monitoring: fix nix-cache_caddy scrape target TLS error

Move nix-cache_caddy back to a manual config in prometheus.nix using the
service CNAME (nix-cache.home.2rjus.net) instead of the hostname. The
auto-generated target used nix-cache01.home.2rjus.net which doesn't
match the TLS certificate SAN.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/plans/host-cleanup.md

@@ -0,0 +1,23 @@
+# Host Cleanup
+
+## Overview
+
+Remove decommissioned/unused host configurations that are no longer reachable on the network.
+
+## Hosts to review
+
+The following hosts return "no route to host" from Prometheus scraping and are likely no longer needed:
+
+- `media1` (10.69.12.82)
+- `ns3` (10.69.13.7)
+- `ns4` (10.69.13.8)
+- `nixos-test1` (10.69.13.10)
+
+## Steps
+
+1. Confirm each host is truly decommissioned (not just temporarily powered off)
+2. Remove host directory from `hosts/`
+3. Remove `nixosConfigurations` entry from `flake.nix`
+4. Remove host's age key from `.sops.yaml`
+5. Remove per-host secrets from `secrets/<hostname>/` if any
+6. Verify DNS zone and Prometheus targets no longer include the removed hosts after rebuild

services/monitoring/prometheus.nix

@@ -111,6 +111,18 @@ in
           }
         ];
       }
+      # TODO: nix-cache_caddy can't be auto-generated because the cert is issued
+      # for nix-cache.home.2rjus.net (service CNAME), not nix-cache01 (hostname).
+      # Consider adding a target override to homelab.monitoring.scrapeTargets.
+      {
+        job_name = "nix-cache_caddy";
+        scheme = "https";
+        static_configs = [
+          {
+            targets = [ "nix-cache.home.2rjus.net" ];
+          }
+        ];
+      }
       # pve-exporter with complex relabel config
       {
         job_name = "pve-exporter";

services/nix-cache/default.nix

@@ -7,9 +7,4 @@
     ./nix.nix
   ];
 
-  homelab.monitoring.scrapeTargets = [{
-    job_name = "nix-cache_caddy";
-    port = 443;
-    scheme = "https";
-  }];
 }