home-server/ansible/roles/noble_post_deploy/tasks/main.yml

---
- name: SOPS secrets (workstation)
  ansible.builtin.debug:
    msg: |
      Encrypted Kubernetes Secrets live under clusters/noble/secrets/ (Mozilla SOPS + age).
      Private key: age-key.txt at repo root (gitignored). See clusters/noble/secrets/README.md
      and .sops.yaml. noble.yml decrypt-applies these when age-key.txt exists.

- name: Argo CD optional root Application (empty app-of-apps)
  ansible.builtin.debug:
    msg: >-
      Optional: kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
      after editing repoURL. Core workloads are not synced by Argo — see clusters/noble/apps/README.md