Move per-minion telegraf cred provisioning into so-minion

Simpler, race-free replacement for the reactor + orch + fan-out chain.

- salt/manager/tools/sbin/so-minion: expand add_telegraf_to_minion to
  generate a random 72-char password, reuse any existing password from
  the aggregate pillar, write postgres.telegraf.{user,pass} into the
  minion's own pillar file, and update the aggregate pillar so
  postgres.telegraf_users can CREATE ROLE on the next manager apply.
  Every create<ROLE> function already calls this hook, so add / addVM /
  setup dispatches are all covered identically and synchronously.
- salt/postgres/auth.sls: strip the fanout_targets loop and the
  postgres_telegraf_minion_pillar_<safe> cmd.run block — it's now
  redundant. The state still manages the so_postgres admin user and
  writes the aggregate pillar for postgres.telegraf_users to consume.
- salt/reactor/telegraf_user_sync.sls: deleted.
- salt/orch/telegraf_postgres_sync.sls: deleted.
- salt/salt/master.sls: drop the reactor_config_telegraf block that
  registered the reactor on /etc/salt/master.d/reactor_telegraf.conf.
- salt/orch/deploy_newnode.sls: drop the manager_fanout_postgres_telegraf
  step and the require: it added to the newnode highstate. Back to its
  original 3/dev shape.

No more ephemeral postgres_fanout_minion pillar, no more async salt/key
reactor, no more so-minion setupMinionFiles race: the pillar write
happens inline inside setupMinionFiles itself.

salt/manager/tools/sbin/so-minion

@@ -542,6 +542,37 @@ function add_telegraf_to_minion() {
         log "ERROR" "Failed to add telegraf configuration to $PILLARFILE"
         return 1
     fi
+
+    # Provision the per-minion postgres Telegraf credential so telegraf.conf
+    # renders correctly on the minion's first highstate and postgres.telegraf_users
+    # picks up the matching aggregate entry on the next manager apply.
+    #
+    # Writes:
+    #   - postgres.telegraf.{user,pass} into the minion's own pillar file
+    #     (distributed to only this minion via pillar/top.sls).
+    #   - postgres.auth.users.telegraf_<safe>.{user,pass} into the aggregate
+    #     pillar so postgres.telegraf_users CREATE ROLE finds it.
+    #
+    # An existing password is reused if the aggregate already has one (re-add),
+    # so rerunning so-minion for the same minion keeps the cred stable.
+    local MINION_SAFE
+    MINION_SAFE=$(echo "$MINION_ID" | tr '.-' '__' | tr '[:upper:]' '[:lower:]')
+    local PG_USER="so_telegraf_${MINION_SAFE}"
+    local AGGREGATE=/opt/so/saltstack/local/pillar/postgres/auth.sls
+    local PG_PASS=""
+    if [[ -f "$AGGREGATE" ]]; then
+        PG_PASS=$(so-yaml.py get -r "$AGGREGATE" "postgres.auth.users.telegraf_${MINION_SAFE}.pass" 2>/dev/null || true)
+    fi
+    if [[ -z "$PG_PASS" ]]; then
+        PG_PASS=$(tr -dc 'A-Za-z0-9~!@#^&*()_=+[]|;:,.<>?-' < /dev/urandom | head -c 72)
+    fi
+
+    so-yaml.py replace "$PILLARFILE" postgres.telegraf.user "$PG_USER" >/dev/null
+    so-yaml.py replace "$PILLARFILE" postgres.telegraf.pass "$PG_PASS" >/dev/null
+    if [[ -f "$AGGREGATE" ]]; then
+        so-yaml.py replace "$AGGREGATE" "postgres.auth.users.telegraf_${MINION_SAFE}.user" "$PG_USER" >/dev/null
+        so-yaml.py replace "$AGGREGATE" "postgres.auth.users.telegraf_${MINION_SAFE}.pass" "$PG_PASS" >/dev/null
+    fi
 }
 
 function add_influxdb_to_minion() {