docs: describe Libvirt VM network topology and storage architecture
Document how VMs are provisioned, networked, and how persistent storage is attached.
## Dual NIC Topology
Each VM is configured with two network interfaces:
- `HostOnly` network: isolated private network for secure inter-service communication.
- `NAT` bridge network: provides outbound access to external registries and proxy mirrors.
This isolates control plane traffic from external internet access paths.
## Direct Storage Pools (Layer `05-foundation-volume`)
- Raw block volumes are created as Libvirt volumes and attached as `/dev/vdb` on database and storage nodes.
- Decouples the OS partition (`/dev/vda`) from persistent application data.
- Enables volume lifecycle management (resize, snapshot) independently of VM images.
## Acceptance Criteria
- [ ] Network topology diagram showing HostOnly vs NAT interfaces per VM class.
- [ ] Description of storage pool configuration and the `/dev/vda` vs `/dev/vdb` split.
issue