Update Ansible configuration and documentation to reflect new inventory structure. Migrate group_vars to inventory/group_vars/ and enhance README with updated paths for variable files, improving clarity for users.

clusters/noble/bootstrap/argocd/README.md

@@ -58,7 +58,7 @@ Use **Settings → Repositories** in the UI, or `argocd repo add` / a `Secret` o
 2. Optional add-on apps: add **`Application`** manifests under **`clusters/noble/apps/`** (see **`clusters/noble/apps/README.md`**).
 3. **Bootstrap kustomize** (namespaces, datasource, etc.): **`noble-bootstrap-root`** syncs **`clusters/noble/bootstrap`** (no **`argocd/app-of-apps/`** in that kustomization). Leaf **`Application`** manifests live under **`argocd/app-of-apps/`**; Ansible applies that directory **after** **`noble_platform`** Helm so Argo does not SSA charts first. The root app uses **manual** sync; each leaf app is **manual** until you enable automation (see **§5**).
 
-   **`ansible/playbooks/noble.yml`** (roles **`noble_argocd`** Helm, then **`noble_platform`** — which **include_role**s **`noble_argocd/applications_post_platform`** after Helm) when **`noble_argocd_apply_*`** flags are set in **`ansible/group_vars/all.yml`**.
+   **`ansible/playbooks/noble.yml`** (roles **`noble_argocd`** Helm, then **`noble_platform`** — which **include_role**s **`noble_argocd/applications_post_platform`** after Helm) when **`noble_argocd_apply_*`** flags are set in **`ansible/inventory/group_vars/all.yml`**.
 
    ```bash
    kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml

clusters/noble/bootstrap/authentik/values.yaml

@@ -37,11 +37,12 @@ server:
     ingressClassName: traefik
     annotations:
       cert-manager.io/cluster-issuer: letsencrypt-prod
+    # Chart expects **strings** (FQDNs only); paths come from **server.ingress.paths** / **pathType**.
     hosts:
-      - host: auth.apps.noble.lab.pcenicni.dev
-        paths:
-          - path: /
-            pathType: Prefix
+      - auth.apps.noble.lab.pcenicni.dev
+    paths:
+      - /
+    pathType: Prefix
     tls:
       - secretName: authentik-apps-noble-tls
         hosts:

clusters/noble/bootstrap/velero/README.md

@@ -45,7 +45,7 @@ Or let **Ansible** create it from **`.env`** (`NOBLE_VELERO_AWS_ACCESS_KEY_ID`,
    - **`NOBLE_VELERO_S3_URL`** — S3 API base URL (e.g. `https://minio.lan:9000` or your VersityGW/MinIO endpoint)
    - **`NOBLE_VELERO_AWS_ACCESS_KEY_ID`** / **`NOBLE_VELERO_AWS_SECRET_ACCESS_KEY`** — credentials the AWS plugin uses (S3-compatible access key style)
 
-2. Enable the role: set **`noble_velero_install: true`** in **`ansible/group_vars/all.yml`**, **or** pass **`-e noble_velero_install=true`** on the command line.
+2. Enable the role: set **`noble_velero_install: true`** in **`ansible/inventory/group_vars/all.yml`**, **or** pass **`-e noble_velero_install=true`** on the command line.
 
 3. Run from **`ansible/`** (adjust **`KUBECONFIG`** to your cluster admin kubeconfig):
 
@@ -73,7 +73,7 @@ ansible-playbook playbooks/noble.yml
 
 ## Install (Ansible) — details
 
-1. Set **`noble_velero_install: true`** in **`ansible/group_vars/all.yml`** (or pass **`-e noble_velero_install=true`**).
+1. Set **`noble_velero_install: true`** in **`ansible/inventory/group_vars/all.yml`** (or pass **`-e noble_velero_install=true`**).
 2. Set **`noble_velero_s3_bucket`** and **`noble_velero_s3_url`** via **`.env`** (**`NOBLE_VELERO_S3_*`**) or **`group_vars`** or **`-e`**. Extra-vars override **`.env`**. Optional: **`noble_velero_s3_region`**, **`noble_velero_s3_prefix`**, **`noble_velero_s3_force_path_style`** (defaults match `values.yaml`).
 3. Run **`ansible/playbooks/noble.yml`** (Velero runs after **`noble_platform`**).