monitoring: use AppRole token for OpenBao metrics scraping

Instead of creating a long-lived Vault token in Terraform (which gets
invalidated when Terraform recreates it), monitoring01 now uses its
existing AppRole credentials to fetch a fresh token for Prometheus.

Changes:
- Add prometheus-metrics policy to monitoring01's AppRole
- Remove vault_token.prometheus_metrics resource from Terraform
- Remove openbao-token KV secret from Terraform
- Add systemd service to fetch AppRole token on boot
- Add systemd timer to refresh token every 30 minutes

This ensures Prometheus always has a valid token without depending on
Terraform state or manual intervention.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

terraform/vault/approle.tf

@@ -15,6 +15,7 @@ locals {
     #     "secret/data/services/grafana/*",
     #     "secret/data/shared/smtp/*"
     #   ]
+    #   extra_policies = ["some-other-policy"]  # Optional: additional policies
     # }
 
     # Example: ha1 host
@@ -38,6 +39,7 @@ locals {
         "secret/data/shared/backup/*",
         "secret/data/shared/nats/*",
       ]
+      extra_policies = ["prometheus-metrics"]
     }
 
     # Wave 1: hosts with no service secrets (only need vault.enable for future use)
@@ -109,9 +111,12 @@ EOT
 resource "vault_approle_auth_backend_role" "hosts" {
   for_each = local.host_policies
 
-  backend        = vault_auth_backend.approle.path
-  role_name      = each.key
-  token_policies = ["${each.key}-policy"]
+  backend   = vault_auth_backend.approle.path
+  role_name = each.key
+  token_policies = concat(
+    ["${each.key}-policy"],
+    lookup(each.value, "extra_policies", [])
+  )
 
   # Token configuration
   token_ttl     = 3600  # 1 hour

terraform/vault/policies.tf

@@ -1,21 +1,10 @@
 # Generic policies for services (not host-specific)
 
 resource "vault_policy" "prometheus_metrics" {
-  name = "prometheus-metrics"
+  name   = "prometheus-metrics"
   policy = <<EOT
 path "sys/metrics" {
   capabilities = ["read"]
 }
 EOT
 }
-
-# Long-lived token for Prometheus to scrape OpenBao metrics
-resource "vault_token" "prometheus_metrics" {
-  policies  = [vault_policy.prometheus_metrics.name]
-  ttl       = "8760h" # 1 year
-  renewable = true
-
-  metadata = {
-    purpose = "prometheus-metrics-scraping"
-  }
-}

terraform/vault/secrets.tf

@@ -92,13 +92,6 @@ locals {
       auto_generate = false
       data          = { token = var.actions_token_1 }
     }
-
-    # Prometheus OpenBao token for scraping metrics
-    # Token is created by vault_token.prometheus_metrics in policies.tf
-    "hosts/monitoring01/openbao-token" = {
-      auto_generate = false
-      data          = { token = vault_token.prometheus_metrics.client_token }
-    }
   }
 }