Wire ringtail blumeops-pg into backups + Grafana (#364)

Prereq for the wave-1 decommission. The cutover moved paperless+teslamate (postgres) and mealie (SQLite) to ringtail, but borgmatic and the Grafana TeslaMate datasource still pointed at the minikube copies — the migrated live data was unbacked since cutover, and dropping the minikube DBs would break the TeslaMate dashboards.

- Tailscale Service `blumeops-pg-ringtail` + Caddy L4 route `pg.ops.eblu.me:5434`
- borgmatic: teslamate + paperless postgres → :5434; mealie SQLite → ssh:eblume@ringtail
- Grafana TeslaMate datasource → pg.ops.eblu.me:5434

Deploy: sync databases-ringtail (tailscale svc) + grafana from branch; provision-indri --tags caddy,borgmatic; verify a backup run + dashboards. Unblocks the decommission PR.
Reviewed-on: #364

containers/mealie/default.nix

@@ -48,6 +48,10 @@ pkgs.dockerTools.buildLayeredImage {
     pkgs.coreutils
     pkgs.cacert
     pkgs.tzdata
+    # python3 (stdlib sqlite3) for the borgmatic k8s-sqlite-dump helper,
+    # which runs `python3 -c "...sqlite3...backup..."` inside the pod.
+    # Same nixpkgs python mealie is built against, so ~no added closure.
+    pkgs.python3
   ];
 
   config = {