feat(sunken-ship): retire Cloudflare Tunnel for navidrome ☁️💥

Stage 4d of the clan migration. Navidrome is now reachable only over
the ZeroTier mesh (port 4533 on sunken-ship's ZT IPv6 address, or via
the sunken-ship-zt SSH alias). Dropped:

- systemd.services.cloudflare-tunnel
- clan.core.vars.generators.cloudflare-tunnel
- cloudflared from environment.systemPackages
- vars/per-machine/sunken-ship/cloudflare-tunnel/

Manual follow-ups still needed on sunken-ship:
- rm /home/danny/.secrets/cloudflare-tunnel-token  (old unmanaged token)
- delete the tunnel itself in the Cloudflare Zero Trust dashboard
- unlink the DNS record music.dannydannydanny.me if it was separate

nixos/hosts/sunken-ship.nix

@@ -60,7 +60,6 @@
     brightnessctl # manual backlight; replaces removed `light` from nixpkgs
     uxplay # AirPlay mirroring receiver
     alsa-utils # aplay, amixer, arecord for audio debugging
-    cloudflared # Cloudflare Tunnel for external access
   ];
 
   # Avahi (mDNS) — required for AirPlay discovery.
@@ -95,38 +94,11 @@
     options = [ "bind" "ro" ];
   };
 
-  # Cloudflare Tunnel — exposes services to the internet without port forwarding.
-  # Token managed as a clan var (see generator below); prompted interactively
-  # on first `clan vars generate` and stored SOPS-encrypted under vars/.
-  # Routes configured in Cloudflare Zero Trust dashboard:
-  #   music.dannydannydanny.me → http://localhost:4533
-  # Scheduled for retirement in stage 4d — ZeroTier-only access after that.
-  clan.core.vars.generators.cloudflare-tunnel = {
-    files.tunnel-token = {
-      secret = true;
-      deploy = true;
-      owner = "danny";
-    };
-    prompts.tunnel-token = {
-      description = "Cloudflare Tunnel token (Zero Trust dashboard → Networks → Tunnels → your tunnel → refresh token)";
-      type = "hidden";
-      persist = true;
-    };
-    script = "cp $prompts/tunnel-token $out/tunnel-token";
-  };
-
-  systemd.services.cloudflare-tunnel = {
-    description = "Cloudflare Tunnel for sunken-ship";
-    after = [ "network-online.target" ];
-    wants = [ "network-online.target" ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      ExecStart = "/bin/sh -c '${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --token $(cat ${config.clan.core.vars.generators.cloudflare-tunnel.files.tunnel-token.path})'";
-      Restart = "on-failure";
-      RestartSec = 10;
-      User = "danny";
-    };
-  };
+  # Navidrome is now reachable only over the ZeroTier mesh — see the
+  # sunken-ship-zt SSH alias on the mac, or hit http://[fdd5:53a2:de33:
+  # d269:6499:93d5:53a2:de33]:4533 directly from any ZT-joined device.
+  # The Cloudflare Tunnel + its clan vars generator were retired in 4d;
+  # delete the tunnel itself in the Cloudflare Zero Trust dashboard.
 
   # UxPlay AirPlay receiver — audio-only, outputs directly to Scarlett Solo via ALSA.
   # Runs as a system service (no PipeWire needed on a headless server).

vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token/machines/sunken-ship

@@ -1 +0,0 @@
-../../../../../../sops/machines/sunken-ship

vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token/secret

@@ -1,18 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:+8Hm6/7+GXwltfCX9L4mEJP6mde8+a+kubvfjm+kIHTmd7uacrcO4LLJD43cSPUA04Enz/+gMEY1OGHKOsuOEu16UdGU6Msmh+J+gjtqQRjTXwitoLCJDAb5u785IcqhL9j0dyP0bwCV+NRIZ95n/YXaI9ykDgVKSWLzHgVFXRfXeG8Nbjvc7yJ77yFxXgszwzZTb4NLYl2+JC0zEhVBagSv6uJbFxuABd1tq+gpGTfOy/dWIoF8JvDuX9oKkpbQefRN606oHyOFjrXq19Z2cVvkyp8+WLZixKG+8lzBCot/htEqj4eS4w11rys88CVTWXPuKc2atJE=,iv:0saZY5dGAnDFYpTTgPi10ulF0TCtIwI6PLwxt0Wm9MQ=,tag:ugBpe40mpI1VsLgwLR24CQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1g6y8gvcampqj5y3yzdajke2h5n7k6ckdg6a424cghy5325px7cmqjmmd28",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cE9hVUtKUU1la0w2YmtF\nc1RyNEM5c2t4cEZBU242bHhzNUl5WVB0Qkc4CkRhNlk1ZG9NSDdxOUUxaW5RajQx\naW5McFlCNmN2dmxRdDM0WGNQbUJYZk0KLS0tIDRMSFpGUlk5ZDVFanZvZkZrN1Fz\na0ZXa1dnNFkzOGtDYS9rcE5Zd2VXTVUKA1bV5ERPVOo4jRnZEt4A7HECyid2UomQ\nD1nc95fPZgy5tEpL/P2SveEitOsk9HEdvudxvWdHtnUbD4GdFIftEQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1zy3q73pujauyajgfqwu0pnyy8732lzwvw87tu7p2xg3xuzaujc2qh6ql77",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldDYrQ0NSdHBkampCdG1k\na21DK0JyMmttYllnRkJLUWJQUXFmZzJqT3pZCnB0Z0puVGdEU0NGVEVCNmQ3TDFt\nRG9ZdTgyZldhRGl6bUVESmVISEFnUEkKLS0tIHJWWGtpU3dkL25LbWttUk96ZTJD\ncWVQMmZkclptM2RBWC9PZldaM2RlM0EKOg+Yn+Lq/6fUrVlXP+C8EdpGouyBM3Jk\nspZvUN4+nTD3zcIEz/pW42Q13icXcBj+3AA4Dz2awiO+00xhwPxerA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2026-04-19T19:05:26Z",
-		"mac": "ENC[AES256_GCM,data:bUQ2ZtBkaxpGLSvYTQOtutY6R0+2SWj3PoICgr/tN+sRbO2rAJSblUzbUwdfwZhHbHt05lPYmskvzfBmPc9X3FDeKJvxc8+W183EonuJRG4k2/irH0mTL1wTw+2ziFHQA6x+UpPDvmb1q06sB0ftEF3EoKgiPdsBQjdVVhb+BZs=,iv:wurrdazSS9sdh6RD1zkNPmb7503aksTr7fgVBVo91ZQ=,tag:7q/UypkYosmrMPbUE+y8Pw==,type:str]",
-		"version": "3.12.2"
-	}
-}

vars/per-machine/sunken-ship/cloudflare-tunnel/tunnel-token/users/danny

@@ -1 +0,0 @@
-../../../../../../sops/users/danny