---
- name: SOPS secrets (workstation)
  ansible.builtin.debug:
    msg: |
      Encrypted Kubernetes Secrets live under clusters/noble/secrets/ (Mozilla SOPS + age).
      Private key: age-key.txt at repo root (gitignored).
      See clusters/noble/secrets/README.md and .sops.yaml.
      noble.yml decrypt-applies these when age-key.txt exists.

- name: Argo CD optional root Application (empty app-of-apps)
  ansible.builtin.debug:
    msg: >-
      App-of-apps: noble.yml applies root-application.yaml when
      noble_argocd_apply_root_application is true (group_vars/all.yml).
      Otherwise: kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
      after editing spec.source.repoURL.
      Core platform is Ansible — see clusters/noble/apps/README.md