docs: полная документация проекта — docs/ и README.md для каждого аддона

- README.md: перепиcан как компактный обзор (98 строк) с навигацией по docs/
- docs/: 13 файлов — getting-started, architecture, configuration, addons,
  storage, security, cicd, observability, networking, operations,
  make-reference, molecule-testing, troubleshooting
- addons/*/README.md: 31 новый файл — описание, параметры, примеры кода
  для каждого из 34 аддонов (vault и external-secrets уже существовали)

docs/configuration.md

@@ -0,0 +1,233 @@
+# Настройка кластера
+
+Все параметры — в `group_vars/all/main.yml` и `group_vars/all/addons.yml`. Секреты — в `group_vars/all/vault.yml`.
+
+## K3S
+
+```yaml
+k3s_version: "v1.29.3+k3s1"
+k3s_cluster_cidr: "10.42.0.0/16"
+k3s_service_cidr: "10.43.0.0/16"
+k3s_flannel_backend: "vxlan"   # vxlan | wireguard-native | host-gw (только Flannel)
+k3s_cni: "flannel"             # flannel | calico | cilium
+
+# Пути (изменены с /var/lib/rancher):
+k3s_config_dir: /etc/kubernetes/k3s
+k3s_data_dir: /var/lib/kubernetes/k3s
+```
+
+## kube-vip
+
+```yaml
+kube_vip_address: "192.168.1.100"   # ОБЯЗАТЕЛЬНО: свободный IP
+kube_vip_interface: ""              # пусто = авто через ansible_default_ipv4.interface
+kube_vip_mode: "arp"                # arp (L2) | bgp (L3)
+kube_vip_services_enable: true      # LoadBalancer сервисы
+```
+
+## NFS / CSI
+
+```yaml
+nfs_exports:
+  - path: /storage/nfs
+    options: "*(rw,sync,no_subtree_check,no_root_squash)"
+nfs_allowed_network: "192.168.1.0/24"
+
+csi_nfs_server: "{{ hostvars[groups['nfs_server'][0]]['ansible_host'] }}"
+csi_nfs_share: "/storage/nfs"
+csi_nfs_reclaim_policy: "Delete"   # Delete | Retain
+```
+
+## ingress-nginx
+
+```yaml
+ingress_nginx_service_type: "LoadBalancer"
+ingress_nginx_load_balancer_ip: ""   # авто от kube-vip
+ingress_nginx_class_name: "nginx"
+ingress_nginx_set_default_class: true
+
+# Кастомная страница ошибок:
+ingress_nginx_custom_errors_enabled: true
+ingress_nginx_error_cluster_name: "K3S Cluster"
+```
+
+## Bootstrap — первичная настройка нод
+
+```yaml
+k3s_admin_user: devops   # пользователь создаётся на всех нодах
+ansible_user: "{{ k3s_admin_user }}"
+ansible_ssh_private_key_file: "~/.ssh/id_rsa"
+
+k3s_admin_ssh_public_key_files:
+  - /root/.ssh/id_ed25519.pub
+```
+
+## Сервисные пользователи
+
+```yaml
+cluster_service_users:
+  - name: devops
+    sudo: true
+    shell: /bin/bash
+    key_type: rsa
+    key_bits: 4096
+```
+
+Для каждого пользователя создаётся RSA 4096 пара, `authorized_keys`, sudo NOPASSWD. Ключи → `./keys/<user>_id_rsa`.
+
+## Chrony — синхронизация времени
+
+```yaml
+chrony_timezone: "Europe/Moscow"
+chrony_ntp_servers:
+  - 0.pool.ntp.org
+  - 1.pool.ntp.org
+```
+
+## Ротация сертификатов K3S
+
+```yaml
+k3s_cert_auto_rotate: true
+k3s_cert_validity_years: 5
+k3s_cert_rotate_before_days: 90
+k3s_cert_check_schedule: "monthly"
+```
+
+## Индивидуальные настройки нод (host_vars/)
+
+**master01:**
+```yaml
+k3s_node_labels:
+  - "node-role=master"
+  - "disk-type=ssd"
+```
+
+**rpi01:**
+```yaml
+k3s_node_taints:
+  - "node-type=raspberry-pi:NoSchedule"
+k3s_extra_server_args: |
+  kubelet-arg:
+    - "kube-reserved=cpu=50m,memory=128Mi"
+```
+
+Снять taint с RPi:
+```yaml
+k3s_node_taints: []
+```
+
+## cert-manager
+
+```yaml
+addon_cert_manager: true
+cert_manager_issuer: "letsencrypt"   # none | selfsigned | letsencrypt
+cert_manager_acme_email: "admin@example.com"
+cert_manager_default_issuer_name: "letsencrypt-prod"
+```
+
+Аннотация на Ingress:
+```yaml
+annotations:
+  cert-manager.io/cluster-issuer: "letsencrypt-prod"
+```
+
+## Ansible Vault
+
+```bash
+make vault-create     # Создать
+make vault-edit       # Редактировать
+make vault-view       # Просмотреть
+make vault-encrypt-string STR="токен" NAME="vault_my_var"
+```
+
+Обязательные секреты:
+```yaml
+vault_k3s_token: "xxx"
+vault_grafana_user: "admin"
+vault_grafana_password: "пароль"
+```
+
+## CNI — Calico
+
+```yaml
+k3s_cni: "calico"
+calico_version: "v3.28.0"
+calico_encapsulation: "VXLAN"   # VXLAN | IPIP | None
+```
+
+## CNI — Cilium
+
+```yaml
+k3s_cni: "cilium"
+cilium_version: "1.15.5"
+cilium_hubble_enabled: true
+cilium_hubble_ui_enabled: false
+```
+
+## Примеры манифестов
+
+### Приложение с Ingress + TLS + NFS
+
+```yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: app-data
+spec:
+  accessModes: [ReadWriteMany]
+  storageClassName: nfs-master01
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: my-app
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts: [myapp.example.com]
+      secretName: myapp-tls
+  rules:
+    - host: myapp.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: my-app
+                port:
+                  number: 80
+```
+
+### Приложение только на x86 нодах
+
+```yaml
+spec:
+  template:
+    spec:
+      nodeSelector:
+        node-type: x86_64
+```
+
+### ServiceMonitor для Prometheus
+
+```yaml
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: my-app
+  labels:
+    release: prom
+spec:
+  selector:
+    matchLabels:
+      app: my-app
+  endpoints:
+    - port: metrics
+      interval: 30s
+```