updating to match everything in my homelab.

diagrams/secrets-management.mmd

@@ -0,0 +1,51 @@
+```plaintext
+%% Secrets Management Strategy (ADR-0017)
+%% Flowchart showing dual secret paths: SOPS bootstrap vs Vault runtime
+
+flowchart TB
+    subgraph bootstrap["🚀 Bootstrap Secrets (Git-encrypted)"]
+        direction TB
+        sops_files["*.sops.yaml<br/>📄 Encrypted in Git"]
+        age_key["🔑 Age Key<br/>(backed up externally)"]
+        sops_dec["SOPS Decryption"]
+        flux_dec["Flux Controller"]
+        bs_secrets["🔐 Bootstrap Secrets<br/>• Talos machine secrets<br/>• GitHub deploy key<br/>• Initial Vault unseal"]
+    end
+
+    subgraph runtime["⚙️ Runtime Secrets (Vault-managed)"]
+        direction TB
+        vault["🏦 HashiCorp Vault<br/>HA (3 replicas) + Raft"]
+        eso["External Secrets<br/>Operator"]
+        app_secrets["🔑 Application Secrets<br/>• Database credentials<br/>• API keys<br/>• OAuth secrets"]
+    end
+
+    subgraph apps["📦 Applications"]
+        direction TB
+        pods["Workload Pods"]
+    end
+
+    %% Bootstrap flow
+    sops_files -->|"Commit to Git"| flux_dec
+    age_key -->|"Decrypts"| sops_dec
+    flux_dec --> sops_dec
+    sops_dec -->|"Creates"| bs_secrets
+
+    %% Runtime flow
+    vault -->|"ExternalSecret CR"| eso
+    eso -->|"Syncs to"| app_secrets
+
+    %% Consumption
+    bs_secrets -->|"Mounted"| pods
+    app_secrets -->|"Mounted"| pods
+
+    classDef bootstrap fill:#3498db,color:white
+    classDef vault fill:#27ae60,color:white
+    classDef secrets fill:#e74c3c,color:white
+    classDef app fill:#9b59b6,color:white
+
+    class sops_files,age_key,sops_dec,flux_dec bootstrap
+    class vault,eso vault
+    class bs_secrets,app_secrets secrets
+    class pods app
+
+```