monitoring: use AppRole token for OpenBao metrics scraping

Instead of creating a long-lived Vault token in Terraform (which gets
invalidated when Terraform recreates it), monitoring01 now uses its
existing AppRole credentials to fetch a fresh token for Prometheus.

Changes:
- Add prometheus-metrics policy to monitoring01's AppRole
- Remove vault_token.prometheus_metrics resource from Terraform
- Remove openbao-token KV secret from Terraform
- Add systemd service to fetch AppRole token on boot
- Add systemd timer to refresh token every 30 minutes

This ensures Prometheus always has a valid token without depending on
Terraform state or manual intervention.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

terraform/vault/policies.tf

@@ -1,21 +1,10 @@
 # Generic policies for services (not host-specific)
 
 resource "vault_policy" "prometheus_metrics" {
-  name = "prometheus-metrics"
+  name   = "prometheus-metrics"
   policy = <<EOT
 path "sys/metrics" {
   capabilities = ["read"]
 }
 EOT
 }
-
-# Long-lived token for Prometheus to scrape OpenBao metrics
-resource "vault_token" "prometheus_metrics" {
-  policies  = [vault_policy.prometheus_metrics.name]
-  ttl       = "8760h" # 1 year
-  renewable = true
-
-  metadata = {
-    purpose = "prometheus-metrics-scraping"
-  }
-}