Add 1Password Connect + External Secrets to ringtail k3s

Deploy the full ESO stack on ringtail, matching the indri pattern:
- 4 ArgoCD apps (1password-connect, external-secrets-crds, external-secrets,
  external-secrets-config) targeting ringtail k3s cluster
- ExternalSecret for forgejo-runner-amd64 token (replaces Ansible-managed secret)
- Ansible playbook bootstraps 1Password Connect credentials instead of
  directly managing runner tokens

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/reference/infrastructure/ringtail.md

@@ -55,6 +55,12 @@ Ringtail runs a single-node k3s cluster for native amd64 workloads, registered i
 - **Token:** `/etc/k3s/token` (generated on first provision)
 - **Kubeconfig:** `/etc/rancher/k3s/k3s.yaml` (world-readable via `--write-kubeconfig-mode=644`)
 
+### Secrets Management
+
+1Password Connect + External Secrets Operator syncs secrets from 1Password to k8s, matching the [[1password|indri pattern]]. Bootstrap credentials (`op-credentials`, `onepassword-token`) are provisioned by Ansible; ArgoCD manages the operator stack.
+
+Sync order: `1password-connect-ringtail` -> `external-secrets-crds-ringtail` -> `external-secrets-ringtail` -> `external-secrets-config-ringtail`
+
 ### Workloads
 
 | Workload | Namespace | Label |