deploy(gx10): add NanoHUB Apple MDM workload

apps-gx10/fc-apple-mdm/README.md

@@ -0,0 +1,45 @@
+# FlowerCore Apple MDM on GX10
+
+This directory deploys the NanoHUB `v0.2.0` substrate for Apple MDM protocol
+traffic at `https://mdm.iamworkin.lan`.
+
+## Runtime
+
+- Namespace: `fc-apple-mdm`
+- Image: `localhost/fc-apple-mdm-nanohub:v0.2.0-20260617`
+- Upstream digest: `ghcr.io/micromdm/nanohub:latest@sha256:e36a50db2dc3d2bf736645e58712f622c04b05b28487390981905ef4d0be5fbd`
+- Persistent state: `fc-apple-mdm-data` on `local-path`, mounted at `/var/lib/nanohub`
+- File backend DSN: `/var/lib/nanohub/db`
+- Required secret: `Secret/fc-apple-mdm-runtime`, key `NANOHUB_API_KEY`
+- Optional later bridge secret: `NANOHUB_WEBHOOK_URL`
+- Required CA mount: `ConfigMap/fc-apple-mdm-root-ca`, key `root_ca.crt`
+
+NanoHUB API authentication is HTTP Basic with username `nanohub` and password
+from `NANOHUB_API_KEY`.
+
+## Public Surface
+
+The Traefik route intentionally exposes only:
+
+- `/version`
+- `/mdm`
+- `/checkin`
+
+NanoHUB APIs under `/api/v1/*` stay cluster-internal for MDM-N1. The
+DeviceManagement bridge can use the ClusterIP service directly once its NanoHUB
+client lane lands.
+
+## Deployment Notes
+
+1. Create or refresh the runtime Kubernetes Secret from the 1Password item
+   `FlowerCore Apple MDM Runtime` before sync. GX10 does not yet depend on the
+   1Password operator for this workload.
+2. Import `localhost/fc-apple-mdm-nanohub:v0.2.0-20260617` into GX10 containerd
+   before ArgoCD syncs. The deployment uses `imagePullPolicy: Never`.
+3. Ensure `mdm.iamworkin.lan` resolves to the GX10 Traefik VIP `10.0.57.202`
+   before cert-manager requests `Certificate/fc-apple-mdm-tls`.
+4. Prove `https://mdm.iamworkin.lan/version` after ArgoCD converges.
+
+This lane does not create an APNs MDM push certificate, enrollment profile,
+SCEP/device identity service, managed Wi-Fi payload, managed app install, or
+supervised iPad enrollment. Those remain MDM-N2 through MDM-N8.