refactor(deployment): Remove WireGuard VPN dependency and restore public service access

Remove WireGuard integration from production deployment to simplify infrastructure:
- Remove docker-compose-direct-access.yml (VPN-bound services)
- Remove VPN-only middlewares from Grafana, Prometheus, Portainer
- Remove WireGuard middleware definitions from Traefik
- Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers

All monitoring services now publicly accessible via subdomains:
- grafana.michaelschiemer.de (with Grafana native auth)
- prometheus.michaelschiemer.de (with Basic Auth)
- portainer.michaelschiemer.de (with Portainer native auth)

All services use Let's Encrypt SSL certificates via Traefik.

deployment/wireguard-old/wireguard-server.conf.j2

@@ -0,0 +1,22 @@
+# WireGuard Server Configuration
+# Generated by Ansible - DO NOT EDIT MANUALLY
+
+[Interface]
+# Server private key
+PrivateKey = {{ server_private_key_for_config }}
+
+# Server IP address in VPN network
+Address = {{ wireguard_server_ip }}/24
+
+# Port to listen on
+ListenPort = {{ wireguard_port }}
+
+# Enable NAT for VPN clients to access internet
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ wireguard_interface_name }} -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ wireguard_interface_name }} -j MASQUERADE
+
+# Clients will be added here by the add-wireguard-client playbook
+# Example:
+# [Peer]
+# PublicKey = <client_public_key>
+# AllowedIPs = 10.8.0.2/32