer.yaml (unused nginx bouncer with
  placeholder reCAPTCHA keys; referenced by zero .tf).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/crowdsec/modules/crowdsec/crowdsec-ingress-bouncer.yaml

@@ -1,44 +0,0 @@
-controller:
-  extraVolumes:
-    - name: crowdsec-bouncer-plugin
-      emptyDir: {}
-  extraInitContainers:
-    - name: init-clone-crowdsec-bouncer
-      image: crowdsecurity/lua-bouncer-plugin
-      imagePullPolicy: IfNotPresent
-      env:
-        - name: API_URL
-          value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080" # crowdsec lapi service-name
-        - name: API_KEY
-          value: "<API KEY>" # generated with `cscli bouncers add -n <bouncer_name>
-        - name: BOUNCER_CONFIG
-          value: "/crowdsec/crowdsec-bouncer.conf"
-        - name: CAPTCHA_PROVIDER
-          value: "recaptcha" # valid providers are recaptcha, hcaptcha, turnstile
-        - name: SECRET_KEY
-          value: "<your-captcha-secret-key>" # If you want captcha support otherwise remove this ENV VAR
-        - name: SITE_KEY
-          value: "<your-captcha-site-key>" # If you want captcha support otherwise remove this ENV VAR
-        - name: BAN_TEMPLATE_PATH
-          value: /etc/nginx/lua/plugins/crowdsec/templates/ban.html
-        - name: CAPTCHA_TEMPLATE_PATH
-          value: /etc/nginx/lua/plugins/crowdsec/templates/captcha.html
-      command:
-        [
-          "sh",
-          "-c",
-          "sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/",
-        ]
-      volumeMounts:
-        - name: crowdsec-bouncer-plugin
-          mountPath: /lua_plugins
-  extraVolumeMounts:
-    - name: crowdsec-bouncer-plugin
-      mountPath: /etc/nginx/lua/plugins/crowdsec
-      subPath: crowdsec
-  config:
-    plugins: "crowdsec"
-    lua-shared-dicts: "crowdsec_cache: 50m"
-    server-snippet: |
-      lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt"; # If you want captcha support otherwise remove this line
-      resolver local=on ipv6=off;