feat(phpipam): deploy phpIPAM for live IP address management

Lightweight IPAM with auto-discovery scanning every 15min via fping.
Replaces disabled NetBox (OOM'd). Uses existing MySQL InnoDB cluster
with Vault-rotated credentials. Cloudflare DNS + Authentik auth.

[ci skip]

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

stacks/vault/main.tf

@@ -466,7 +466,7 @@ resource "vault_database_secret_backend_connection" "mysql" {
   allowed_roles = [
     "mysql-speedtest", "mysql-wrongmove", "mysql-codimd",
     "mysql-nextcloud", "mysql-shlink", "mysql-grafana",
-    "mysql-technitium"
+    "mysql-technitium", "mysql-phpipam"
   ]
 
   mysql {
@@ -553,6 +553,14 @@ resource "vault_database_secret_backend_static_role" "mysql_technitium" {
   rotation_period = 604800
 }
 
+resource "vault_database_secret_backend_static_role" "mysql_phpipam" {
+  backend         = vault_mount.database.path
+  db_name         = vault_database_secret_backend_connection.mysql.name
+  name            = "mysql-phpipam"
+  username        = "phpipam"
+  rotation_period = 604800
+}
+
 # --- PostgreSQL Static Roles ---
 
 /*