Update Ansible configuration and documentation to reflect new inventory structure. Migrate group_vars to inventory/group_vars/ and enhance README with updated paths for variable files, improving clarity for users.

ansible/README.md

@@ -8,7 +8,7 @@ Automates [`talos/CLUSTER-BUILD.md`](../talos/CLUSTER-BUILD.md): optional **Talo
 2. **Talos Phase A (automated):** run [`playbooks/talos_phase_a.yml`](playbooks/talos_phase_a.yml) **or** the full pipeline [`playbooks/deploy.yml`](playbooks/deploy.yml). This runs **`talhelper genconfig -o out`**, **`talosctl apply-config`** on each node, **`talosctl bootstrap`**, and **`talosctl kubeconfig`** → **`talos/kubeconfig`**.
 3. **Platform stack:** [`playbooks/noble.yml`](playbooks/noble.yml) (included at the end of **`deploy.yml`**).
 
-Your workstation must be able to reach **node IPs on the lab LAN** (Talos API **:50000** for `talosctl`, Kubernetes **:6443** for `kubectl` / Helm). If `kubectl` cannot reach the VIP (`192.168.50.230`), use `-e 'noble_k8s_api_server_override=https://<control-plane-ip>:6443'` on **`noble.yml`** (see `group_vars/all.yml`).
+Your workstation must be able to reach **node IPs on the lab LAN** (Talos API **:50000** for `talosctl`, Kubernetes **:6443** for `kubectl` / Helm). If `kubectl` cannot reach the VIP (`192.168.50.230`), use `-e 'noble_k8s_api_server_override=https://<control-plane-ip>:6443'` on **`noble.yml`** (see `inventory/group_vars/all.yml`).
 
 **One-shot full deploy** (after nodes are booted and reachable):
 
@@ -79,9 +79,9 @@ ansible-playbook playbooks/noble.yml --tags velero -e noble_velero_install=true
 ansible-playbook playbooks/noble.yml --tags authentik -e noble_authentik_install=true
 ```
 
-### Variables — `group_vars/all.yml` and role defaults
+### Variables — `inventory/group_vars/` and role defaults
 
-- **`group_vars/all.yml`:** **`noble_newt_install`**, **`noble_velero_install`**, **`noble_authentik_install`**, **`noble_cert_manager_require_cloudflare_secret`**, **`noble_argocd_apply_root_application`**, **`noble_argocd_apply_bootstrap_root_application`**, **`noble_k8s_api_server_override`**, **`noble_k8s_api_server_auto_fallback`**, **`noble_k8s_api_server_fallback`**, **`noble_skip_k8s_health_check`**
+- **`inventory/group_vars/all.yml`:** **`noble_newt_install`**, **`noble_velero_install`**, **`noble_authentik_install`**, **`noble_cert_manager_require_cloudflare_secret`**, **`noble_argocd_apply_root_application`**, **`noble_argocd_apply_bootstrap_root_application`**, **`noble_k8s_api_server_override`**, **`noble_k8s_api_server_auto_fallback`**, **`noble_k8s_api_server_fallback`**, **`noble_skip_k8s_health_check`**
 - **`roles/noble_platform/defaults/main.yml`:** **`noble_apply_sops_secrets`**, **`noble_sops_age_key_file`** (SOPS secrets under **`clusters/noble/secrets/`**)
 
 ## Roles
@@ -106,7 +106,7 @@ ansible-playbook playbooks/noble.yml --tags authentik -e noble_authentik_install
 These playbooks are separate from the Talos/noble flow and target hosts in `debian_servers`.
 
 1. Copy `inventory/debian.example.yml` to `inventory/debian.yml` and update hosts/users.
-2. Update `group_vars/debian_servers.yml` with your allowed SSH users and real public keys.
+2. Update `inventory/group_vars/debian_servers.yml` with your allowed SSH users and real public keys.
 3. Run with the Debian inventory:
 
 ```bash
@@ -128,7 +128,7 @@ ansible-playbook -i inventory/debian.yml playbooks/debian_ops.yml
 These playbooks are separate from the Talos/noble flow and target hosts in `proxmox_hosts`.
 
 1. Copy `inventory/proxmox.example.yml` to `inventory/proxmox.yml` and update hosts/users.
-2. Update `group_vars/proxmox_hosts.yml` with your cluster name (`proxmox_cluster_name`), chosen cluster master, and root public key file paths to install.
+2. Update `inventory/group_vars/proxmox_hosts.yml` with your cluster name (`proxmox_cluster_name`), chosen cluster master, and root public key file paths to install.
 3. First run (no SSH keys yet): use `--ask-pass` **or** set `ansible_password` (prefer Ansible Vault). Keep `ansible_ssh_common_args: "-o StrictHostKeyChecking=accept-new"` in inventory for first-contact hosts.
 4. Run prepare first to install your public keys on each host, then continue:
 

ansible/ansible.cfg

@@ -1,4 +1,6 @@
 [defaults]
+# Inventory lives under **inventory/** — place **group_vars/** next to the inventory file
+# (e.g. **inventory/group_vars/all.yml**) so variables apply to playbooks under **playbooks/**.
 inventory = inventory/localhost.yml
 roles_path = roles
 retry_files_enabled = False

ansible/inventory/group_vars/all.yml

@@ -28,4 +28,4 @@ noble_argocd_apply_root_application: true
 noble_argocd_apply_bootstrap_root_application: true
 
 # Authentik (OIDC IdP) + oauth2-proxy ForwardAuth — set **true** after **.env** has NOBLE_AUTHENTIK_* (see ansible/roles/noble_authentik/README.md).
-noble_authentik_install: false
+noble_authentik_install: true

ansible/roles/noble_authentik/README.md

@@ -5,7 +5,7 @@ Installs **Authentik** (Helm `goauthentik/authentik`) as the cluster IdP, **oaut
 ## Enable
 
 1. Copy repository **`.env.sample`** to **`.env`** and set every **`NOBLE_AUTHENTIK_*`** variable (see comments there).
-2. Set **`noble_authentik_install: true`** in **`ansible/group_vars/all.yml`** (or pass **`-e noble_authentik_install=true`**).
+2. Set **`noble_authentik_install: true`** in **`ansible/inventory/group_vars/all.yml`** (or pass **`-e noble_authentik_install=true`**).
 3. Run **`ansible-playbook playbooks/noble.yml --tags authentik`** (or a full **`noble.yml`**) from **`ansible/`** with a working **`KUBECONFIG`**.
 
 `noble_authentik` runs **after** **`noble_platform`** so Grafana / Headlamp / Prometheus exist before SSO Helm upgrades.

ansible/roles/noble_cert_manager/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-# Warn when **cloudflare-dns-api-token** is missing after apply (also set in **group_vars/all.yml** when loaded).
+# Warn when **cloudflare-dns-api-token** is missing after apply (also set in **inventory/group_vars/all.yml** when loaded).
 noble_cert_manager_require_cloudflare_secret: true
 
 # Helm --wait default (~5m) can expire while startupapicheck waits on webhooks / API (busy or slow pulls).

ansible/roles/noble_post_deploy/tasks/main.yml

@@ -11,6 +11,6 @@
     msg: >-
       App-of-apps: after **noble_platform**, noble.yml runs **noble_argocd** `applications_post_platform.yml`:
       root-application.yaml when noble_argocd_apply_root_application is true; bootstrap-root + **kubectl apply -k
-      argocd/app-of-apps** when noble_argocd_apply_bootstrap_root_application is true (group_vars/all.yml).
+      argocd/app-of-apps** when noble_argocd_apply_bootstrap_root_application is true (inventory/group_vars/all.yml).
       noble-bootstrap-root uses manual sync until you enable automation after the playbook —
       clusters/noble/bootstrap/argocd/README.md §5. See clusters/noble/apps/README.md and that README.

ansible/roles/noble_velero/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-# **noble_velero_install** is in **ansible/group_vars/all.yml**. Override S3 fields via extra-vars or group_vars.
+# **noble_velero_install** is in **ansible/inventory/group_vars/all.yml**. Override S3 fields via extra-vars or group_vars.
 noble_velero_chart_version: "12.0.0"
 
 noble_velero_s3_bucket: ""

clusters/noble/bootstrap/argocd/README.md

@@ -58,7 +58,7 @@ Use **Settings → Repositories** in the UI, or `argocd repo add` / a `Secret` o
 2. Optional add-on apps: add **`Application`** manifests under **`clusters/noble/apps/`** (see **`clusters/noble/apps/README.md`**).
 3. **Bootstrap kustomize** (namespaces, datasource, etc.): **`noble-bootstrap-root`** syncs **`clusters/noble/bootstrap`** (no **`argocd/app-of-apps/`** in that kustomization). Leaf **`Application`** manifests live under **`argocd/app-of-apps/`**; Ansible applies that directory **after** **`noble_platform`** Helm so Argo does not SSA charts first. The root app uses **manual** sync; each leaf app is **manual** until you enable automation (see **§5**).
 
-   **`ansible/playbooks/noble.yml`** (roles **`noble_argocd`** Helm, then **`noble_platform`** — which **include_role**s **`noble_argocd/applications_post_platform`** after Helm) when **`noble_argocd_apply_*`** flags are set in **`ansible/group_vars/all.yml`**.
+   **`ansible/playbooks/noble.yml`** (roles **`noble_argocd`** Helm, then **`noble_platform`** — which **include_role**s **`noble_argocd/applications_post_platform`** after Helm) when **`noble_argocd_apply_*`** flags are set in **`ansible/inventory/group_vars/all.yml`**.
 
    ```bash
    kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml

clusters/noble/bootstrap/authentik/values.yaml

@@ -37,11 +37,12 @@ server:
     ingressClassName: traefik
     annotations:
       cert-manager.io/cluster-issuer: letsencrypt-prod
+    # Chart expects **strings** (FQDNs only); paths come from **server.ingress.paths** / **pathType**.
     hosts:
-      - host: auth.apps.noble.lab.pcenicni.dev
+      - auth.apps.noble.lab.pcenicni.dev
-        paths:
+    paths:
-          - path: /
+      - /
-            pathType: Prefix
+    pathType: Prefix
     tls:
       - secretName: authentik-apps-noble-tls
         hosts:

clusters/noble/bootstrap/velero/README.md

@@ -45,7 +45,7 @@ Or let **Ansible** create it from **`.env`** (`NOBLE_VELERO_AWS_ACCESS_KEY_ID`,
    - **`NOBLE_VELERO_S3_URL`** — S3 API base URL (e.g. `https://minio.lan:9000` or your VersityGW/MinIO endpoint)
    - **`NOBLE_VELERO_AWS_ACCESS_KEY_ID`** / **`NOBLE_VELERO_AWS_SECRET_ACCESS_KEY`** — credentials the AWS plugin uses (S3-compatible access key style)
 
-2. Enable the role: set **`noble_velero_install: true`** in **`ansible/group_vars/all.yml`**, **or** pass **`-e noble_velero_install=true`** on the command line.
+2. Enable the role: set **`noble_velero_install: true`** in **`ansible/inventory/group_vars/all.yml`**, **or** pass **`-e noble_velero_install=true`** on the command line.
 
 3. Run from **`ansible/`** (adjust **`KUBECONFIG`** to your cluster admin kubeconfig):
 
@@ -73,7 +73,7 @@ ansible-playbook playbooks/noble.yml
 
 ## Install (Ansible) — details
 
-1. Set **`noble_velero_install: true`** in **`ansible/group_vars/all.yml`** (or pass **`-e noble_velero_install=true`**).
+1. Set **`noble_velero_install: true`** in **`ansible/inventory/group_vars/all.yml`** (or pass **`-e noble_velero_install=true`**).
 2. Set **`noble_velero_s3_bucket`** and **`noble_velero_s3_url`** via **`.env`** (**`NOBLE_VELERO_S3_*`**) or **`group_vars`** or **`-e`**. Extra-vars override **`.env`**. Optional: **`noble_velero_s3_region`**, **`noble_velero_s3_prefix`**, **`noble_velero_s3_force_path_style`** (defaults match `values.yaml`).
 3. Run **`ansible/playbooks/noble.yml`** (Velero runs after **`noble_platform`**).
 

clusters/noble/secrets/README.md

@@ -29,7 +29,7 @@ export SOPS_AGE_KEY_FILE=/absolute/path/to/home-server/age-key.txt
 sops -d clusters/noble/secrets/newt-pangolin-auth.secret.yaml | kubectl apply -f -
 ```
 
-**Ansible** (`noble.yml`) runs the same decrypt-and-apply step for every `*.yaml` in this directory when **`age-key.txt`** exists and **`noble_apply_sops_secrets`** is true (see `ansible/group_vars/all.yml`).
+**Ansible** (`noble.yml`) runs the same decrypt-and-apply step for every `*.yaml` in this directory when **`age-key.txt`** exists and **`noble_apply_sops_secrets`** is true (see `ansible/inventory/group_vars/all.yml` via **`noble_platform`** defaults).
 
 ## Files