feat(k3s): replace nginx loadbalancer with kube-vip for control-plane HA

Deploys kube-vip as a DaemonSet on all k3s server nodes, advertising a
VIP (192.168.20.2) via ARP. Eliminates the single-point-of-failure
k3s-loadbalancer VM.

- New kube_vip role: RBAC + DaemonSet templates, TLS SAN cert rotation
- playbooks/kube-vip.yaml: migration playbook (serial=1, idempotent)
- Updated k3s install tasks (server primary/secondary, agent) to use k3s_vip
  instead of the loadbalancer VM IP
- Added k3s_vip: 192.168.20.2 to group_vars (below DHCP range .11-.250)

Migration steps in playbook header comment.

playbooks/kube-vip.yaml

@@ -0,0 +1,18 @@
+---
+# Deploys kube-vip on all k3s server nodes and adds the VIP to their TLS SANs.
+#
+# Migration steps (run once):
+#   1. ansible-playbook playbooks/kube-vip.yaml
+#   2. Update DNS: k3s.seyshiro.de → 192.168.20.2
+#   3. Verify: kubectl get nodes (should work via VIP)
+#   4. Decommission k3s-loadbalancer VM when satisfied
+#
+# The playbook is idempotent — re-running it after migration is safe.
+- name: Deploy kube-vip on k3s server nodes
+  hosts: k3s_server
+  gather_facts: true
+  serial: 1
+  roles:
+    - role: kube_vip
+      tags:
+        - kube_vip