Update .env.sample and Ansible configurations to enhance Pangolin Integration API setup. Add detailed comments for environment variables and clarify usage in README. Implement HTTP-01 challenge support in cert-manager configurations for Let's Encrypt, ensuring proper resource management for domain validation.

.env.sample

@@ -13,12 +13,16 @@ NEWT_ID=
 NEWT_SECRET=
 
 # Optional: Pangolin Integration API — automate public HTTP resources + Traefik targets (**noble_pangolin_sync_http_resources=true** in **group_vars**; see **clusters/noble/bootstrap/newt/README.md** §4).
-# NOBLE_PANGOLIN_API_BASE=https://api.your-pangolin.example/v1
+# NOBLE_PANGOLIN_API_BASE=https://api.example.com/v1  # Integration API — separate host from the main Pangolin UI; see clusters/noble/bootstrap/newt/README.md §4
 # NOBLE_PANGOLIN_ORG_ID=
-# NOBLE_PANGOLIN_API_TOKEN=
-# NOBLE_PANGOLIN_SITE_ID=
+# NOBLE_PANGOLIN_API_TOKEN=   # **apiKeyId.apiKeySecret** (one value, dot in the middle) from Organization → API keys — **not** login password; browser cookies do not apply. Alternatively: secret only here + **NOBLE_PANGOLIN_API_KEY_ID** below.
+# NOBLE_PANGOLIN_API_KEY_ID=   # optional; if set, **NOBLE_PANGOLIN_API_TOKEN** may be the secret half only
+# NOBLE_PANGOLIN_SITE_ID=   # numeric siteId, or Pangolin **niceId** (Sites UI slug, e.g. unruly-asian-badger)
 # NOBLE_PANGOLIN_TRAEFIK_IP=192.168.50.211
 # NOBLE_PANGOLIN_TRAEFIK_PORT=443
+# Self-signed Integration API TLS: either trust your CA (preferred) or homelab-only skip verify:
+# NOBLE_PANGOLIN_CA_BUNDLE=/path/to/ca.pem
+# NOBLE_PANGOLIN_INSECURE_SKIP_TLS_VERIFY=true
 
 # Velero — when **noble_velero_install=true**, set bucket + S3 API URL and credentials (see clusters/noble/bootstrap/velero/README.md).
 NOBLE_VELERO_S3_BUCKET=