ns2: migrate to OpenTofu management

- Remove hosts/template/ (legacy template1) and give each legacy host
  its own hardware-configuration.nix copy
- Recreate ns2 using create-host with template2 base
- Add secondary DNS services (NSD + Unbound resolver)
- Configure Vault policy for shared DNS secrets
- Fix create-host IP uniqueness validator to check CIDR notation
  (prevents false positives from DNS resolver entries)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

terraform/vault/approle.tf

@@ -80,13 +80,6 @@ locals {
       ]
     }
 
-    "ns2" = {
-      paths = [
-        "secret/data/hosts/ns2/*",
-        "secret/data/shared/dns/*",
-      ]
-    }
-
     # Wave 4: http-proxy
     "http-proxy" = {
       paths = [

terraform/vault/hosts-generated.tf

@@ -20,6 +20,12 @@ locals {
         "secret/data/hosts/testvm03/*",
       ]
     }
+    "ns2" = {
+      paths = [
+        "secret/data/hosts/ns2/*",
+        "secret/data/shared/dns/*",
+      ]
+    }
   
   }
 

terraform/vms.tf

@@ -58,6 +58,13 @@ locals {
       memory    = 2048
       disk_size = "20G"
     }
+    "ns2" = {
+      ip        = "10.69.13.6/24"
+      cpu_cores = 2
+      memory    = 2048
+      disk_size = "20G"
+      vault_wrapped_token = "s.3nran1e1Uim4B1OomIWCoS4T"
+    }
   }
 
   # Compute VM configurations with defaults applied