feat: Add CloudNativePG with B2 backups for persistent Rancher database

- Add Local Path Provisioner for storage
- Add CloudNativePG operator (v1.27.0) via Flux
- Create PostgreSQL cluster with B2 (Backblaze) auto-backup/restore
- Update Rancher to use external PostgreSQL via CATTLE_DB_CATTLE_* env vars
- Add weekly pg_dump CronJob to B2 (Sundays 2AM)
- Add pre-destroy backup hook to destroy workflow
- Add B2 credentials to Doppler (B2_ACCOUNT_ID, B2_APPLICATION_KEY)
- Generate RANCHER_DB_PASSWORD in Doppler

Backup location: HetznerTerra/rancher-backups/
Retention: 14 backups

infrastructure/addons/lpp/helmrelease-local-path-provisioner.yaml

@@ -0,0 +1,31 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: local-path-provisioner
+  namespace: flux-system
+spec:
+  interval: 10m
+  targetNamespace: kube-system
+  chart:
+    spec:
+      chart: local-path-provisioner
+      version: 1.12.1
+      sourceRef:
+        kind: HelmRepository
+        name: local-path
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    nodePathMap:
+      - node: /var/lib/rancher/k3s/storage
+        paths:
+          - /var/lib/rancher/k3s/storage
+    storageClass:
+      defaultClass: true
+      name: local-path

infrastructure/addons/lpp/helmrepository-local-path.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: local-path
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://charts.rancher.io

infrastructure/addons/lpp/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helmrepository-local-path.yaml
+  - helmrelease-local-path-provisioner.yaml