refactor(deployment): Remove WireGuard VPN dependency and restore public service access

Remove WireGuard integration from production deployment to simplify infrastructure:
- Remove docker-compose-direct-access.yml (VPN-bound services)
- Remove VPN-only middlewares from Grafana, Prometheus, Portainer
- Remove WireGuard middleware definitions from Traefik
- Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers

All monitoring services now publicly accessible via subdomains:
- grafana.michaelschiemer.de (with Grafana native auth)
- prometheus.michaelschiemer.de (with Basic Auth)
- portainer.michaelschiemer.de (with Portainer native auth)

All services use Let's Encrypt SSL certificates via Traefik.

deployment/stacks/monitoring/docker-compose.yml

@@ -41,7 +41,7 @@ services:
       - "traefik.http.routers.prometheus.entrypoints=websecure"
       - "traefik.http.routers.prometheus.tls=true"
       - "traefik.http.routers.prometheus.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.prometheus.middlewares=prometheus-auth"
+      - "traefik.http.routers.prometheus.middlewares=prometheus-auth@docker"
       - "traefik.http.middlewares.prometheus-auth.basicauth.users=${PROMETHEUS_AUTH}"
       - "traefik.http.services.prometheus.loadbalancer.server.port=9090"
     healthcheck:
@@ -75,9 +75,6 @@ services:
       - "traefik.http.routers.grafana.entrypoints=websecure"
       - "traefik.http.routers.grafana.tls=true"
       - "traefik.http.routers.grafana.tls.certresolver=letsencrypt"
-      # VPN IP whitelist: Use middleware defined in Traefik dynamic config
-      # Middleware is defined in deployment/stacks/traefik/dynamic/middlewares.yml
-      - "traefik.http.routers.grafana.middlewares=grafana-vpn-only@file"
       - "traefik.http.services.grafana.loadbalancer.server.port=3000"
     depends_on:
       prometheus: