vault: complete Phase 2 NFS-hostile migration; remove nfs-proxmox SC

All 3 vault voters now on proxmox-lvm-encrypted (vault-0 16:18, vault-1
+ vault-2 today). The NFS fsync incompatibility identified in the
2026-04-22 raft-leader-deadlock post-mortem is no longer reachable —
raft consensus log + audit log live on LUKS2 block storage with real
fsync semantics.

Cluster-wide consumers of the inline kubernetes_storage_class.nfs_proxmox
dropped to zero after the rolling, so the resource is removed from
infra/stacks/vault/main.tf. Released NFS PVs (6) remain in the cluster
and will be reclaimed in Phase 3 cleanup.

Lesson learned (recorded in plan): pvc-protection finalizer races the
StatefulSet controller — pod recreates on the OLD PVCs unless the
finalizer is patched out before pod delete. Force-finalize technique
applied to vault-1 + vault-2 successfully.

Closes: code-gy7h

stacks/vault/main.tf

@@ -25,22 +25,6 @@ module "tls_secret" {
   tls_secret_name = var.tls_secret_name
 }
 
-# NFS StorageClass pointing to Proxmox host (replaces nfs-truenas for vault)
-resource "kubernetes_storage_class" "nfs_proxmox" {
-  metadata {
-    name = "nfs-proxmox"
-  }
-  storage_provisioner    = "nfs.csi.k8s.io"
-  reclaim_policy         = "Retain"
-  volume_binding_mode    = "Immediate"
-  allow_volume_expansion = true
-  parameters = {
-    server = "192.168.1.127"
-    share  = "/srv/nfs"
-  }
-  mount_options = ["soft", "actimeo=5", "retrans=3", "timeo=30"]
-}
-
 resource "helm_release" "vault" {
   name             = "vault"
   namespace        = kubernetes_namespace.vault.metadata[0].name