chore(terraform): comment out unused Grafana/Prometheus DNS, keep App active

- Comment out grafana_services_a, grafana_services_aaaa DNS records
- Comment out prometheus_services_a, prometheus_services_aaaa DNS records
- Keep app_services_a, app_services_aaaa active (user will use app)
- Update README DNS section to show app as active, grafana/prometheus commented out
- Update Role layout to reflect app is active

README.md

@@ -66,12 +66,20 @@ ssh-add --apple-use-keychain ~/.ssh/id_ed25519
 
 Create A/CNAME records that point to the correct server IP.
 
-Recommended:
+**Active records:**
 
 - `jfraeys.com` -> A record to web server IPv4
-- `services.jfraeys.com` -> A record to services server IPv4
-- `grafana.jfraeys.com` -> A/CNAME to services
-- `git.jfraeys.com` -> A/CNAME to services
+- `services.jfraeys.com` -> A record to services server IPv4  
+- `git.jfraeys.com` -> A/CNAME to services (Forgejo)
+- `auth.jfraeys.com` -> A/CNAME to services (Authelia)
+- `app.jfraeys.com` -> A/CNAME to services (App)
+
+**Commented out (unused):**
+
+- `grafana.jfraeys.com` -> A/CNAME to services (Grafana - currently disabled)
+- `prometheus.jfraeys.com` -> A/CNAME to services (Prometheus - currently disabled)
+
+To enable, uncomment the records in `terraform/main.tf`.
 
 ## TLS
 
@@ -273,6 +281,7 @@ ansible-playbook playbooks/web.yml --ask-vault-pass
 
 ## Notes
 
+- **Grafana/Prometheus/Loki**: Deployed but DNS records commented out in Terraform. Enable by uncommenting in `terraform/main.tf`.
 - Loki is exposed on `services:3100` but allowlisted in UFW to `web` only.
 - Watchtower is enabled with label-based updates.
 - Airflow/Spark are intentionally optional and can be enabled later via `deploy_airflow` / `deploy_spark`.
@@ -286,9 +295,10 @@ Services host (`services`):
 - `roles/traefik` (with file provider fallback for Docker API compatibility)
 - `roles/postfix` (Postmark SMTP relay for transactional email)
 - `roles/exporters` (node-exporter + cAdvisor)
-- `roles/prometheus`
-- `roles/loki`
-- `roles/grafana`
+- `roles/app` (active - DNS enabled)
+- `roles/prometheus` (deployed but DNS commented out)
+- `roles/loki` (deployed but DNS commented out)
+- `roles/grafana` (deployed but DNS commented out)
 - `roles/forgejo`
 - `roles/alertmanager` (uses localhost:25 Postfix relay)
 - `roles/watchtower`

terraform/main.tf

@@ -224,46 +224,49 @@ resource "cloudflare_record" "git_services_aaaa" {
   proxied = false
 }
 
-resource "cloudflare_record" "grafana_services_a" {
-  count   = var.enable_cloudflare_dns ? 1 : 0
-  zone_id = var.cloudflare_zone_id
-  name    = "grafana"
-  type    = "A"
-  content = sort(tolist(linode_instance.services.ipv4))[0]
-  ttl     = 1
-  proxied = true
-}
+# Grafana DNS records - currently unused
+# resource "cloudflare_record" "grafana_services_a" {
+#   count   = var.enable_cloudflare_dns ? 1 : 0
+#   zone_id = var.cloudflare_zone_id
+#   name    = "grafana"
+#   type    = "A"
+#   content = sort(tolist(linode_instance.services.ipv4))[0]
+#   ttl     = 1
+#   proxied = true
+# }
 
-resource "cloudflare_record" "grafana_services_aaaa" {
-  count   = var.enable_cloudflare_dns ? 1 : 0
-  zone_id = var.cloudflare_zone_id
-  name    = "grafana"
-  type    = "AAAA"
-  content = split("/", linode_instance.services.ipv6)[0]
-  ttl     = 1
-  proxied = true
-}
+# resource "cloudflare_record" "grafana_services_aaaa" {
+#   count   = var.enable_cloudflare_dns ? 1 : 0
+#   zone_id = var.cloudflare_zone_id
+#   name    = "grafana"
+#   type    = "AAAA"
+#   content = split("/", linode_instance.services.ipv6)[0]
+#   ttl     = 1
+#   proxied = true
+# }
 
-resource "cloudflare_record" "prometheus_services_a" {
-  count   = var.enable_cloudflare_dns ? 1 : 0
-  zone_id = var.cloudflare_zone_id
-  name    = "prometheus"
-  type    = "A"
-  content = sort(tolist(linode_instance.services.ipv4))[0]
-  ttl     = 1
-  proxied = true
-}
+# Prometheus DNS records - currently unused
+# resource "cloudflare_record" "prometheus_services_a" {
+#   count   = var.enable_cloudflare_dns ? 1 : 0
+#   zone_id = var.cloudflare_zone_id
+#   name    = "prometheus"
+#   type    = "A"
+#   content = sort(tolist(linode_instance.services.ipv4))[0]
+#   ttl     = 1
+#   proxied = true
+# }
 
-resource "cloudflare_record" "prometheus_services_aaaa" {
-  count   = var.enable_cloudflare_dns ? 1 : 0
-  zone_id = var.cloudflare_zone_id
-  name    = "prometheus"
-  type    = "AAAA"
-  content = split("/", linode_instance.services.ipv6)[0]
-  ttl     = 1
-  proxied = true
-}
+# resource "cloudflare_record" "prometheus_services_aaaa" {
+#   count   = var.enable_cloudflare_dns ? 1 : 0
+#   zone_id = var.cloudflare_zone_id
+#   name    = "prometheus"
+#   type    = "AAAA"
+#   content = split("/", linode_instance.services.ipv6)[0]
+#   ttl     = 1
+#   proxied = true
+# }
 
+# App DNS records
 resource "cloudflare_record" "app_services_a" {
   count   = var.enable_cloudflare_dns ? 1 : 0
   zone_id = var.cloudflare_zone_id