- roles/xcpng_update: new role — patches XCP-NG pools via XO REST API
- non-HA pools: pool-level install_patches + restart_hosts
- HA clusters: rolling pool update via JSON-RPC pool.rollingUpdate
- dry run support, patch verification after update
- roles/snapshot: add xcpng_xo hypervisor_type support via XO REST API
- playbooks/xcpng_pool_update.yml: new playbook for XCP-NG pool patching
- inventories/client_template/hosts.yml: add xcpng_hosts group
- scripts/onboard_client.sh: major overhaul
- add --hypervisor proxmox|xcpng|baremetal|mixed
- add --xo-url / --xo-token (falls back to global env)
- webhook no longer required (falls back to N8N_WEBHOOK_URL in env)
- ansible_user changed to ansible-msp-agent with sudo
- xcpng_hosts group in inventory scaffold for xcpng/mixed clients
- hypervisor-appropriate task templates created automatically
- add --dry-run support
- scripts/deploy_agent.sh: new script — bootstrap ansible-msp-agent
- reads hosts.yml to get Linux/Windows hosts
- SSHes as native account, su - to root
- creates ansible-msp-agent user + sudo-nopasswd group
- deploys client key + MSP backup key to agent user and root
- adjusts sshd_config, reloads sshd
- verifies key-based login after bootstrap
- Windows stub with skip + warning
- continues on failure, prints summary
