Drop Cloudflare DNS TLS block from Caddy vhost

Remove the tls { dns cloudflare ... } directive and fall back to
Caddy's default automatic HTTPS (HTTP-01 / TLS-ALPN). The
Cloudflare DNS plugin was causing issues during cert provisioning;
standard ACME works fine as long as port 80/443 reach the server.

Also drop the now-unused cloudflare_token variable from group_vars.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ansible/group_vars/all.yml

@@ -5,10 +5,7 @@ deploy_dir: /var/www/e-auth
 auth_domain: auth.e-cosplay.fr
 keycloak_local_port: 9450
 
-# Caddy (assumed already installed with the caddy-dns/cloudflare plugin
-# and configured to load per-site files from /etc/caddy/sites/*.conf)
+# Caddy (assumed already installed and configured to load per-site
+# files from /etc/caddy/sites/*.conf). TLS is handled by Caddy's
+# default ACME flow (HTTP-01 / TLS-ALPN), no Cloudflare DNS plugin.
 caddy_site_file: /etc/caddy/sites/e-auth.conf
-
-# Cloudflare API token consumed by the caddy-dns/cloudflare plugin
-# for the ACME DNS-01 challenge.
-cloudflare_token: cfat_rIHZqzCm9GKK3xVnQDNGfu6J91TseIDdTKeuWSFUdf6ccd31

ansible/templates/e-auth.conf.j2

@@ -2,10 +2,6 @@
 # Reverse proxy for {{ auth_domain }} -> local Keycloak container on :{{ keycloak_local_port }}
 
 {{ auth_domain }} {
-    tls {
-        dns cloudflare {{ cloudflare_token }}
-    }
-
     encode gzip zstd
 
     reverse_proxy 127.0.0.1:{{ keycloak_local_port }}