docker-30: gitea CI/CD integration with Vault and Kanidm, misc updates
vault:
- Add JWT auth backend bound to Gitea (jwks_url from gitea OIDC keys)
- Add gitea-ci-read policy scoped to secret/data/gitea/*
- Add JWT role gitea-ci (sub claim, bound to Gitea audience, 10m TTL)
- Add AppRole gitea-ci as alternative auth method for the same policy
- Add gitea-access-into-vault.md documenting the setup end-to-end
- Update terraform.tfstate (OpenTofu 1.11.5, new gitea-ci resources)

kanidm:
- Add run.sh with docker run command (pinned to v1.9.1)
- Add gitea-action-kubernetes-access.md documenting how to set up a Kanidm service account and OAuth2 client for Gitea CI k8s access
- readme: add upgrade procedure, recover-account command, and service account + API token setup for gitea-ci-token

maru-hleda-byt:
- Add --restart=always to docker run command

fuj-management:
- Add run.sh (new service config)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
10
docker-30/fuj-management/run.sh
Normal file
@@ -0,0 +1,10 @@
#!/bin/bash
docker rm -f fuj-management
# gitea registry login with kacerr / token
docker run -d --name fuj-management \
--restart=always \
-p 8081:5001 \
-v /srv/fuj-management/data:/app/data \
gitea.home.hrajfrisbee.cz/kacerr/fuj-management:latest
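Review bot: The image on the last line of the `docker run` command is referenced by the mutable tag `:latest`, so the script does not record which build is deployed, and because `docker run` only pulls when the image is absent locally, re-running the script after `docker rm -f` can restart a stale image. Consider pinning a version tag or digest, as the commit message says the kanidm run.sh does (v1.9.1), and adding an explicit `docker pull` before the run. Separately, `-p 8081:5001` publishes the port on all host interfaces; if the service is only meant to be reached through a local reverse proxy, bind it as `127.0.0.1:8081:5001`. The registry login exists only as a comment, so the script depends on a prior manual `docker login`; that prerequisite is worth stating in the readme.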