feat: auto-discover kubeadm node IPs from terraform state

nixos/kubeadm/README.md

@@ -124,10 +124,14 @@ Manual dispatch workflows are available:
 
 Required repository secrets:
 
-- `KUBEADM_SSH_PRIVATE_KEY`
-- `KUBEADM_SSH_USER`
-- `KUBEADM_CP_1_IP`, `KUBEADM_CP_2_IP`, `KUBEADM_CP_3_IP`
-- `KUBEADM_WK_1_IP`, `KUBEADM_WK_2_IP`, `KUBEADM_WK_3_IP`
+- Existing Terraform/backend secrets used by current workflows (`B2_*`, `PM_API_TOKEN_SECRET`, `SSH_KEY_PUBLIC`)
+- SSH private key: prefer `KUBEADM_SSH_PRIVATE_KEY`, fallback to existing `SSH_KEY_PRIVATE`
+
+Optional secrets:
+
+- `KUBEADM_SSH_USER` (defaults to `micqdf`)
+
+Node IPs are auto-discovered from Terraform state outputs (`control_plane_vm_ipv4`, `worker_vm_ipv4`), so you do not need per-node IP secrets.
 
 ## Notes