security(nginx): remove dead Grafana service-account token from committed config

The glsa_ token on the /grafana/ location was committed to a public repo.
Verified dead: Grafana's service-account and api_key tables are empty (the
data dir is ephemeral container storage, so the SA was wiped on a past
recreate) and an arbitrary invalid bearer gets identical 200 responses —
panel embeds are actually served by anonymous Viewer auth
(GF_AUTH_ANONYMOUS_ENABLED=true). The header was a no-op; removing it
changes no behavior and removes the credential from the config.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Erik 2026-06-10 16:25:20 +02:00
parent 87e4f2ff62
commit a5b80fd9cd


@ -14,8 +14,12 @@
# WebSockets are long-lived; nginx's default 60s timeout drops idle clients. # WebSockets are long-lived; nginx's default 60s timeout drops idle clients.
# Removing these timeouts caused all plugin connections to drop every # Removing these timeouts caused all plugin connections to drop every
# ~60s when no data flowed from backend to client (April 2026 incident). # ~60s when no data flowed from backend to client (April 2026 incident).
# - Bearer token in /grafana/ proxy_set_header is a Grafana service account # - /grafana/ panel embeds rely on Grafana's anonymous Viewer auth
# token used for anonymous panel embeds. Rotate when credentials leak. # (GF_AUTH_ANONYMOUS_ENABLED=true in docker-compose.yml) — no credentials
# in this file. Do NOT hardcode tokens here: this file is committed to a
# public repo, and Grafana's state DB is ephemeral container storage, so
# service-account tokens get orphaned on every container recreate. A
# previously committed (long-dead) token was removed in June 2026.
server { server {
listen 443 ssl; listen 443 ssl;
@ -108,7 +112,6 @@ server {
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Authorization "Bearer glsa_AcDTcN5CUX9h5Bi2ipmVAs6g1FRTSIWk_8b81cf99";
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
proxy_cache_bypass $http_upgrade; proxy_cache_bypass $http_upgrade;
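Review bot: dropping `proxy_set_header Authorization "Bearer glsa_..."` changes which Authorization header Grafana sees. The hardcoded directive overrode any client-supplied Authorization; with it removed, nginx passes the client's own Authorization header upstream by default, so a browser or script can now present arbitrary Grafana credentials through the /grafana/ embed proxy. If the intent is that embeds run only as the anonymous Viewer (as the comment in the first hunk states), consider explicitly clearing it with `proxy_set_header Authorization "";` so behaviour matches the documented design rather than silently widening to pass-through.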