feat: Add HA Kubernetes cluster with Terraform + Ansible

- 3x CX23 control plane nodes (HA)
- 4x CX33 worker nodes
- k3s with embedded etcd
- Hetzner CCM for load balancers
- Gitea CI/CD workflows
- Backblaze B2 for Terraform state

terraform/firewall.tf

@@ -0,0 +1,86 @@
+resource "hcloud_firewall" "cluster" {
+  name = "${var.cluster_name}-firewall"
+
+  rule {
+    description = "SSH"
+    direction   = "in"
+    protocol    = "tcp"
+    port        = "22"
+    source_ips  = var.allowed_ssh_ips
+  }
+
+  rule {
+    description = "Kubernetes API"
+    direction   = "in"
+    protocol    = "tcp"
+    port        = "6443"
+    source_ips  = var.allowed_api_ips
+  }
+
+  rule {
+    description = "Kubernetes API (internal)"
+    direction   = "in"
+    protocol    = "tcp"
+    port        = "6443"
+    source_ips  = [var.subnet_cidr]
+  }
+
+  rule {
+    description = "k3s Supervisor"
+    direction   = "in"
+    protocol    = "tcp"
+    port        = "9345"
+    source_ips  = [var.subnet_cidr]
+  }
+
+  rule {
+    description = "etcd Client"
+    direction   = "in"
+    protocol    = "tcp"
+    port        = "2379"
+    source_ips  = [var.subnet_cidr]
+  }
+
+  rule {
+    description = "etcd Peer"
+    direction   = "in"
+    protocol    = "tcp"
+    port        = "2380"
+    source_ips  = [var.subnet_cidr]
+  }
+
+  rule {
+    description = "Flannel VXLAN"
+    direction   = "in"
+    protocol    = "udp"
+    port        = "8472"
+    source_ips  = [var.subnet_cidr]
+  }
+
+  rule {
+    description = "Kubelet"
+    direction   = "in"
+    protocol    = "tcp"
+    port        = "10250"
+    source_ips  = [var.subnet_cidr]
+  }
+
+  rule {
+    description = "NodePorts"
+    direction   = "in"
+    protocol    = "tcp"
+    port        = "30000-32767"
+    source_ips  = ["0.0.0.0/0"]
+  }
+
+  rule {
+    description = "ICMP"
+    direction   = "in"
+    protocol    = "icmp"
+    source_ips  = ["0.0.0.0/0"]
+  }
+
+  apply_to {
+    label_selector = "cluster=${var.cluster_name}"
+  }
+}