telegraf: run as root + bypass gosu drop to read docker.sock GID-independently

The container ran as user 0:994 and accessed the docker socket via group
membership, but the host docker group GID is auto-assigned and varies per
host (e.g. uk-8 is 988, not 994), so the hardcoded gid silently breaks
telegraf's docker input wherever it differs (uk-8 was in a restart loop:
permission denied on /var/run/docker.sock). Run as root (0:0) with
entrypoint [telegraf] to skip the image's gosu privilege-drop, so telegraf
reads the socket as its owner regardless of the host docker gid. Works
uniformly fleet-wide; no regression on hosts where the gid happened to match.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

monitoring.yml

@@ -169,7 +169,12 @@ services:
 
   telegraf:
     image: telegraf:latest
-    user: "0:994"
+    # Run as root and bypass the image's gosu privilege-drop so telegraf reads the
+    # docker socket as its OWNER (root). Avoids hardcoding the host docker group GID,
+    # which is auto-assigned and varies per host (e.g. 994 vs 988) - a hardcoded gid
+    # silently breaks telegraf's docker input wherever the gid differs.
+    user: "0:0"
+    entrypoint: ["telegraf"]
     container_name: telegraf
     restart: unless-stopped
     networks: