monitoring: use AppRole token for OpenBao metrics scraping

Instead of creating a long-lived Vault token in Terraform (which gets
invalidated when Terraform recreates it), monitoring01 now uses its
existing AppRole credentials to fetch a fresh token for Prometheus.

Changes:
- Add prometheus-metrics policy to monitoring01's AppRole
- Remove vault_token.prometheus_metrics resource from Terraform
- Remove openbao-token KV secret from Terraform
- Add systemd service to fetch AppRole token on boot
- Add systemd timer to refresh token every 30 minutes

This ensures Prometheus always has a valid token without depending on
Terraform state or manual intervention.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

terraform/vault/approle.tf

@@ -15,6 +15,7 @@ locals {
     #     "secret/data/services/grafana/*",
     #     "secret/data/shared/smtp/*"
     #   ]
+    #   extra_policies = ["some-other-policy"]  # Optional: additional policies
     # }
 
     # Example: ha1 host
@@ -38,6 +39,7 @@ locals {
         "secret/data/shared/backup/*",
         "secret/data/shared/nats/*",
       ]
+      extra_policies = ["prometheus-metrics"]
     }
 
     # Wave 1: hosts with no service secrets (only need vault.enable for future use)
@@ -109,9 +111,12 @@ EOT
 resource "vault_approle_auth_backend_role" "hosts" {
   for_each = local.host_policies
 
-  backend        = vault_auth_backend.approle.path
-  role_name      = each.key
-  token_policies = ["${each.key}-policy"]
+  backend   = vault_auth_backend.approle.path
+  role_name = each.key
+  token_policies = concat(
+    ["${each.key}-policy"],
+    lookup(each.value, "extra_policies", [])
+  )
 
   # Token configuration
   token_ttl     = 3600  # 1 hour