Fix 1Password secret tasks always reporting changed in ringtail playbook (#213)

## Summary
- Replace `changed_when: true` with `register` + output inspection on the two 1Password secret tasks in `ringtail.yml`
- Tasks now correctly report `ok` when the secret content hasn't changed, and `changed` only when `kubectl apply` outputs `configured` or `created`

## Test plan
- [ ] Run `mise run provision-ringtail` twice — second run should show both tasks as `ok` not `changed`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/213

ansible/playbooks/ringtail.yml

@@ -100,7 +100,8 @@
             --from-literal=1password-credentials.json='{{ _op_credentials.stdout }}' \
             --dry-run=client -o yaml | k3s kubectl apply -f -
         executable: /run/current-system/sw/bin/bash
-      changed_when: true
+      register: _op_credentials_apply
+      changed_when: "'configured' in _op_credentials_apply.stdout or 'created' in _op_credentials_apply.stdout"
       no_log: true
 
     - name: Create or update onepassword-token secret
@@ -112,5 +113,6 @@
             --from-literal=token={{ _op_token.stdout }} \
             --dry-run=client -o yaml | k3s kubectl apply -f -
         executable: /run/current-system/sw/bin/bash
-      changed_when: true
+      register: _op_token_apply
+      changed_when: "'configured' in _op_token_apply.stdout or 'created' in _op_token_apply.stdout"
       no_log: true

docs/changelog.d/fix-ringtail-1password-secrets-idempotent.bugfix.md

@@ -0,0 +1 @@
+Make 1Password secret tasks in ringtail playbook idempotent by checking kubectl apply output instead of always reporting changed.