# Proxmox talos with secrets encrypted by sops.

To start from scratch:

- create new vm in proxmox from the template (which is simply the image factory with qemu and iscsi extensions, nocloud but whatever, metal would work just as well)
- edit its IP into the script because I haven't parameterised it yet.
- `scripts/talosctl-apply-with-secrets -e <> -n <>`
- `export TALOSCONFIG=${PWD}/talosconfig`
- `talosctl config endpoints <>`
- `talosctl bootstrap -n <>`
- `talosctl kubeconfig -n <>`

TODO: parameterise stuff.

How the secrets stuff works:

`sops` uses age to encrypt the **values** in the yaml file, and `sops exec-file secrets.yaml 'some-command {}'` decrypts `secrets.yaml` to a temporary file and runs `some-command` with "{}" replaced by the temporary file, then removes it after the process exits.

Talos basically says "don't store your config, store patches and just regenerate from the secrets", so you use `talosctl gen config` (that's in the script) with `--with-secrets` and `--config-patch` with a filename to patch into the yaml.

And that's it. Apply argo manifests, apply the app-of-apps, and everything else should "just flow".
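
The `sops exec-file` plus `talosctl gen config` flow described above, as an added sketch that is not the repository's actual `scripts/talosctl-apply-with-secrets`. The file names `secrets.yaml` and `patches/controlplane.yaml`, the cluster name `homelab` and the `https://<endpoint>:6443` cluster endpoint are assumptions.

```shell
#!/bin/sh
# Added sketch, not the repository's scripts/talosctl-apply-with-secrets.
# Assumed names: secrets.yaml (sops-encrypted), patches/controlplane.yaml,
# cluster name "homelab". Arguments must not contain whitespace or quotes.
set -eu

SECRETS=${SECRETS:-secrets.yaml}
PATCH=${PATCH:-patches/controlplane.yaml}
CLUSTER=${CLUSTER:-homelab}

# Build the command sops will run. sops replaces {} with the path of the
# decrypted temporary file, so the plaintext secrets never get a fixed path.
gen_command() {  # $1 = endpoint IP, $2 = output directory
  printf 'talosctl gen config %s https://%s:6443 --with-secrets {} --config-patch @%s --output-types controlplane --output %s/controlplane.yaml' \
    "$CLUSTER" "$1" "$PATCH" "$2"
}

apply_with_secrets() {  # $1 = endpoint IP, $2 = node IP
  # The rendered machine config embeds the decrypted secrets, so keep it in
  # a private directory and delete it when the script exits.
  umask 077
  out=$(mktemp -d)
  trap 'rm -rf "$out"' EXIT
  sops exec-file "$SECRETS" "$(gen_command "$1" "$out")"
  # --insecure: a freshly booted node is in maintenance mode, with no PKI yet.
  talosctl apply-config --insecure -n "$2" -f "$out/controlplane.yaml"
}

# Run only when called with both arguments: <endpoint IP> <node IP>.
if [ "$#" -eq 2 ]; then
  apply_with_secrets "$1" "$2"
fi
```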