fix: restore technitium MySQL query logging with Vault auto-rotation [ci skip]

Query logs stopped syncing on 2026-03-16 due to password mismatch after
MySQL cluster rebuild and Technitium app config reset.

- Add Vault static role mysql-technitium (7-day rotation)
- Add ExternalSecret for technitium-db-creds in technitium namespace
- Add password-sync CronJob (6h) to push rotated password to Technitium API
- Update Grafana datasource to use ESO-managed password
- Remove stale technitium_db_password variable (replaced by ESO)
- Update databases.md and restore-mysql.md runbook

stacks/technitium/main.tf

@@ -12,13 +12,12 @@ locals {
 }
 
 module "technitium" {
-  source                 = "./modules/technitium"
-  tls_secret_name        = var.tls_secret_name
-  nfs_server             = var.nfs_server
-  mysql_host             = var.mysql_host
-  homepage_token         = local.homepage_credentials["technitium"]["token"]
-  technitium_db_password = data.vault_kv_secret_v2.secrets.data["technitium_db_password"]
-  technitium_username    = data.vault_kv_secret_v2.secrets.data["technitium_username"]
-  technitium_password    = data.vault_kv_secret_v2.secrets.data["technitium_password"]
-  tier                   = local.tiers.core
+  source              = "./modules/technitium"
+  tls_secret_name     = var.tls_secret_name
+  nfs_server          = var.nfs_server
+  mysql_host          = var.mysql_host
+  homepage_token      = local.homepage_credentials["technitium"]["token"]
+  technitium_username = data.vault_kv_secret_v2.secrets.data["technitium_username"]
+  technitium_password = data.vault_kv_secret_v2.secrets.data["technitium_password"]
+  tier                = local.tiers.core
 }