feat: migrate Atlantis from SOPS to OpenBao for Proxmox token

- Replace sops -d --extract with bao kv get -field in workflow
- Remove .sops.yaml and encrypted proxmox.secrets.yaml
- Update .gitleaks.toml comment (remove SOPS reference)
- Proxmox token now fetched from OpenBao secret/infrastructure/proxmox
  via AppRole authentication (atlantis role)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitleaks.toml

@@ -3,7 +3,7 @@
 
 [allowlist]
   description = "Infrastructure repo allowlist"
-  # Terraform tenant VM passwords are managed by VM Bot and encrypted at rest via SOPS
+  # Terraform tenant VM passwords are managed by VM Bot
   # The .tf files contain passwords needed for Proxmox VM provisioning
   paths = [
     '''environments/production/tenant-vms\.tf''',

.sops.yaml

@@ -1,5 +0,0 @@
-creation_rules:
-  - path_regex: \.secrets\.yaml$
-    age: age1yttnttdpafzn73mf3g8fw4x04444gymwsfrfm99fv9qkcxqzqs7sld8hln
-  - path_regex: secrets/.*\.yaml$
-    age: age1yttnttdpafzn73mf3g8fw4x04444gymwsfrfm99fv9qkcxqzqs7sld8hln

atlantis.yaml

@@ -22,7 +22,7 @@ workflows:
       steps:
         - env:
             name: PROXMOX_VE_API_TOKEN
-            command: "sops -d --extract '[\"proxmox_api_token\"]' proxmox.secrets.yaml"
+            command: "source /secrets/openbao-approle && export BAO_TOKEN=$(bao write -field=token auth/approle/login role_id=$ROLE_ID secret_id=$SECRET_ID) && bao kv get -field=PROXMOX_VE_API_TOKEN secret/infrastructure/proxmox"
         - init
         - plan
         - run: |
@@ -38,6 +38,6 @@ workflows:
       steps:
         - env:
             name: PROXMOX_VE_API_TOKEN
-            command: "sops -d --extract '[\"proxmox_api_token\"]' proxmox.secrets.yaml"
+            command: "source /secrets/openbao-approle && export BAO_TOKEN=$(bao write -field=token auth/approle/login role_id=$ROLE_ID secret_id=$SECRET_ID) && bao kv get -field=PROXMOX_VE_API_TOKEN secret/infrastructure/proxmox"
         - init
         - apply

environments/production/proxmox.secrets.yaml

@@ -1,16 +0,0 @@
-proxmox_api_token: ENC[AES256_GCM,data:Dg8+7TWwsaDuQ9JJPyWBI6pc+6n3tVbg3TsjMx8OIS6R00eVTD6o2rAF6CTyIvLN2MI=,iv:cPq5O1Fl2azbVQST0+piq/3yA0Br6OZhcmkl52p2f5Q=,tag:P/CHM/ufI2xm/W4pr91QIQ==,type:str]
-sops:
-    age:
-        - recipient: age1yttnttdpafzn73mf3g8fw4x04444gymwsfrfm99fv9qkcxqzqs7sld8hln
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUU0MyOEhrWXE1K1V2aUEw
-            VFVkcHMzdnhTSUlhUjQ3b2UxYzhmdHQ5OUhVCkhHRHlFbzlhMkViRmxPTWZCUHJy
-            V3BsYUhmOVRYWEpHWkJrMFFyL1liL3cKLS0tIDB4NWVwN3NhUmoyZWp5Rnk4Yit0
-            VUdrSFVpT0FmTklybFpnOHJYbVdtbDgKzocwM5FdTxgbgL3oi344BH/2Z4oKWDN4
-            mzeExtxt+cg4KGvQXamQIzqwso4j9QrYpOB76EfWhLUL8ijGsdcWlQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-11T07:09:40Z"
-    mac: ENC[AES256_GCM,data:A89cdpQPFOH/x5PBSwdlv1SpupcSi2wp8DiRl6TNMOUDlQfP9d1ThQNE2a1lDG+H1NGDdP7josvERmZ+Y6IIh0QicyQutSizhZXDtPcNIiGBRHaI74g6Ed4TqSSgrbkZ253JGPvZqzcQOHUrfHykKJavYitHYMbQxwEUKTbamKM=,iv:PIg3H0T0IUgwDa6HjZLFghfxjUwF/8Km1x16cDlvnvQ=,tag:Oe8LU8q8lZDMI66xusZw7A==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.11.0