backup: add k3s SQLite backup to daily CronJob

- Add hostPath volume for /var/lib/rancher/k3s/server/db (readOnly)
- Script copies state.db + WAL files → k3s-db_<date>.tar.gz in /data/backups/backups/
- Rotation: keeps last 7 copies (same policy as other services)
- rclone-mega-backup picks it up automatically (syncs full /data/backups/backups/)
- Also tracks the CronJob manifest in git (was previously untracked)

Note: k3s uses SQLite/kine (not embedded etcd). etcd-snapshot is disabled.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backup-system/cronjob-backup.yaml

@@ -0,0 +1,79 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: backup
+  namespace: backup-system
+spec:
+  schedule: "0 2 * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          serviceAccountName: backup-sa
+          securityContext:
+            runAsUser: 0
+          nodeSelector:
+            kubernetes.io/hostname: chemavx-k8
+          containers:
+          - name: backup
+            image: bitnami/kubectl:latest
+            command: ["/bin/bash", "/scripts/backup.sh"]
+            env:
+            - name: KUBECONFIG
+              value: /kubeconfig/k3s.yaml
+            resources:
+              requests:
+                cpu: 100m
+                memory: 128Mi
+              limits:
+                cpu: 500m
+                memory: 512Mi
+            volumeMounts:
+            - name: backup-dir
+              mountPath: /data/backups/backups
+            - name: n8n-data
+              mountPath: /data/n8n
+            - name: openclaw-data
+              mountPath: /data/openclaw
+            - name: scripts
+              mountPath: /scripts
+            - name: k3s-storage
+              mountPath: /var/lib/rancher/k3s/storage
+            - name: kubeconfig
+              mountPath: /kubeconfig/k3s.yaml
+            - name: k3s-db
+              mountPath: /data/k3s-db
+              readOnly: true
+          volumes:
+          - name: backup-dir
+            hostPath:
+              path: /data/backups/backups
+              type: DirectoryOrCreate
+          - name: n8n-data
+            hostPath:
+              path: /data/n8n
+              type: DirectoryOrCreate
+          - name: openclaw-data
+            hostPath:
+              path: /data/openclaw
+              type: DirectoryOrCreate
+          - name: scripts
+            hostPath:
+              path: /data/backups/scripts
+              type: Directory
+          - name: k3s-storage
+            hostPath:
+              path: /var/lib/rancher/k3s/storage
+              type: Directory
+          - name: kubeconfig
+            hostPath:
+              path: /etc/rancher/k3s/k3s.yaml
+              type: File
+          - name: k3s-db
+            hostPath:
+              path: /var/lib/rancher/k3s/server/db
+              type: Directory