feat: sync runtime secrets from doppler

README.md

@@ -169,6 +169,7 @@ Set these in your Gitea repository settings (**Settings** → **Secrets** → **
 | `TAILSCALE_TAILNET` | Tailnet domain (e.g., `yourtailnet.ts.net`) |
 | `TAILSCALE_OAUTH_CLIENT_ID` | Tailscale OAuth client ID for Kubernetes Operator |
 | `TAILSCALE_OAUTH_CLIENT_SECRET` | Tailscale OAuth client secret for Kubernetes Operator |
+| `DOPPLER_HETZNERTERRA_SERVICE_TOKEN` | Doppler service token for `hetznerterra` runtime secrets |
 | `GRAFANA_ADMIN_PASSWORD` | Optional admin password for Grafana (auto-generated if unset) |
 | `RUNNER_ALLOWED_CIDRS` | Optional CIDR list for CI runner access if you choose to pass it via tfvars/secrets |
 | `SSH_PUBLIC_KEY` | SSH public key content |
@@ -178,6 +179,19 @@ Set these in your Gitea repository settings (**Settings** → **Secrets** → **
 
 This repo now includes a Flux GitOps layout for phased migration from imperative Ansible applies to continuous reconciliation.
 
+### Runtime secrets
+
+Runtime cluster secrets are moving to Doppler + External Secrets Operator.
+
+- Doppler project: `hetznerterra`
+- Initial auth: service token via `DOPPLER_HETZNERTERRA_SERVICE_TOKEN`
+- First synced secrets:
+  - `GRAFANA_ADMIN_PASSWORD`
+  - `WEAVE_GITOPS_ADMIN_USERNAME`
+  - `WEAVE_GITOPS_ADMIN_PASSWORD_BCRYPT_HASH`
+
+Terraform/bootstrap secrets remain in Gitea Actions secrets and are not managed by Doppler.
+
 ### Repository layout
 
 - `clusters/prod/`: cluster entrypoint and Flux reconciliation objects