feat(k3s): replace nginx loadbalancer with kube-vip for control-plane HA

Deploys kube-vip as a DaemonSet on all k3s server nodes, advertising a
VIP (192.168.20.2) via ARP. Eliminates the single-point-of-failure
k3s-loadbalancer VM.

- New kube_vip role: RBAC + DaemonSet templates, TLS SAN cert rotation
- playbooks/kube-vip.yaml: migration playbook (serial=1, idempotent)
- Updated k3s install tasks (server primary/secondary, agent) to use k3s_vip
  instead of the loadbalancer VM IP
- Added k3s_vip: 192.168.20.2 to group_vars (below DHCP range .11-.250)

Migration steps in playbook header comment.

roles/k3s_server/tasks/primary_installation.yaml

@@ -8,7 +8,7 @@
 - name: Install K3s server with and TLS SAN
   ansible.builtin.command: |
     /tmp/k3s_install.sh server \
-    --cluster-init
-    --tls-san {{ hostvars['k3s-loadbalancer'].ansible_default_ipv4.address }} \
+    --cluster-init \
+    --tls-san {{ k3s_vip }} \
     --tls-san {{ k3s_server_name }}
   become: true

roles/k3s_server/tasks/secondary_installation.yaml

@@ -13,8 +13,8 @@
 - name: Install K3s on the secondary servers
   ansible.builtin.command: |
     /tmp/k3s_install.sh \
-    --server "https://{{ hostvars['k3s-loadbalancer'].ansible_default_ipv4.address }}:{{ k3s.loadbalancer.default_port }}" \
-    --tls-san {{ hostvars['k3s-loadbalancer'].ansible_default_ipv4.address }} \
+    --server "https://{{ k3s_vip }}:{{ k3s.loadbalancer.default_port }}" \
+    --tls-san {{ k3s_vip }} \
     --tls-san {{ k3s_server_name }}
   environment:
     K3S_TOKEN: "{{ k3s_token_vault.k3s_token }}"