feat(storage): migrate all sensitive services to proxmox-lvm-encrypted

Reconcile Terraform with cluster state after manual encrypted PVC migrations
and complete the remaining unfinished migrations. All services storing
sensitive data now use LUKS2-encrypted block storage via the Proxmox CSI
plugin.

## Context

Only Technitium DNS was using encrypted storage in Terraform. Many services
had been manually migrated to encrypted PVCs in the cluster, but Terraform
was never updated — creating dangerous state drift where a `tg apply` could
recreate unencrypted PVCs.

## This change

Phase 0 — Infrastructure:
- Add `proxmox-lvm-encrypted` StorageClass to Helm values (extraParameters)
- Add ExternalSecret for LUKS encryption passphrase to Terraform
- Fix CSI node plugin memory: `node.plugin.resources` (not `node.resources`)
  with 1280Mi limit for LUKS2 Argon2id key derivation

Phase 1 — TF state reconciliation (zero downtime):
- Health, Matrix, N8N, Forgejo, Vaultwarden, Mailserver: state rm + import
- Redis, DBAAS MySQL, DBAAS PostgreSQL: Helm/CNPG value updates

Phase 2 — Data migration (encrypted PVCs existed but unused):
- Headscale, Frigate, MeshCentral: rsync + switchover
- Nextcloud (20Gi): rsync + chart_values update

Phase 3 — New encrypted PVCs:
- Roundcube HTML, HackMD, Affine, DBAAS pgadmin: create + rsync + switchover

Phase 4 — Cleanup:
- Deleted 5 orphaned unencrypted PVCs

## Services migrated (18 PVCs across 14 namespaces)

```
vaultwarden     → vaultwarden-data-encrypted
dbaas           → datadir-mysql-cluster-0, pg-cluster-{1,2}, dbaas-pgadmin-encrypted
mailserver      → mailserver-data-encrypted, roundcubemail-{enigma,html}-encrypted
nextcloud       → nextcloud-data-encrypted
forgejo         → forgejo-data-encrypted
matrix          → matrix-data-encrypted
n8n             → n8n-data-encrypted
affine          → affine-data-encrypted
health          → health-uploads-encrypted
hackmd          → hackmd-data-encrypted
redis           → redis-data-redis-node-{0,1}
headscale       → headscale-data-encrypted
frigate         → frigate-config-encrypted
meshcentral     → meshcentral-{data,files}-encrypted
```

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

stacks/nextcloud/chart_values.yaml

@@ -115,7 +115,7 @@ externalDatabase:
 
 persistence:
   enabled: true
-  existingClaim: nextcloud-data-proxmox
+  existingClaim: nextcloud-data-encrypted
 
   accessMode: ReadWriteOnce
   size: 20Gi

stacks/nextcloud/main.tf

@@ -184,9 +184,10 @@ resource "kubernetes_config_map" "apache_tuning" {
 #   }
 # }
 
-resource "kubernetes_persistent_volume_claim" "nextcloud_data_iscsi" {
+resource "kubernetes_persistent_volume_claim" "nextcloud_data_encrypted" {
+  wait_until_bound = false
   metadata {
-    name      = "nextcloud-data-proxmox"
+    name      = "nextcloud-data-encrypted"
     namespace = kubernetes_namespace.nextcloud.metadata[0].name
     annotations = {
       "resize.topolvm.io/threshold"     = "80%"
@@ -196,7 +197,7 @@ resource "kubernetes_persistent_volume_claim" "nextcloud_data_iscsi" {
   }
   spec {
     access_modes       = ["ReadWriteOnce"]
-    storage_class_name = "proxmox-lvm"
+    storage_class_name = "proxmox-lvm-encrypted"
     resources {
       requests = {
         storage = "20Gi"
@@ -509,7 +510,7 @@ resource "kubernetes_cron_job_v1" "nextcloud-backup" {
             volume {
               name = "nextcloud-data"
               persistent_volume_claim {
-                claim_name = kubernetes_persistent_volume_claim.nextcloud_data_iscsi.metadata[0].name
+                claim_name = kubernetes_persistent_volume_claim.nextcloud_data_encrypted.metadata[0].name
               }
             }