feat: add SOPS encrypted secrets and enable Flux decryption

- Add .sops.yaml config with age public key
- Encrypt authelia-users, authelia-secrets, vaultwarden-admin
- Enable SOPS decryption in Flux Kustomization (gotk-sync.yaml)
- Secrets are now safe to store in git (encrypted with age)

clusters/lab/secrets/vaultwarden-admin.enc.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+data:
+    ADMIN_TOKEN: ENC[AES256_GCM,data:L2A205PEjydsGcq5f3lZwGkPSYnoBjTruzMMgW1fk4kkxekLlNemmrtuYW4fyK5aXn1XAMmdXNkLaeIpVpekZn6kFXNnMPCRvhG1M3UeRakRl1XQDhjmZQ==,iv:LqZQ6twVcTuzCItFsWMUo4J/CxUv7zVmpqlI9yWf2kk=,tag:9rVdsUyYnPV5y1PaOPQ7TA==,type:str]
+kind: Secret
+metadata:
+    name: vaultwarden-admin
+    namespace: flux-system
+type: Opaque
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1aq4d879wuczrqj48nnw7ktsddrxfr8y8xaf0j0aqteswmsxnfs7sfs9phj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0alEyc3l2MjdjYW5PbkFF
+            U2dGM2IwTkE3MThGZk1CMldxejJVYmxvRTJJCkpMdVVEcjNPajl4TXRpajZJdTN6
+            bXI0em9zenluN0ptbHNYS1RUQ25UYjgKLS0tIDhta0JnMFU2MGN0SWFKRGxHOTY2
+            UTBibmJHR0FKWTMyS2NsM1FmcUVTU1UKvt86R1oeurlBtuUpCC63wi8Wm2IDul21
+            +i3HaSlTkcugg9iCz42x5HHgOlU0LvDNKTkTQnnrUeSp0iX11tDWOw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-19T23:20:45Z"
+    mac: ENC[AES256_GCM,data:ipF3sijq2rbfsfKWzUQomsz1GGrini+jLc9BRg6+z/euN1Hx0VC2NMbokgqzIHBrJGsee7OqG8tu6CbyqEwLSy7SduAP4wa53Apby9tZ2G1GsNY3u7P4Ipj/SZInRnM6KaV2SV8FyywPR2vsQfJkVKjQaDNzO2qAo5/dyZ6+lHU=,iv:2g8pxr/YNA/t3r/nsFk9T8wMaFKp0sXC8V2F87swEqk=,tag:p+bTr1hDtxlwbbT/RuwRbw==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.4