feat: add ArgoCD bootstrap with ApplicationSet pattern

- Add root ApplicationSet using Git Directory Generator
- Configure AppProjects for infrastructure and apps separation
- Add cert-manager with Let's Encrypt ClusterIssuers (staging/prod)
- Add SOPS configuration for age-encrypted secrets
- Add bootstrap documentation (docs/BOOTSTRAP.md)
- Scaffold infrastructure dirs (networking, storage, monitoring)
- Update README with quick start and architecture

GitOps pattern: directories auto-discovered by ArgoCD ApplicationSets
Reference: CNCF App-of-Apps best practices 2025

clusters/defiant/argocd-namespace.yaml

@@ -0,0 +1,12 @@
+# clusters/defiant/argocd-namespace.yaml
+# ArgoCD namespace with required labels
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: argocd
+  labels:
+    app.kubernetes.io/name: argocd
+    app.kubernetes.io/part-of: argocd
+    # Pod Security Standards - privileged for ArgoCD repo-server
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted

clusters/defiant/kustomization.yaml

@@ -0,0 +1,12 @@
+# clusters/defiant/kustomization.yaml
+# Root Kustomization for defiant k3s cluster
+# Applied by ArgoCD or manually via: kubectl apply -k clusters/defiant/
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: argocd
+
+resources:
+  - argocd-namespace.yaml
+  - root-applicationset.yaml
+  - projects.yaml

clusters/defiant/projects.yaml

@@ -0,0 +1,49 @@
+# clusters/defiant/projects.yaml
+# ArgoCD AppProjects for access control and grouping
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: infrastructure
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  description: Core cluster infrastructure (networking, storage, monitoring)
+  sourceRepos:
+    - 'https://github.com/ghndrx/homelab-gitops.git'
+    - 'https://charts.jetstack.io'
+    - 'https://prometheus-community.github.io/helm-charts'
+    - 'https://grafana.github.io/helm-charts'
+  destinations:
+    - namespace: '*'
+      server: https://kubernetes.default.svc
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'
+  namespaceResourceWhitelist:
+    - group: '*'
+      kind: '*'
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: apps
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  description: User-facing applications
+  sourceRepos:
+    - 'https://github.com/ghndrx/homelab-gitops.git'
+  destinations:
+    - namespace: 'prod-*'
+      server: https://kubernetes.default.svc
+    - namespace: 'dev-*'
+      server: https://kubernetes.default.svc
+  clusterResourceWhitelist:
+    - group: ''
+      kind: Namespace
+  namespaceResourceWhitelist:
+    - group: '*'
+      kind: '*'

clusters/defiant/root-applicationset.yaml

@@ -0,0 +1,96 @@
+# clusters/defiant/root-applicationset.yaml
+# Root ApplicationSet using Git Directory Generator
+# Automatically creates ArgoCD Applications for each component in infrastructure/
+# Reference: https://argo-cd.readthedocs.io/en/latest/operator-manual/applicationset/Generators-Git/
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: infrastructure
+  namespace: argocd
+spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
+  generators:
+    - git:
+        repoURL: https://github.com/ghndrx/homelab-gitops.git
+        revision: HEAD
+        directories:
+          - path: infrastructure/*
+  template:
+    metadata:
+      name: '{{ .path.basename }}'
+      namespace: argocd
+      labels:
+        app.kubernetes.io/part-of: homelab-infrastructure
+      finalizers:
+        - resources-finalizer.argocd.argoproj.io
+    spec:
+      project: infrastructure
+      source:
+        repoURL: https://github.com/ghndrx/homelab-gitops.git
+        targetRevision: HEAD
+        path: '{{ .path.path }}'
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: '{{ .path.basename }}'
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+          allowEmpty: false
+        syncOptions:
+          - CreateNamespace=true
+          - PrunePropagationPolicy=foreground
+          - PruneLast=true
+        retry:
+          limit: 5
+          backoff:
+            duration: 5s
+            factor: 2
+            maxDuration: 3m
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: apps
+  namespace: argocd
+spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
+  generators:
+    - git:
+        repoURL: https://github.com/ghndrx/homelab-gitops.git
+        revision: HEAD
+        directories:
+          - path: apps/overlays/prod/*
+  template:
+    metadata:
+      name: 'prod-{{ .path.basename }}'
+      namespace: argocd
+      labels:
+        app.kubernetes.io/part-of: homelab-apps
+        environment: prod
+      finalizers:
+        - resources-finalizer.argocd.argoproj.io
+    spec:
+      project: apps
+      source:
+        repoURL: https://github.com/ghndrx/homelab-gitops.git
+        targetRevision: HEAD
+        path: '{{ .path.path }}'
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: 'prod-{{ .path.basename }}'
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+          - CreateNamespace=true
+        retry:
+          limit: 3
+          backoff:
+            duration: 5s
+            factor: 2
+            maxDuration: 1m