docs: add env reference, clustering guide, and README improvements

- .env.example: complete env var reference (21 vars, grouped, commented)
- docs/clustering.md: leader/follower/probe setup, aggregation, security
- README: encryption section, clustering summary, upgrading note,
  ALLOW_PRIVATE_TARGETS + ENCRYPTION_KEY in env table, link to .env.example
- .gitignore: add .env to prevent credential leaks

.env.example

@@ -0,0 +1,42 @@
+# ─── uptop configuration ───────────────────────────────────
+# Copy to .env and edit. Only uncomment what you need.
+
+# ─── Core ──────────────────────────────────────────────────
+UPTOP_PORT=23234              # SSH server port
+UPTOP_HTTP_PORT=8080          # HTTP port (status page, push endpoints, metrics)
+UPTOP_DB_TYPE=sqlite          # sqlite or postgres
+UPTOP_DB_DSN=/data/uptop.db   # File path (SQLite) or connection string (Postgres)
+
+# ─── Security ─────────────────────────────────────────────
+# UPTOP_ADMIN_KEY=ssh-ed25519 AAAA... you@host   # Seed first admin user on startup
+# UPTOP_KEYS=/data/authorized_keys                # Path to authorized_keys file (one key per line)
+# UPTOP_SSH_HOST_KEY=/data/.ssh/id_ed25519        # SSH host key path (auto-generated if missing)
+# UPTOP_ENCRYPTION_KEY=                           # AES-256-GCM key for alert credentials (64 hex chars)
+#                                                 # Generate: openssl rand -hex 32
+#                                                 # Without this, alert passwords/tokens stored in plaintext
+# UPTOP_CLUSTER_SECRET=                           # Shared key for cluster API + import/export auth
+
+# ─── Status Page ──────────────────────────────────────────
+# UPTOP_STATUS_ENABLED=false       # Enable public status page at /status
+# UPTOP_STATUS_TITLE=System Status # Status page heading
+
+# ─── TLS ──────────────────────────────────────────────────
+# UPTOP_TLS_CERT=                  # Path to TLS certificate (enables HTTPS)
+# UPTOP_TLS_KEY=                   # Path to TLS private key
+
+# ─── Clustering (leader/follower) ────────────────────────
+# See docs/clustering.md for setup guides.
+# UPTOP_CLUSTER_MODE=leader        # leader, follower, or probe
+# UPTOP_PEER_URL=                  # Leader HTTP URL (required for follower and probe)
+
+# ─── Distributed Probing ─────────────────────────────────
+# UPTOP_NODE_ID=                   # Unique node identifier (required for probe mode)
+# UPTOP_NODE_NAME=                 # Human-readable node name
+# UPTOP_NODE_REGION=               # Region tag (e.g. us-east, eu-west) for monitor routing
+# UPTOP_AGG_STRATEGY=any-down      # How multi-probe results combine: any-down, majority-down, all-down
+
+# ─── Advanced ─────────────────────────────────────────────
+# UPTOP_INSECURE_SKIP_VERIFY=false     # Skip TLS cert verification on monitored targets
+# UPTOP_ALLOW_PRIVATE_TARGETS=false    # Allow monitoring RFC1918/loopback addresses
+# UPTOP_METRICS_PUBLIC=false           # Expose /metrics without auth
+# UPTOP_CORS_ORIGIN=                   # Access-Control-Allow-Origin for /status/json