A place for putting talos config for proxmox machines
patches/controlplane sops, patches and scripts. Woot 2026-02-12 19:17:29 +01:00
scripts remember the port or the kubeconfig command doesn't work 2026-02-12 19:19:37 +01:00
.gitignore sops, patches and scripts. Woot 2026-02-12 19:17:29 +01:00
.sops.yaml sops, patches and scripts. Woot 2026-02-12 19:17:29 +01:00
README.md Update the readme 2026-02-12 19:47:35 +01:00
secrets.yaml sops, patches and scripts. Woot 2026-02-12 19:17:29 +01:00

Proxmox talos with secrets encrypted by sops.

To start from scratch:

  • create new vm in proxmox from the template (which is simply the image factory with qemu and iscsi extensions, nocloud but whatever, metal would work just as well)
  • edit its IP into the script because I haven't parameterised it yet.
  • scripts/talosctl-apply-with-secrets -e <<THE_IP>> -n <<THE_IP>>
  • export TALOSCONFIG=${PWD}/talosconfig
  • talosctl config endpoints <<THE_IP>>
  • talosctl bootstrap -n <<THE_IP>>
  • talosctl kubeconfig -n <<THE_IP>>

TODO: parameterise stuff.

How the secrets stuff works: sops uses age to encrypt the values in the yaml file, and `sops exec-file secrets.yaml 'some-command {}'` decrypts `secrets.yaml` to a temporary file and runs `some-command` with "{}" replaced by the temporary file, then removes it after the process exits.

Talos basically says "don't store your config, store patches and just regenerate from the secrets", so you use `talosctl gen config` (that's in the script) with --with-secrets pointing at the decrypted secrets file and --config-patch with a filename to patch into the yaml.
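
The flow described above with the node IP taken as an argument, as an added example that is not the repository's own scripts/talosctl-apply-with-secrets. The cluster name `homelab`, the patch path `patches/controlplane/patch.yaml` and port 6443 are assumed placeholders.

```shell
#!/bin/sh
# Added example; not the repository's scripts/talosctl-apply-with-secrets.
# CLUSTER and PATCH defaults are assumed placeholders, set by the operator.
set -eu
CLUSTER=${CLUSTER:-homelab}
PATCH=${PATCH:-patches/controlplane/patch.yaml}

# Accept only a dotted-quad IPv4 address. The value is pasted into a command
# string that sops hands to a shell, so anything else is rejected first.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split on dots; safe, input is digits and dots only
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Print the command sops will run; sops substitutes {} with the path of the
# decrypted secrets. Args: node IP, cluster name, patch file.
gen_config_cmd() {
  printf 'talosctl gen config %s https://%s:6443 --with-secrets {} --config-patch @%s --force' "$2" "$1" "$3"
}

main() {
  ip=$1
  valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 2; }
  # Decrypted secrets exist only for the lifetime of the talosctl process.
  sops exec-file secrets.yaml "$(gen_config_cmd "$ip" "$CLUSTER" "$PATCH")"
  # controlplane.yaml and talosconfig now hold plaintext secrets: keep them
  # out of git. --insecure is needed while the node is in maintenance mode.
  talosctl apply-config --insecure -e "$ip" -n "$ip" --file controlplane.yaml
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it from the repository root with the node IP as the only argument; with no argument it only defines the functions.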

And that's it. Apply argo manifests, apply the app-of-apps, and everything else should "just flow".