refactor: remove HAProxy from Prospero, centralize TLS on Titania

Move TLS termination and reverse proxying entirely to Titania's
HAProxy, eliminating the redundant HAProxy instance on Prospero.
Backends now communicate over plain HTTP within the internal network.

- Remove HAProxy container, config, certs, and syslog from Prospero
- Remove ssl_backend flags from Titania backend definitions
- Replace pplg_haproxy_* vars with single pplg_domain variable
- Remove HAProxy syslog source from Alloy config
- Update OAuth2-Proxy to listen on all interfaces for Titania access

ansible/alloy/prospero/config.alloy.j2

@@ -1,6 +1,6 @@
 // Prospero Alloy Configuration
 // Red Panda Approved 🐼
-// Services: PPLG stack (Grafana, Prometheus, Loki, Alertmanager, PgAdmin, HAProxy, OAuth2-Proxy)
+// Services: PPLG stack (Grafana, Prometheus, Loki, Alertmanager, PgAdmin, OAuth2-Proxy)
 
 logging {
   level = "{{alloy_log_level}}"
@@ -19,20 +19,6 @@ loki.source.file "system_logs" {
   forward_to = [loki.write.default.receiver]
 }
 
-// PPLG HAProxy syslog receiver (HAProxy syslog → Alloy → Loki)
-loki.source.syslog "pplg_haproxy" {
-  listener {
-    address  = "127.0.0.1:{{pplg_haproxy_syslog_port}}"
-    protocol = "tcp"
-    labels   = {
-      job         = "pplg-haproxy",
-      hostname    = "{{inventory_hostname}}",
-      environment = "{{deployment_environment}}",
-    }
-  }
-  forward_to = [loki.write.default.receiver]
-}
-
 // Journal relabeling - assign dedicated job labels per systemd unit
 loki.relabel "journal" {
   forward_to = []