[User Story] Implement daily backup to R2

[noahwhite]

Story Summary

As a platform engineer, I want automated daily backups of Ghost stack data to Cloudflare R2, so that I can recover from data loss.

---

✅ Acceptance Criteria

• rclone sysext added to ghost.bu with hash verification
• Backup script deployed to /opt/bin/ghost-backup.sh
• rclone config deployed to /etc/rclone/rclone.conf (templated)
• ghost-backup.service and ghost-backup.timer systemd units
• Timer runs daily with RandomizedDelaySec
• Backup excludes .env.secrets and .env.generated
• Containers stopped during backup for consistency
• Backup logs to journal with ghost-backup tag
• instance_replacement_hash updated with new files

---

📝 Additional Context

• Design: File-level backup with container stop (~1-2 min downtime)
• R2 bucket: ghost-backups-dev-separationofconcerns-dev
• R2 credentials stored in Bitwarden, templated via OpenTofu
• Future: Credentials via Aembit proxy

---

📦 Definition of Ready

• Acceptance criteria defined
• R2 bucket and API token created in Cloudflare
• R2 credentials stored in Bitwarden
• Story is estimated (3 points)
• Team has necessary skills and access
• Priority is clear
• Business value understood

---

✅ Definition of Done

• All acceptance criteria met
• tofu plan shows expected changes
• Manual backup triggered successfully
• R2 bucket contains backup data
• No secrets in Ignition/OpenTofu state

[linear]

GHO-63