tripit: deploy stack + DB provisioning + ongoing mail-ingest [ci skip]

- stacks/tripit: namespace, ESO (vault-kv + vault-database), Deployment
  (alembic init + app), Service, NFS document PVC, ingress (Authentik
  forward-auth) + /api/calendar carve-out (auth=none, HMAC-token gated),
  and 3 worker CronJobs. ingest-mail is live: real IMAP (me@, read-only
  BODY.PEEK, recent-30) + local LLM (qwen3vl-4b on llama-swap), idempotent
  (skips seen message_ids), owner me@viktorbarzin.me.
- stacks/dbaas: create CNPG role+db `tripit`.
- stacks/vault: pg-tripit static role (7d rotation) + allowed_roles entry.

Deployed at tripit.viktorbarzin.me. [ci skip]: stacks were applied
out-of-band via scripts/tg this session; a CI re-apply would also apply
unrelated pre-existing dbaas/vault drift (MySQL StatefulSet, vault OIDC).

Refs: code-bb9g, code-muqi

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

stacks/vault/main.tf

@@ -616,7 +616,7 @@ resource "vault_database_secret_backend_connection" "postgresql" {
     "pg-terraform-state", "pg-payslip-ingest", "pg-job-hunter",
     "pg-wealthfolio-sync", "pg-fire-planner",
     "pg-postiz", "pg-instagram-poster",
-    "pg-recruiter-responder",
+    "pg-recruiter-responder", "pg-tripit",
     "pg-matrix", "pg-technitium",
   ]
 
@@ -811,6 +811,14 @@ resource "vault_database_secret_backend_static_role" "pg_recruiter_responder" {
   rotation_period = 604800
 }
 
+resource "vault_database_secret_backend_static_role" "pg_tripit" {
+  backend         = vault_mount.database.path
+  db_name         = vault_database_secret_backend_connection.postgresql.name
+  name            = "pg-tripit"
+  username        = "tripit"
+  rotation_period = 604800
+}
+
 resource "vault_database_secret_backend_static_role" "pg_matrix" {
   backend         = vault_mount.database.path
   db_name         = vault_database_secret_backend_connection.postgresql.name