monitoring02: enable alerting and migrate CNAMEs from http-proxy

- Switch vmalert from blackhole mode to sending alerts to local
  Alertmanager
- Import alerttonotify service so alerts route to NATS notifications
- Move alertmanager and grafana CNAMEs from http-proxy to monitoring02
- Add monitoring CNAME to monitoring02
- Add Caddy reverse proxy entries for alertmanager and grafana
- Remove prometheus, alertmanager, and grafana Caddy entries from
  http-proxy (now served directly by monitoring02)
- Add shared/nats/nkey to monitoring02 Vault AppRole policy

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

terraform/vault/approle.tf

@@ -115,12 +115,13 @@ locals {
       ]
     }
 
-    # monitoring02: Grafana + VictoriaMetrics
+    # monitoring02: Grafana + VictoriaMetrics + Alertmanager
     "monitoring02" = {
       paths = [
         "secret/data/hosts/monitoring02/*",
         "secret/data/hosts/monitoring01/apiary-token",
         "secret/data/services/grafana/*",
+        "secret/data/shared/nats/nkey",
       ]
     }