[mailserver] Pin dovecot_exporter to SHA + add Diun [ci skip]
## Context
`viktorbarzin/dovecot_exporter:latest` was consumed with `IfNotPresent`
pull, which means whichever node landed the pod kept whatever digest
was cached from an earlier pull. A SHA-level pin is the reproducibility
baseline this repo uses for every other home-built image
(`headscale`, `excalidraw`, `linkwarden`).
## This change
- Pins `dovecot-exporter` container image to
`viktorbarzin/dovecot_exporter@sha256:1114224c...` — the digest the
pod is actually running today (captured from live `imageID`).
- Enables Diun tag watching on the mailserver Deployment
(`diun.enable=true`, `diun.include_tags=^latest$`) so new `:latest`
digests trigger a notification rather than silently landing on the
next `IfNotPresent` miss.
Deviation from task spec (code-cno): the task asked for an 8-char SHA
*tag*, but Docker Hub only publishes `:latest` for this image — a SHA
tag doesn't exist. Used the digest-pin pattern already established at
`stacks/headscale/modules/headscale/main.tf:204` instead; Diun watches
the `:latest` tag for drift, which is the equivalent notification.
## What is NOT in this change
- Volume-mount ordering drift on `kubernetes_deployment.mailserver`
(pre-existing; tolerated by Waves 1+2).
- Splitting the metrics port into its own Service (code-izl).
## Test Plan
### Automated
```
$ kubectl get pod -n mailserver -l app=mailserver \
-o jsonpath='{.items[0].spec.containers[*].image}'
docker.io/mailserver/docker-mailserver:15.0.0 \
viktorbarzin/dovecot_exporter@sha256:1114224c9bf0261ca8e9949a6b42d3c5a2c923d34ca4593f6b62f034daf14fc5
$ kubectl get deployment -n mailserver mailserver \
-o jsonpath='{.spec.template.metadata.annotations}'
{"diun.enable":"true","diun.include_tags":"^latest$"}
$ kubectl rollout status deployment/mailserver -n mailserver
deployment "mailserver" successfully rolled out
```
### Manual Verification
1. Push a new `:latest` digest to the exporter image (or wait for one).
2. Check Diun notifier output: a tag event for `^latest$` should fire.
3. `kubectl describe deployment/mailserver -n mailserver` shows the
digest pin unchanged until someone rebumps it.
## Reproduce locally
1. `kubectl -n mailserver get pod -l app=mailserver -o yaml | \
grep -A1 dovecot_exporter`
2. Expected: `image: viktorbarzin/dovecot_exporter@sha256:1114224c...`.
Closes: code-cno
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parent
c36b41eabc
commit
e12c7b43e4
1 changed files with 3 additions and 2 deletions
|
|
@ -230,7 +230,8 @@ resource "kubernetes_deployment" "mailserver" {
|
|||
template {
|
||||
metadata {
|
||||
annotations = {
|
||||
# "diun.enable" = "true"
|
||||
"diun.enable" = "true"
|
||||
"diun.include_tags" = "^latest$"
|
||||
}
|
||||
labels = {
|
||||
"app" = "mailserver"
|
||||
|
|
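Review bot: The two `diun.*` keys added under `template.metadata.annotations` sit on the pod template, so they are not scoped to the `dovecot-exporter` container; the test plan output shows the same pod also runs `docker.io/mailserver/docker-mailserver:15.0.0`. Add a comment above `"diun.include_tags" = "^latest$"` saying which image the filter is meant for and whether `:latest` notifications for the docker-mailserver image are wanted. The hunk also sets `diun.include_tags` without a `diun.watch_repo` annotation, so please run step 2 of Manual Verification before relying on it, to confirm the filter takes effect in that mode and that Diun maps the tagless digest reference back to `:latest`.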
@ -433,7 +434,7 @@ resource "kubernetes_deployment" "mailserver" {
|
|||
|
||||
container {
|
||||
name = "dovecot-exporter"
|
||||
image = "viktorbarzin/dovecot_exporter:latest"
|
||||
image = "viktorbarzin/dovecot_exporter@sha256:1114224c9bf0261ca8e9949a6b42d3c5a2c923d34ca4593f6b62f034daf14fc5"
|
||||
command = [
|
||||
"/dovecot_exporter/exporter",
|
||||
"--dovecot.socket-path=/var/run/dovecot/stats-reader"
|
||||
|
|
|
|||
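Review bot: The new `image =` line in the `dovecot-exporter` container is a bare digest, so nothing at the point of use records which tag it was captured from, when, or how to refresh it. Add a comment above it stating that the digest was taken from `:latest` via the live pod's `imageID`, the capture date, and that a Diun `:latest` notification is the cue to rebump it; without that, a later reader cannot tell a deliberate pin from a stale one.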