Stop tracking talos kubeconfig; remove Authentik token from git; add Newt kubeseal example

Remove committed talos/kubeconfig (cluster admin credentials). Ignore talos/kubeconfig at repo root.
Replace hardcoded LDAP outpost token with AUTHENTIK_LDAP_OUTPOST_TOKEN from .env.
Document Sealed Secrets workflow for Newt (kubeseal script + README updates). Clarify Talos secrets use talsecret/SOPS, not Sealed Secrets.

Made-with: Cursor

clusters/noble/apps/newt/README.md

@@ -6,7 +6,24 @@ This is the **primary** automation path for **public** hostnames to workloads in
 
 ## 1. Create the Secret
 
-Keys must match `values.yaml` (`PANGOLIN_ENDPOINT`, `NEWT_ID`, `NEWT_SECRET`):
+Keys must match `values.yaml` (`PANGOLIN_ENDPOINT`, `NEWT_ID`, `NEWT_SECRET`).
+
+### Option A — Sealed Secret (safe for GitOps)
+
+With the [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) controller installed (`clusters/noble/apps/sealed-secrets/`), generate a `SealedSecret` from your workstation (rotate credentials in Pangolin first if they were exposed):
+
+```bash
+chmod +x clusters/noble/apps/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh
+export PANGOLIN_ENDPOINT='https://pangolin.pcenicni.dev'
+export NEWT_ID='YOUR_NEWT_ID'
+export NEWT_SECRET='YOUR_NEWT_SECRET'
+./clusters/noble/apps/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh > newt-pangolin-auth.sealedsecret.yaml
+kubectl apply -f newt-pangolin-auth.sealedsecret.yaml
+```
+
+Commit only the `.sealedsecret.yaml` file, not plain `Secret` YAML.
+
+### Option B — Imperative Secret (not in git)
 
 ```bash
 kubectl apply -f clusters/noble/apps/newt/namespace.yaml