Fix snapshot role — XO REST API, fix playbook host targeting

- roles/snapshot/tasks/main.yml: replace xe CLI with XO REST API
  - POST /rest/v0/vms/<uuid>/actions/snapshot?sync=true
  - stores returned snapshot UUID as snapshot_id
  - baremetal: skips gracefully with warning
- playbooks/snapshot_pre.yml: target linux_hosts only (was all)
- playbooks/linux_patch.yml: remove snapshot + report roles (snapshot is separate step)
- playbooks/site_maintenance.yml: remove bootstrap play (handled per-playbook),
  remove windows_patch import (WinRM not implemented)

playbooks/linux_patch.yml

@@ -1,4 +1,10 @@
 ---
+# =============================================================================
+# playbooks/linux_patch.yml
+# Linux-only patch run. Snapshots should be taken separately via snapshot_pre.yml
+# before running this playbook, or use site_maintenance.yml for the full sequence.
+# =============================================================================
+
 - name: Bootstrap — ensure Python is available
   hosts: linux_hosts
   gather_facts: false
@@ -9,7 +15,6 @@
   hosts: linux_hosts
   gather_facts: true
   roles:
-    - snapshot
     - preflight
     - linux_patch
-    - report
+    #- report

playbooks/site_maintenance.yml

@@ -1,11 +1,16 @@
 ---
-- name: Bootstrap — ensure Python is available
-  hosts: all
-  gather_facts: false
-  tasks:
-    - ansible.builtin.import_tasks: ../roles/preflight/tasks/bootstrap.yml
+# =============================================================================
+# playbooks/site_maintenance.yml
+# Full maintenance sequence:
+#   1. Snapshot guest VMs (linux_hosts via XO/Proxmox API)
+#   2. Preflight safety checks (linux_hosts + xcpng_hosts)
+#   3. Linux patching (linux_hosts)
+#
+# Windows hosts are excluded — WinRM patching not yet implemented.
+# XCP-NG pool updates are a separate template (xcpng_pool_update.yml)
+# and should be run before this playbook during a maintenance window.
+# =============================================================================
 
 - import_playbook: snapshot_pre.yml
 - import_playbook: site_preflight.yml
 - import_playbook: linux_patch.yml
-- import_playbook: windows_patch.yml

playbooks/snapshot_pre.yml

@@ -1,12 +1,21 @@
 ---
+# =============================================================================
+# playbooks/snapshot_pre.yml
+# Pre-patch snapshots for Linux guest VMs via hypervisor API.
+# Targets linux_hosts only — snapshots taken per-VM before patching.
+# XCP-NG: uses XO REST API (xcpng_vm_uuid required per host)
+# Proxmox: uses community.general.proxmox_snap (proxmox_vmid required per host)
+# Baremetal: snapshot tasks skipped automatically (no hypervisor_type match)
+# =============================================================================
+
 - name: Bootstrap — ensure Python is available
-  hosts: all
+  hosts: linux_hosts
   gather_facts: false
   tasks:
     - ansible.builtin.import_tasks: ../roles/preflight/tasks/bootstrap.yml
 
 - name: Pre-patch snapshot
-  hosts: all
+  hosts: linux_hosts
   gather_facts: true
   roles:
     - snapshot