fix: macOS dev VM, CA certs, DNS fallback, Portainer Edge integration

- dev-vm.sh: rewrite for macOS (bsdtar ISO extraction, Homebrew mkfs.ext4
  detection, direct kernel boot, TCG acceleration, port 8080 forwarding)
- inject-kubesolo.sh: add CA certificates bundle from builder so containerd
  can verify TLS when pulling from registries (Docker Hub, etc.)
- 50-network.sh: add DNS fallback (10.0.2.3 + 8.8.8.8) when DHCP client
  doesn't populate /etc/resolv.conf
- 90-kubesolo.sh: serve kubeconfig via HTTP on port 8080 for reliable
  retrieval from host, add 127.0.0.1 and 10.0.2.15 to API server SANs
- portainer.go: add headless Service to Edge Agent manifest (required for
  agent peer discovery DNS lookup)
- 10-parse-cmdline.sh + init.sh: add kubesolo.edge_id/edge_key boot params
- 20-persistent-mount.sh: auto-format unformatted data disks on first boot
- hack/fix-portainer-service.sh: helper to patch running cluster

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

cloud-init/portainer.go

@@ -77,6 +77,21 @@ func buildEdgeAgentManifest(edgeID, edgeKey, portainerURL, image string) string
 	sb.WriteString("    name: portainer-sa-clusteradmin\n")
 	sb.WriteString("    namespace: portainer\n")
 	sb.WriteString("---\n")
+	sb.WriteString("apiVersion: v1\n")
+	sb.WriteString("kind: Service\n")
+	sb.WriteString("metadata:\n")
+	sb.WriteString("  name: portainer-agent\n")
+	sb.WriteString("  namespace: portainer\n")
+	sb.WriteString("spec:\n")
+	sb.WriteString("  clusterIP: None\n")
+	sb.WriteString("  selector:\n")
+	sb.WriteString("    app: portainer-agent\n")
+	sb.WriteString("  ports:\n")
+	sb.WriteString("    - name: agent\n")
+	sb.WriteString("      port: 9001\n")
+	sb.WriteString("      targetPort: 9001\n")
+	sb.WriteString("      protocol: TCP\n")
+	sb.WriteString("---\n")
 	sb.WriteString("apiVersion: apps/v1\n")
 	sb.WriteString("kind: Deployment\n")
 	sb.WriteString("metadata:\n")