revert: switch back to HTTP-01 until Cloudflare NS propagation

DNS-01 + wildcard cert requires Cloudflare to be authoritative NS.
Until propagation completes, use httpChallenge on port 80.

Plan after Cloudflare NS is active:
1. Switch back to dnsChallenge in traefik.yml.j2
2. Re-enable tls.stores.default.defaultGeneratedCert in routes.yml.j2
3. Clear acme.json → Traefik issues *.csrx.ru wildcard cert

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

roles/services/templates/traefik/dynamic/routes.yml.j2

@@ -1,18 +1,8 @@
 # Traefik dynamic routing config — generated by Ansible
 # Do not edit manually; re-run ansible-playbook deploy.yml
 
-# ── Wildcard TLS certificate via Cloudflare DNS-01 ────────────────────────────
-# One cert covers ALL *.csrx.ru subdomains + root csrx.ru.
-# Adding a new service = zero cert wait time, Traefik reuses this cert.
-tls:
-  stores:
-    default:
-      defaultGeneratedCert:
-        resolver: letsencrypt
-        domain:
-          main: "*.{{ domain_base }}"
-          sans:
-            - "{{ domain_base }}"
+# NOTE: wildcard cert (*.csrx.ru) будет включён после переноса NS на Cloudflare.
+# Тогда переключим ACME на dnsChallenge и добавим tls.stores.default.defaultGeneratedCert
 
 http:
   routers:

roles/services/templates/traefik/traefik.yml.j2

@@ -93,12 +93,9 @@ certificatesResolvers:
     acme:
       email: "{{ acme_email }}"
       storage: /acme/acme.json
-      dnsChallenge:
-        provider: cloudflare
-        # Use Cloudflare DNS resolvers to avoid propagation delays
-        resolvers:
-          - "1.1.1.1:53"
-          - "1.0.0.1:53"
+      # TODO: switch to dnsChallenge after Cloudflare NS propagation
+      httpChallenge:
+        entryPoint: web
 
 providers:
   file: