From 7444b3a8c86064d97b4e9900e30ffa1bca66dc2f Mon Sep 17 00:00:00 2001 From: Martyn Date: Thu, 12 Feb 2026 19:47:35 +0100 Subject: [PATCH] Update the readme --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index e69de29..c2db20d 100644 --- a/README.md +++ b/README.md @@ -0,0 +1,20 @@ +# Proxmox talos with secrets encrypted by sops. + +To start from scratch: + +- create new vm in proxmox from the template (which is simply the image factory with qemu and iscsi extensions, nocloud but whatever, metal would work just as well) +- edit in it's IP to the script because I haven't parameterised it yet. +- `scripts/talosctl-apply-with-secrets -e <> -n <>` +- `export TALOSCONFIG=${PWD}/talosconfig` +- `talosctl config endpoints <>` +- `talosctl bootstrap -n <>` +- `talosctl kubeconfig -n <>` + +TODO: parameterise stuff. + +How the secrets stuff works: +`sops` uses age to encrypt the **values** in the yaml file, and `sops exec-file secrets.yaml 'some-command {}' decrypts `secrets.yaml` to a temporary file and runs `some-command` with "{}" replaced by the temporary file, then removes it after the process exits. + +Talos basically says "don't store your config, store patches and just regenerate from the secrets", so you use `talosctl gen-config` (that's in the script) with `--with-secrets` and `--config-patch` with a filename to patch into the yaml. + +And that's it. Apply argo manifests, apply the app-of-apps, and everything else should "just flow".
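Review bot: The quick-start in this hunk cannot be followed as written, because the `<>` placeholders in `scripts/talosctl-apply-with-secrets -e <> -n <>`, `talosctl config endpoints <>`, `talosctl bootstrap -n <>` and `talosctl kubeconfig -n <>` are never explained and the line "edit in it's IP to the script because I haven't parameterised it yet" does not say which script or which variable holds the node IP. Until the TODO is done, please document what `-e` and `-n` take (the endpoint and node addresses of the new VM) and name the line in `scripts/talosctl-apply-with-secrets` that has to be changed, so a reader does not have to grep the script. Two smaller points in the same hunk: `export TALOSCONFIG=${PWD}/talosconfig` writes the generated `talosconfig` into the repository working directory, so the README should say this file holds the cluster client credentials and must not be committed (a `.gitignore` entry alongside `secrets.yaml` handling would be worth mentioning), and the "How the secrets stuff works" paragraph is missing the closing backtick after `'some-command {}'`, which makes the inline code spans in the rest of that sentence render shifted; while there, "it's IP" should be "its IP".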