refactor: remove HAProxy from Prospero, centralize TLS on Titania

Move TLS termination and reverse proxying entirely to Titania's
HAProxy, eliminating the redundant HAProxy instance on Prospero.
Backends now communicate over plain HTTP within the internal network.

- Remove HAProxy container, config, certs, and syslog from Prospero
- Remove ssl_backend flags from Titania backend definitions
- Replace pplg_haproxy_* vars with single pplg_domain variable
- Remove HAProxy syslog source from Alloy config
- Update OAuth2-Proxy to listen on all interfaces for Titania access
2026-04-08 17:57:09 +00:00
parent df1ee5e778
commit 0f21380fd0
8 changed files with 56 additions and 354 deletions


@@ -10,7 +10,7 @@ client_id = "{{prometheus_oauth2_client_id}}"
client_secret = "{{prometheus_oauth2_client_secret}}"
# Redirect URL after authentication
redirect_url = "https://prometheus.{{pplg_haproxy_domain}}/oauth2/callback"
redirect_url = "https://prometheus.{{pplg_domain}}/oauth2/callback"
# Upstream service (Prometheus)
upstreams = [
@@ -24,7 +24,7 @@ cookie_secure = true
cookie_httponly = true
cookie_expire = "168h"
cookie_refresh = "1h"
cookie_domains = ".{{pplg_haproxy_domain}}"
cookie_domains = ".{{pplg_domain}}"
session_store_type = "cookie"
# Authentication settings
@@ -49,9 +49,10 @@ http_address = "0.0.0.0:{{prometheus_proxy_port}}"
reverse_proxy = true
real_client_ip_header = "X-Forwarded-For"
# Skip authentication for health check endpoints
# Skip authentication for health check and machine-to-machine endpoints
skip_auth_routes = [
"^/ping$"
"^/ping$",
"^/api/v1/write$"
]
# OIDC specific settings
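Review bot: The added `"^/api/v1/write$"` entry in `skip_auth_routes` makes the remote-write path reachable without an OAuth2 session by any client that can connect to this listener, which the hunk header shows bound to `0.0.0.0`. Since this commit also drops the local HAProxy and moves backends to plain HTTP, nothing visible here authenticates or source-restricts those writers; if that control lives on Titania or in a host firewall, it is not shown on this page and should be confirmed. At minimum narrow the bypass to the method the writers use, `"POST=^/api/v1/write$"`, and extend the comment to say who the callers are and where they are authenticated, e.g. `# /api/v1/write: remote-write from internal agents only; access restricted at <where>`.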