fix: restore technitium MySQL query logging with Vault auto-rotation [ci skip]

Query logs stopped syncing on 2026-03-16 due to password mismatch after
MySQL cluster rebuild and Technitium app config reset.

- Add Vault static role mysql-technitium (7-day rotation)
- Add ExternalSecret for technitium-db-creds in technitium namespace
- Add password-sync CronJob (6h) to push rotated password to Technitium API
- Update Grafana datasource to use ESO-managed password
- Remove stale technitium_db_password variable (replaced by ESO)
- Update databases.md and restore-mysql.md runbook

stacks/vault/main.tf

@@ -465,7 +465,8 @@ resource "vault_database_secret_backend_connection" "mysql" {
   name          = "mysql"
   allowed_roles = [
     "mysql-speedtest", "mysql-wrongmove", "mysql-codimd",
-    "mysql-nextcloud", "mysql-shlink", "mysql-grafana"
+    "mysql-nextcloud", "mysql-shlink", "mysql-grafana",
+    "mysql-technitium"
   ]
 
   mysql {
@@ -544,6 +545,14 @@ resource "vault_database_secret_backend_static_role" "mysql_grafana" {
   rotation_period = 604800
 }
 
+resource "vault_database_secret_backend_static_role" "mysql_technitium" {
+  backend         = vault_mount.database.path
+  db_name         = vault_database_secret_backend_connection.mysql.name
+  name            = "mysql-technitium"
+  username        = "technitium"
+  rotation_period = 604800
+}
+
 # --- PostgreSQL Static Roles ---
 
 /*