misc: zot registry, k8s OIDC, server configs, sandbox experiments, and notes

- docker-30/zot: add Zot OCI registry with on-demand sync to docker.io,
  registry.k8s.io, ghcr.io, quay.io
- kubernetes-kvm-terraform: wire Kanidm OIDC via structured
  AuthenticationConfiguration; add reference apiserver manifest and
  join-node-02 helper
- servers: reorganize shadow/ under servers/, add saint vhost config and
  utility-101 VM definition, add shadow hrajfrisbee.cz vhost and
  storage-23 notes
- experiments: add notes and configs for e2b dev VM, kata + firecracker
  on kube, microsandbox, orb-stack k3s (terraform + cloud-init), rke2
- vms/docker: document tailscale + node-exporter setup
- blog: stub post on Gateway API
- chore: gitignore tmp/, smtp_password, and the two local-only
  credential caches; add per-project .claude/settings.json

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

vms/docker/install.md

@@ -1,3 +1,32 @@
 ## expected services
 
-- tailscaled
+- tailscaled
+- node-exporter
+
+```bash
+# tailscale installation
+# add repo and public keys
+curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/$(lsb_release -cs).noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
+curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/$(lsb_release -cs).tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list
+
+# install
+sudo apt update
+sudo apt install tailscale -y
+
+# enable & start
+systemctl enable tailscaled
+systemctl start tailscaled
+
+# authenticate
+tailscale up
+```
+
+### deploy node-exporter
+
+```bash
+mkdir -p /srv/docker/node-exporter
+cp docker-compose.yaml /srv/docker/node-exporter/
+cp node-exporter.service /etc/systemd/system/
+systemctl daemon-reload
+systemctl enable --now node-exporter
+```