Refactor Argo CD application management by removing the obsolete root-application.yaml and updating the bootstrap-root-application.yaml to include optional add-on Application manifests from clusters/noble/apps. Adjust documentation to clarify the deployment order and resource ownership, ensuring a streamlined GitOps process with Ansible and Argo CD.

ansible/README.md

@@ -2,7 +2,7 @@
 
 **Narrative walkthrough (Proxmox → Talos → platform → Argo):** [`docs/ansible-getting-started.md`](../docs/ansible-getting-started.md).
 
-Automates [`talos/CLUSTER-BUILD.md`](../talos/CLUSTER-BUILD.md): optional **Talos Phase A** (genconfig → apply → bootstrap → kubeconfig), then **Phase B+** (CNI → add-ons → ingress → Argo CD → Kyverno → observability, etc.). **Trivy Operator** is installed via Argo (**`noble-trivy-operator`** app-of-apps), not **`noble.yml`**. **Argo CD** does not reconcile core charts — optional GitOps starts from an empty [`clusters/noble/apps/kustomization.yaml`](../clusters/noble/apps/kustomization.yaml).
+Automates [`talos/CLUSTER-BUILD.md`](../talos/CLUSTER-BUILD.md): optional **Talos Phase A** (genconfig → apply → bootstrap → kubeconfig), then **Phase B+** (CNI → add-ons → ingress → Argo CD → Kyverno → observability, etc.). **Trivy Operator** is installed via Argo (**`noble-trivy-operator`** app-of-apps), not **`noble.yml`**. **Argo CD** does not reconcile core charts first — optional add-on **`Application`** manifests live under [`clusters/noble/apps/`](../clusters/noble/apps/) and are included when **`noble_platform`** runs **`kubectl apply -k clusters/noble/bootstrap`** (see [`clusters/noble/apps/README.md`](../clusters/noble/apps/README.md)).
 
 ## Order of operations
 
@@ -82,7 +82,7 @@ ansible-playbook playbooks/noble.yml --tags authentik -e noble_authentik_install
 
 ### Variables — `inventory/group_vars/` and role defaults
 
-- **`inventory/group_vars/all.yml`:** **`noble_newt_install`**, **`noble_velero_install`**, **`noble_authentik_install`**, **`noble_cert_manager_require_cloudflare_secret`**, **`noble_argocd_apply_root_application`**, **`noble_argocd_apply_bootstrap_root_application`**, **`noble_k8s_api_server_override`**, **`noble_k8s_api_server_auto_fallback`**, **`noble_k8s_api_server_fallback`**, **`noble_skip_k8s_health_check`**
+- **`inventory/group_vars/all.yml`:** **`noble_newt_install`**, **`noble_velero_install`**, **`noble_authentik_install`**, **`noble_cert_manager_require_cloudflare_secret`**, **`noble_argocd_apply_bootstrap_root_application`**, **`noble_k8s_api_server_override`**, **`noble_k8s_api_server_auto_fallback`**, **`noble_k8s_api_server_fallback`**, **`noble_skip_k8s_health_check`**
 - **`roles/noble_platform/defaults/main.yml`:** **`noble_apply_sops_secrets`**, **`noble_sops_age_key_file`**, **`noble_platform_loki_helm_wait_timeout`**, **`noble_platform_wait_longhorn_csi_before_loki`**, **`noble_platform_longhorn_csi_rollout_timeout`**
 
 ## Roles
@@ -157,7 +157,7 @@ ansible-playbook -i inventory/proxmox.yml playbooks/proxmox_ops.yml
 
 ```bash
 kubectl delete application -n argocd noble-platform noble-kyverno noble-kyverno-policies --ignore-not-found
-kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
+kubectl apply -f clusters/noble/bootstrap/argocd/bootstrap-root-application.yaml
 ```
 
 Then run `playbooks/noble.yml` so Helm state matches git values.

ansible/inventory/group_vars/all.yml

@@ -22,9 +22,7 @@ noble_cert_manager_require_cloudflare_secret: true
 # Velero — set **noble_velero_install: true** plus S3 bucket/URL (and credentials — see clusters/noble/bootstrap/velero/README.md)
 noble_velero_install: false
 
-# Argo CD — apply app-of-apps root Application (clusters/noble/bootstrap/argocd/root-application.yaml). Set false to skip.
-noble_argocd_apply_root_application: true
-# Bootstrap kustomize in Argo (**noble-bootstrap-root** → **clusters/noble/bootstrap**). Applied with manual sync; enable automation after **noble.yml** (see **clusters/noble/bootstrap/argocd/README.md** §5).
+# Bootstrap kustomize in Argo (**noble-bootstrap-root** → **clusters/noble/bootstrap**, includes **clusters/noble/apps**). Applied with manual sync; enable automation after **noble.yml** (see **clusters/noble/bootstrap/argocd/README.md** §5).
 noble_argocd_apply_bootstrap_root_application: true
 
 # Authentik (OIDC IdP) + oauth2-proxy ForwardAuth — set **true** after **.env** has NOBLE_AUTHENTIK_* (see ansible/roles/noble_authentik/README.md).

ansible/roles/noble_argocd/defaults/main.yml

@@ -1,6 +1,3 @@
 ---
-# When true, applies clusters/noble/bootstrap/argocd/root-application.yaml (app-of-apps).
-# Edit spec.source.repoURL in that file if your Git remote differs.
-noble_argocd_apply_root_application: false
 # When true, applies clusters/noble/bootstrap/argocd/bootstrap-root-application.yaml (noble-bootstrap-root; manual sync until README §5).
 noble_argocd_apply_bootstrap_root_application: true

ansible/roles/noble_argocd/tasks/applications_post_platform.yml

@@ -2,18 +2,6 @@
 # Run from **ansible/playbooks/noble.yml** *after* roles **noble_platform**, **noble_authentik**, **noble_velero**
 # (see play **tasks:**). Leaf **Application** CRs must not be reconciled before Ansible Helm finishes, or
 # **argocd-controller** can SSA resources without Helm release metadata (e.g. chart-owned ServiceAccounts).
-- name: Apply Argo CD root Application (app-of-apps)
-  ansible.builtin.command:
-    argv:
-      - kubectl
-      - apply
-      - -f
-      - "{{ noble_repo_root }}/clusters/noble/bootstrap/argocd/root-application.yaml"
-  environment:
-    KUBECONFIG: "{{ noble_kubeconfig }}"
-  when: noble_argocd_apply_root_application | default(false) | bool
-  changed_when: true
-
 - name: Apply Argo CD bootstrap root Application
   ansible.builtin.command:
     argv:

ansible/roles/noble_post_deploy/tasks/main.yml

@@ -6,12 +6,12 @@
       Private key: age-key.txt at repo root (gitignored). See clusters/noble/secrets/README.md
       and .sops.yaml. noble.yml decrypt-applies these when age-key.txt exists.
 
-- name: Argo CD optional root Application (empty app-of-apps)
+- name: Argo CD bootstrap root and leaf Applications
   ansible.builtin.debug:
     msg: >-
       App-of-apps: at the **end** of **noble.yml** (after **noble_platform**, **noble_authentik**,
-      **noble_velero**), **noble_argocd** `applications_post_platform.yml` runs: root-application.yaml when
-      noble_argocd_apply_root_application is true; bootstrap-root + **kubectl apply -k argocd/app-of-apps**
-      when noble_argocd_apply_bootstrap_root_application is true (inventory/group_vars/all.yml).
-      noble-bootstrap-root uses manual sync until you enable automation after the playbook —
+      **noble_velero**), **noble_argocd** `applications_post_platform.yml` applies **bootstrap-root-application.yaml**
+      and **kubectl apply -k argocd/app-of-apps** when **noble_argocd_apply_bootstrap_root_application** is true
+      (inventory/group_vars/all.yml).
+      **noble-bootstrap-root** syncs **clusters/noble/bootstrap** (which includes **clusters/noble/apps**); manual sync until you enable automation after the playbook —
       clusters/noble/bootstrap/argocd/README.md §5. See clusters/noble/apps/README.md and that README.