feat: migrate cluster baseline from Hetzner to Proxmox

Replace Hetzner infrastructure and cloud-provider assumptions with Proxmox
VM clones, kube-vip API HA, and NFS-backed storage. Update bootstrap,
Flux addons, CI workflows, and docs to target the new private Proxmox
baseline while preserving the existing Tailscale, Doppler, Flux, Rancher,
and B2 backup flows.

terraform/variables.tf

@@ -1,19 +1,13 @@
-variable "hcloud_token" {
-  description = "Hetzner Cloud API token"
-  type        = string
-  sensitive   = true
-}
-
 variable "ssh_public_key" {
   description = "Path to SSH public key"
   type        = string
-  default     = "~/.ssh/id_ed25519.pub"
+  default     = "~/.ssh/infra.pub"
 }
 
 variable "ssh_private_key" {
   description = "Path to SSH private key"
   type        = string
-  default     = "~/.ssh/id_ed25519"
+  default     = "~/.ssh/infra"
 }
 
 variable "cluster_name" {
@@ -28,28 +22,112 @@ variable "control_plane_count" {
   default     = 3
 }
 
-variable "control_plane_type" {
-  description = "Hetzner server type for control plane"
-  type        = string
-  default     = "cx23"
+variable "control_plane_cores" {
+  description = "vCPU count for control plane VMs"
+  type        = number
+  default     = 2
+}
+
+variable "control_plane_memory_mb" {
+  description = "Dedicated memory for control plane VMs in MiB"
+  type        = number
+  default     = 4096
+}
+
+variable "control_plane_disk_gb" {
+  description = "Disk size for control plane VMs in GiB"
+  type        = number
+  default     = 32
 }
 
 variable "worker_count" {
   description = "Number of worker nodes"
   type        = number
-  default     = 3
+  default     = 5
 }
 
-variable "worker_type" {
-  description = "Hetzner server type for workers"
-  type        = string
-  default     = "cx33"
+variable "worker_cores" {
+  description = "vCPU count for worker VMs"
+  type        = number
+  default     = 4
 }
 
-variable "location" {
-  description = "Hetzner datacenter location"
+variable "worker_memory_mb" {
+  description = "Dedicated memory for worker VMs in MiB"
+  type        = number
+  default     = 8192
+}
+
+variable "worker_disk_gb" {
+  description = "Disk size for worker VMs in GiB"
+  type        = number
+  default     = 64
+}
+
+variable "proxmox_endpoint" {
+  description = "Proxmox API endpoint without /api2/json suffix"
   type        = string
-  default     = "nbg1"
+  default     = "https://100.105.0.115:8006/"
+}
+
+variable "proxmox_api_token_id" {
+  description = "Proxmox API token ID"
+  type        = string
+  sensitive   = true
+}
+
+variable "proxmox_api_token_secret" {
+  description = "Proxmox API token secret"
+  type        = string
+  sensitive   = true
+}
+
+variable "proxmox_insecure" {
+  description = "Skip TLS verification for the Proxmox API"
+  type        = bool
+  default     = true
+}
+
+variable "proxmox_node_name" {
+  description = "Fixed Proxmox node name for all cluster VMs"
+  type        = string
+  default     = "flex"
+}
+
+variable "proxmox_template_vm_id" {
+  description = "Template VM ID used for linked clones"
+  type        = number
+  default     = 9000
+}
+
+variable "proxmox_clone_full" {
+  description = "Whether to use full clones instead of linked clones"
+  type        = bool
+  default     = false
+}
+
+variable "proxmox_vm_storage_pool" {
+  description = "Proxmox datastore for VM disks"
+  type        = string
+  default     = "Flash"
+}
+
+variable "proxmox_cloud_init_storage_pool" {
+  description = "Proxmox datastore for cloud-init disks"
+  type        = string
+  default     = "Flash"
+}
+
+variable "proxmox_bridge" {
+  description = "Proxmox bridge for cluster VM interfaces"
+  type        = string
+  default     = "vmbr0"
+}
+
+variable "proxmox_ssh_username" {
+  description = "Cloud-init user injected into cloned VMs"
+  type        = string
+  default     = "ubuntu"
 }
 
 variable "allowed_ssh_ips" {
@@ -90,13 +168,55 @@ variable "enable_nodeport_public" {
 variable "network_cidr" {
   description = "CIDR for private network"
   type        = string
-  default     = "10.0.0.0/16"
+  default     = "10.27.27.0/24"
 }
 
 variable "subnet_cidr" {
   description = "CIDR for server subnet"
   type        = string
-  default     = "10.0.1.0/24"
+  default     = "10.27.27.0/24"
+}
+
+variable "proxmox_gateway" {
+  description = "Gateway for cluster VM networking"
+  type        = string
+  default     = "10.27.27.1"
+}
+
+variable "proxmox_dns_servers" {
+  description = "DNS servers configured through cloud-init"
+  type        = list(string)
+  default     = ["1.1.1.1", "8.8.8.8"]
+}
+
+variable "control_plane_ips" {
+  description = "Static IPv4 addresses for control plane VMs"
+  type        = list(string)
+  default     = ["10.27.27.30", "10.27.27.31", "10.27.27.32"]
+}
+
+variable "worker_ips" {
+  description = "Static IPv4 addresses for worker VMs"
+  type        = list(string)
+  default     = ["10.27.27.41", "10.27.27.42", "10.27.27.43", "10.27.27.44", "10.27.27.45"]
+}
+
+variable "control_plane_vm_ids" {
+  description = "Fixed VMIDs for control plane VMs"
+  type        = list(number)
+  default     = [200, 201, 202]
+}
+
+variable "worker_vm_ids" {
+  description = "Fixed VMIDs for worker VMs"
+  type        = list(number)
+  default     = [210, 211, 212, 213, 214]
+}
+
+variable "kube_api_vip" {
+  description = "Virtual IP advertised by kube-vip for the Kubernetes API"
+  type        = string
+  default     = "10.27.27.40"
 }
 
 variable "s3_access_key" {