Move per-minion telegraf cred provisioning into so-minion

Simpler, race-free replacement for the reactor + orch + fan-out chain.

- salt/manager/tools/sbin/so-minion: expand add_telegraf_to_minion to
  generate a random 72-char password, reuse any existing password from
  the aggregate pillar, write postgres.telegraf.{user,pass} into the
  minion's own pillar file, and update the aggregate pillar so
  postgres.telegraf_users can CREATE ROLE on the next manager apply.
  Every create<ROLE> function already calls this hook, so add / addVM /
  setup dispatches are all covered identically and synchronously.
- salt/postgres/auth.sls: strip the fanout_targets loop and the
  postgres_telegraf_minion_pillar_<safe> cmd.run block — it's now
  redundant. The state still manages the so_postgres admin user and
  writes the aggregate pillar for postgres.telegraf_users to consume.
- salt/reactor/telegraf_user_sync.sls: deleted.
- salt/orch/telegraf_postgres_sync.sls: deleted.
- salt/salt/master.sls: drop the reactor_config_telegraf block that
  registered the reactor on /etc/salt/master.d/reactor_telegraf.conf.
- salt/orch/deploy_newnode.sls: drop the manager_fanout_postgres_telegraf
  step and the require: it added to the newnode highstate. Back to its
  original 3/dev shape.

No more ephemeral postgres_fanout_minion pillar, no more async salt/key
reactor, no more so-minion setupMinionFiles race: the pillar write
happens inline inside setupMinionFiles itself.

salt/orch/deploy_newnode.sls

@@ -12,21 +12,6 @@
         attempts: 36
         interval: 5
 
-# so-minion's setupMinionFiles rebuilds the new minion's pillar file from
-# scratch, wiping any postgres.telegraf.* entries the reactor may have written
-# on salt-key accept. Re-fan the cred here so the highstate below sees it.
-# Idempotent via the unless: guard in postgres.auth.
-manager_fanout_postgres_telegraf_{{NEWNODE}}:
-  salt.state:
-    - tgt: {{ MANAGER }}
-    - sls:
-      - postgres.auth
-    - queue: True
-    - pillar:
-        postgres_fanout_minion: {{ NEWNODE }}
-    - require:
-      - salt: {{NEWNODE}}_update_mine
-
 # we need to prepare the manager for a new searchnode or heavynode
 {% if NEWNODE.split('_')|last in ['searchnode', 'heavynode'] %}
 manager_run_es_soc:
@@ -45,5 +30,3 @@ manager_run_es_soc:
     - tgt: {{ NEWNODE }}
     - highstate: True
     - queue: True
-    - require:
-      - salt: manager_fanout_postgres_telegraf_{{NEWNODE}}

salt/orch/telegraf_postgres_sync.sls

@@ -1,28 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-# Fired by salt/reactor/telegraf_user_sync.sls when salt-key accepts a new
-# minion. Only provisions the per-minion pillar entry and DB role on the
-# manager; the minion itself will pick up its telegraf config on its first
-# highstate during onboarding, so there's no need to push the telegraf state
-# from here.
-#
-# Target the manager via role grains — same pattern as orch/delete_hypervisor.sls.
-# The reactor doesn't know the manager's minion id, and grains.master on the
-# runner is a hostname, not a targetable id.
-{% set FANOUT_MINION = salt['pillar.get']('postgres_fanout_minion', '') %}
-
-manager_sync_telegraf_pg_users:
-  salt.state:
-    - tgt: 'G@role:so-manager or G@role:so-managerhype or G@role:so-managersearch or G@role:so-standalone or G@role:so-eval'
-    - tgt_type: compound
-    - sls:
-      - postgres.auth
-      - postgres.telegraf_users
-    - queue: True
-    {% if FANOUT_MINION %}
-    - pillar:
-        postgres_fanout_minion: {{ FANOUT_MINION }}
-    {% endif %}