refactor(deployment): Remove WireGuard VPN dependency and restore public service access

Remove WireGuard integration from production deployment to simplify infrastructure:
- Remove docker-compose-direct-access.yml (VPN-bound services)
- Remove VPN-only middlewares from Grafana, Prometheus, Portainer
- Remove WireGuard middleware definitions from Traefik
- Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers

All monitoring services now publicly accessible via subdomains:
- grafana.michaelschiemer.de (with Grafana native auth)
- prometheus.michaelschiemer.de (with Basic Auth)
- portainer.michaelschiemer.de (with Portainer native auth)

All services use Let's Encrypt SSL certificates via Traefik.

deployment/ansible/templates/wireguard-nftables.nft.j2

@@ -0,0 +1,15 @@
+table inet wireguard_{{ wg_interface }} {
+    chain postrouting {
+        type nat hook postrouting priority srcnat;
+        oifname "{{ wan_interface }}" ip saddr {{ wg_net }} masquerade
+    }
+
+    chain forward {
+        type filter hook forward priority filter;
+        iifname "{{ wg_interface }}" ip saddr {{ wg_net }} counter accept
+        oifname "{{ wg_interface }}" ip daddr {{ wg_net }} ct state established,related counter accept
+{% for net in extra_nets %}
+        iifname "{{ wg_interface }}" ip daddr {{ net }} counter accept
+{% endfor %}
+    }
+}