Document undocumented services on london-a

Audit of london-a rc.conf found several services running but not
captured in host_vars or docs: cloudflared, InfluxDB, Redis,
PostgreSQL, and libvirtd.

- InfluxDB: only _internal db, completely unused
- Redis: empty keyspace, unused
- PostgreSQL: has pez_vps db from a dead project, needs data review
- libvirtd: zero VMs, related to same dead project
- cloudflared: running tunnel 168eccae, config now captured

Also documented the weekly ZFS scrub cron (Sundays at noon) which
is in root's crontab but not ansible-managed.

Ref: PESO-101

ansible/inventory/host_vars/london-a.yml

@@ -7,3 +7,39 @@ grafana_provisioning_dir: /usr/local/share/grafana/conf/provisioning
 
 zfs_pools:
   - zroot
+
+# ZFS scrub schedule (currently manual cron, not yet managed by ansible)
+# 0 12 * * sun zpool scrub zroot
+zfs_scrub_schedule: "0 12 * * 0"
+
+# --- Services enabled in rc.conf ---
+
+# Core services (documented)
+# sshd, ntpd, powerd, zfs, tailscaled, grafana, prometheus, node_exporter
+
+# Cloudflare Tunnel — proxies Grafana/Prometheus via pez.sh
+cloudflared_tunnel_id: "168eccae-2497-48e2-a1e2-c12cd3448d9a"
+
+# --- Undocumented / likely unused services (audit 2026-03-30) ---
+# These were found running but appear unused. Candidates for removal.
+
+# InfluxDB — listening on *:8086, only _internal database exists.
+# No user databases. Probably installed for testing and never used.
+# RECOMMENDATION: disable (influxd_enable="NO" in rc.conf)
+undocumented_influxdb: "unused — no databases, disable"
+
+# Redis — listening on localhost:6379, empty keyspace.
+# No clients connected. No data.
+# RECOMMENDATION: disable (redis_enable="NO" in rc.conf)
+undocumented_redis: "unused — empty keyspace, disable"
+
+# PostgreSQL — listening on localhost:5432, has a pez_vps database
+# with tables: vms, snapshots, ip_addresses, users, audit_logs, isos.
+# Appears to be from a defunct VPS management project (Rust/sqlx).
+# RECOMMENDATION: confirm with Pez before removing data, then disable
+undocumented_postgresql: "defunct pez_vps project — confirm before disabling"
+
+# libvirtd — running, zero VMs defined.
+# Likely installed for the same pez_vps project.
+# RECOMMENDATION: disable (libvirtd_enable="NO" in rc.conf)
+undocumented_libvirtd: "unused — no VMs, disable"

ansible/services/cloudflared/london-a/cloudflared.yml

@@ -0,0 +1,3 @@
+tunnel: 168eccae-2497-48e2-a1e2-c12cd3448d9a
+protocol: http2
+credentials-file: /root/.cloudflared/168eccae-2497-48e2-a1e2-c12cd3448d9a.json

docs/hosts/london-a.md

@@ -23,12 +23,31 @@ Old gaming PC, now perfectly happy as a monitoring host. Very lightly loaded —
 
 ## Services
 
-| Service | Port | URL |
-|---------|------|-----|
-| Prometheus | 9090 | prometheus.pez.sh |
-| Grafana | 3000 | grafana.pez.sh |
+| Service | Port | Status | Notes |
+|---------|------|--------|-------|
+| Prometheus | 9090 | Active | prometheus.pez.sh |
+| Grafana | 3000 | Active | grafana.pez.sh |
+| node_exporter | 9100 | Active | Metrics exporter |
+| cloudflared | — | Active | Tunnel 168eccae-... proxying Grafana/Prometheus |
+| Tailscale | — | Active | Mesh networking |
 
-Both are behind Authelia (auth handled by Caddy on helsinki-a).
+Both Prometheus and Grafana are behind Authelia (auth handled by Caddy on helsinki-a).
+
+### Unused services (audit 2026-03-30)
+
+These services are enabled in rc.conf but appear unused. Pending cleanup.
+
+| Service | Port | Finding |
+|---------|------|---------|
+| InfluxDB | 8086 (all interfaces!) | Only `_internal` database — never used. Listening on `*:8086` is also a security concern. |
+| Redis | 6379 (localhost) | Empty keyspace, no clients. |
+| PostgreSQL | 5432 (localhost) | Has `pez_vps` database from a defunct VPS management project. Data may need backup before removal. |
+| libvirtd | — | Zero VMs. Installed for the same pez_vps project. |
+
+## ZFS
+
+- Pool: `zroot`
+- Weekly scrub: `0 12 * * sun zpool scrub zroot` (root crontab, not ansible-managed yet)
 
 ## Why FreeBSD