secrets: migrate all hosts from sops to OpenBao vault

Replace sops-nix secrets with OpenBao vault secrets across all hosts.
Hardcode root password hash, add extractKey option to vault-secrets
module, update Terraform with secrets/policies for all hosts, and
create AppRole provisioning playbook.

Hosts migrated: ha1, monitoring01, ns1, ns2, http-proxy, nix-cache01
Wave 1 hosts (nats1, jelly01, pgdb1) get AppRole policies only.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

terraform/vault/variables.tf

@@ -16,11 +16,44 @@ variable "vault_skip_tls_verify" {
   default     = true
 }
 
-# Example variables for manual secrets
-# Uncomment and add to terraform.tfvars as needed
+variable "backup_helper_secret" {
+  description = "Backup helper password (shared across hosts)"
+  type        = string
+  sensitive   = true
+}
 
-# variable "smtp_password" {
-#   description = "SMTP password for notifications"
-#   type        = string
-#   sensitive   = true
-# }
+variable "nats_nkey" {
+  description = "NATS NKey for alerttonotify"
+  type        = string
+  sensitive   = true
+}
+
+variable "pve_exporter_config" {
+  description = "PVE exporter YAML configuration"
+  type        = string
+  sensitive   = true
+}
+
+variable "ns_xfer_key" {
+  description = "DNS zone transfer TSIG key"
+  type        = string
+  sensitive   = true
+}
+
+variable "wireguard_private_key" {
+  description = "WireGuard private key for http-proxy"
+  type        = string
+  sensitive   = true
+}
+
+variable "cache_signing_key" {
+  description = "Nix binary cache signing key"
+  type        = string
+  sensitive   = true
+}
+
+variable "actions_token_1" {
+  description = "Gitea Actions runner token"
+  type        = string
+  sensitive   = true
+}