refactor: [#246] Remove Grafana firewall configuration

Remove Grafana firewall configuration due to Docker bypassing UFW.
Discovery: Docker published ports bypass UFW firewall rules entirely.

Changes:
- Remove templates/ansible/configure-grafana-firewall.yml playbook
- Remove src/application/steps/system/configure_grafana_firewall.rs
- Remove ConfigureGrafanaFirewall from ConfigureStep enum
- Remove references from project_generator.rs, handler.rs, mod.rs
- Update issue spec to reflect removal and document security discovery

Rationale: UFW configuration provides false sense of security - Docker
modifies iptables directly. Proper solution requires reverse proxy with
TLS (roadmap task 6). See docs/issues/DRAFT-docker-ufw-firewall-security-strategy.md

Author: josecelano

docs/issues/246-grafana-slice-release-run-commands.md

@@ -8,8 +8,8 @@ use super::errors::ConfigureCommandHandlerError;
 use crate::adapters::ansible::AnsibleClient;
 use crate::application::command_handlers::common::StepResult;
 use crate::application::steps::{
-    ConfigureFirewallStep, ConfigureGrafanaFirewallStep, ConfigureSecurityUpdatesStep,
-    ConfigureTrackerFirewallStep, InstallDockerComposeStep, InstallDockerStep,
+    ConfigureFirewallStep, ConfigureSecurityUpdatesStep, ConfigureTrackerFirewallStep,
+    InstallDockerComposeStep, InstallDockerStep,
 };
 use crate::domain::environment::repository::{EnvironmentRepository, TypedEnvironmentRepository};
 use crate::domain::environment::state::{ConfigureFailureContext, ConfigureStep};
@@ -218,34 +218,6 @@ impl ConfigureCommandHandler {
                 .map_err(|e| (e.into(), current_step))?;
         }
 
-        let current_step = ConfigureStep::ConfigureGrafanaFirewall;
-        // Configure Grafana-specific firewall rules (conditional on Grafana configuration)
-        // Only execute if Grafana is configured in the environment
-        if skip_firewall {
-            info!(
-                command = "configure",
-                step = "configure_grafana_firewall",
-                status = "skipped",
-                "Skipping Grafana firewall configuration due to TORRUST_TD_SKIP_FIREWALL_IN_CONTAINER"
-            );
-        } else if environment.context().user_inputs.grafana.is_some() {
-            info!(
-                command = "configure",
-                step = "configure_grafana_firewall",
-                "Configuring Grafana firewall (Grafana enabled)"
-            );
-            ConfigureGrafanaFirewallStep::new(Arc::clone(&ansible_client))
-                .execute()
-                .map_err(|e| (e.into(), current_step))?;
-        } else {
-            info!(
-                command = "configure",
-                step = "configure_grafana_firewall",
-                status = "skipped",
-                "Skipping Grafana firewall configuration (Grafana disabled)"
-            );
-        }
-
         // Transition to Configured state
         let configured = environment.clone().configured();
 

src/application/command_handlers/configure/handler.rs

@@ -39,8 +39,8 @@ pub use rendering::{
 };
 pub use software::{InstallDockerComposeStep, InstallDockerStep};
 pub use system::{
-    ConfigureFirewallStep, ConfigureGrafanaFirewallStep, ConfigureSecurityUpdatesStep,
-    ConfigureTrackerFirewallStep, WaitForCloudInitStep,
+    ConfigureFirewallStep, ConfigureSecurityUpdatesStep, ConfigureTrackerFirewallStep,
+    WaitForCloudInitStep,
 };
 pub use validation::{
     ValidateCloudInitCompletionStep, ValidateDockerComposeInstallationStep,

src/application/steps/mod.rs

@@ -9,7 +9,6 @@
  * - Automatic security updates configuration
  * - UFW firewall configuration
  * - Tracker firewall configuration
- * - Grafana firewall configuration
  *
  * Future steps may include:
  * - User account setup and management
@@ -18,13 +17,11 @@
  */
 
 pub mod configure_firewall;
-pub mod configure_grafana_firewall;
 pub mod configure_security_updates;
 pub mod configure_tracker_firewall;
 pub mod wait_cloud_init;
 
 pub use configure_firewall::ConfigureFirewallStep;
-pub use configure_grafana_firewall::ConfigureGrafanaFirewallStep;
 pub use configure_security_updates::ConfigureSecurityUpdatesStep;
 pub use configure_tracker_firewall::ConfigureTrackerFirewallStep;
 pub use wait_cloud_init::WaitForCloudInitStep;

src/application/steps/system/configure_grafana_firewall.rs

@@ -51,8 +51,6 @@ pub enum ConfigureStep {
     ConfigureFirewall,
     /// Configuring Tracker firewall rules
     ConfigureTrackerFirewall,
-    /// Configuring Grafana firewall rules
-    ConfigureGrafanaFirewall,
 }
 
 /// Error state - Application configuration failed

src/application/steps/system/mod.rs

@@ -307,7 +307,6 @@ impl AnsibleProjectGenerator {
             "configure-security-updates.yml",
             "configure-firewall.yml",
             "configure-tracker-firewall.yml",
-            "configure-grafana-firewall.yml",
             "create-tracker-storage.yml",
             "init-tracker-database.yml",
             "deploy-tracker-config.yml",