fix DB password desync + migrate remaining tfvars to Vault

DB desync fix: Stacks with Vault DB engine rotation (24h) now read
the password from vault-database ClusterSecretStore instead of vault-kv.
9 stacks updated with db ExternalSecrets reading from static-creds/*.

Stacks fixed: speedtest, hackmd, health, trading-bot, claude-memory,
woodpecker, linkwarden, nextcloud, url.

terraform.tfvars migration:
- plotting-book: google_client_id/secret → Vault KV + secret_key_ref
- tandoor: email_password var removed (was default="", now optional ESO)
- infra: ssh_private_key, vm_wizard_password, dockerhub_registry_password
  → Vault KV at secret/infra + data source

stacks/hackmd/main.tf

@@ -193,7 +193,7 @@ resource "kubernetes_manifest" "external_secret" {
     spec = {
       refreshInterval = "15m"
       secretStoreRef = {
-        name = "vault-kv"
+        name = "vault-database"
         kind = "ClusterSecretStore"
       }
       target = {
@@ -206,7 +206,10 @@ resource "kubernetes_manifest" "external_secret" {
       }
       data = [{
         secretKey = "db_password"
-        remoteRef = { key = "hackmd", property = "db_password" }
+        remoteRef = {
+          key      = "static-creds/mysql-codimd"
+          property = "password"
+        }
       }]
     }
   }