refactor: Replace CNPG external DB with rancher-backup operator

Rancher 2.x uses embedded etcd, not an external PostgreSQL database.
The CATTLE_DB_CATTLE_* env vars are Rancher v1 only and were ignored.

- Remove all CNPG (CloudNativePG) cluster, operator, and related configs
- Remove external DB env vars from Rancher HelmRelease
- Remove rancher-db-password ExternalSecret
- Add rancher-backup operator HelmRelease (v106.0.2+up8.1.0)
- Add B2 credentials ExternalSecret for backup storage
- Add recurring Backup CR (daily at 03:00, 7 day retention)
- Add commented-out Restore CR for rebuild recovery
- Update Flux dependency graph accordingly

infrastructure/addons/rancher-backup/b2-credentials-externalsecret.yaml

@@ -0,0 +1,25 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: rancher-b2-creds
+  namespace: cattle-resources-system
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: doppler-hetznerterra
+    kind: ClusterSecretStore
+  target:
+    name: rancher-b2-creds
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      data:
+        aws_access_key_id: "{{ .B2_ACCOUNT_ID }}"
+        aws_secret_access_key: "{{ .B2_APPLICATION_KEY }}"
+  data:
+    - secretKey: B2_ACCOUNT_ID
+      remoteRef:
+        key: B2_ACCOUNT_ID
+    - secretKey: B2_APPLICATION_KEY
+      remoteRef:
+        key: B2_APPLICATION_KEY

infrastructure/addons/rancher-backup/backup-recurring.yaml

@@ -0,0 +1,17 @@
+apiVersion: resources.cattle.io/v1
+kind: Backup
+metadata:
+  name: rancher-b2-recurring
+  namespace: cattle-resources-system
+spec:
+  resourceSetName: rancher-resource-set-full
+  storageLocation:
+    s3:
+      credentialSecretName: rancher-b2-creds
+      credentialSecretNamespace: cattle-resources-system
+      bucketName: HetznerTerra
+      folder: rancher-backups
+      endpoint: s3.us-east-005.backblazeb2.com
+      region: us-east-005
+  schedule: "0 3 * * *"
+  retentionCount: 7

infrastructure/addons/rancher-backup/helmrelease-rancher-backup.yaml

@@ -0,0 +1,28 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: rancher-backup
+  namespace: flux-system
+spec:
+  interval: 10m
+  targetNamespace: cattle-resources-system
+  chart:
+    spec:
+      chart: rancher-backup
+      version: "106.0.2+up8.1.0"
+      sourceRef:
+        kind: HelmRepository
+        name: rancher-charts
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    image:
+      repository: rancher/backup-restore-operator
+    s3:
+      enabled: true

infrastructure/addons/rancher-backup/helmrepository-rancher-backup.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: rancher-charts
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://charts.rancher.io

infrastructure/addons/rancher-backup/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - helmrepository-rancher-backup.yaml
+  - helmrelease-rancher-backup.yaml
+  - b2-credentials-externalsecret.yaml
+  - backup-recurring.yaml
+  - restore-from-b2.yaml

infrastructure/addons/rancher-backup/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cattle-resources-system

infrastructure/addons/rancher-backup/restore-from-b2.yaml

@@ -0,0 +1,19 @@
+# Uncomment and set backupFilename to restore from a specific backup on rebuild.
+# Find the latest backup filename in B2: rancher-backups/ folder.
+# After restore succeeds, Rancher will have all users/settings from the backup.
+#
+# apiVersion: resources.cattle.io/v1
+# kind: Restore
+# metadata:
+#   name: restore-from-b2
+#   namespace: cattle-resources-system
+# spec:
+#   backupFilename: <backup-filename-from-b2>
+#   storageLocation:
+#     s3:
+#       credentialSecretName: rancher-b2-creds
+#       credentialSecretNamespace: cattle-resources-system
+#       bucketName: HetznerTerra
+#       folder: rancher-backups
+#       endpoint: s3.us-east-005.backblazeb2.com
+#       region: us-east-005