ci: switch deploy secrets to age key workflow

2026-02-16 00:59:52 -05:00 · 2026-02-16 00:59:52 -05:00 · 4dbd831d0b
commit 4dbd831d0b
parent d6a9af8f1e
10 changed files with 186 additions and 30 deletions
--- a/secrets/README.md
+++ b/secrets/README.md
@ -1,13 +1,21 @@
 # Secrets (agenix)

-This repo supports optional local secrets management via `agenix`.
+This repo supports local + CI secrets management via `agenix`/`age`.

-CI should prefer Forgejo Actions secrets (e.g. `CLOUDFLARE_API_TOKEN`) rather than decrypting secrets in runners.
+CI deploys use one Forgejo Actions secret:
+
+- `AGE_FORGE_SSH_KEY`: SSH private key used to decrypt repo-tracked `.age` files.
+
+Set/update it with:
+
+```sh
+nix develop -c ./scripts/fj-set-age-key-secret.sh ~/.config/every.channel/keys/forge_ci_ed25519
+```

 ## Files

 - `secrets/secrets.nix`: recipients + secret file mapping
- `secrets/cloudflare-api-token.age`: encrypted Cloudflare API token (optional)
+- `secrets/cloudflare-api-token.age`: encrypted Cloudflare API token (used by deploy workflow)
 - `secrets/codeberg-token.age`: encrypted Codeberg/Forgejo token for `fj` (optional)

 ## Create / edit secrets (local)
@ -32,4 +40,4 @@ agenix -d secrets/cloudflare-api-token.age

 ## Decryption identity

-`agenix` decrypts using your local SSH key material. The private key must be available locally but is never committed to the repo.
+`agenix`/`age` decrypts using SSH private key material. The private key must be available locally (or injected as CI secret) and is never committed to the repo.
--- a/secrets/cloudflare-api-token.age
+++ b/secrets/cloudflare-api-token.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 29OJ4A zgIVFl3ybukZblX6BIQwL+safny154q0FzRS4KTXV3w
+4u7A8ymx0dZQE7oKnzdzWtObT+BZV1HtPiWDHW9WGWA
+-> ssh-ed25519 E6Q+Lw WwMbUn454lqkAZtt9GOGWZAl4dvZ2YEQatK3rViz6DM
+VD3c+PxIwZ9cZmv7U2bXFiN1UlTQYImbeap1v2MvnBw
+--- gH+1U1LQN7CB7L2Tk7oLwgWjnqfFTNVau3NJSJUAEJ8
+,™)ò,ÍMMø!ËçééÈ4½Þ¯i	žgÄ<67>GÙj—â›½ËR¡§Ø:©¶vj€oÕ¯tlåÊ¬ZÀÜ)Öï•N”Éju<6A>‚Û©
--- a/secrets/codeberg-token.age
+++ b/secrets/codeberg-token.age
@ -1,5 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 29OJ4A G6byj6PhWofxSh8K5FGSqBs5W5uKtyJ2MGY1JFb+STc
-d25eWVNmz2+0zKVVRZ/Pib4YZClhJrML6s3hbLh9rMU
--- t/6aoMSRLI8vay71VugNOGwKHjHteiC+SinD6gQARYM
-¹ˆ8ùEÉâò /‚³?á¢¿wÝØJlSñæäíz<C3AD>i–8Ç)†äÿƒ`ã;Bæ4LåÑT„Àö?£;ãÀzÇšÐé\
+-> ssh-ed25519 29OJ4A 0tKPVpGaDJTMMhyy9/+rswkNttrVhttZFM6ORiMapjk
+/EVUgqbde8gJQubCzOeTfVIeE1VYF4W681LxfA1fp0k
+-> ssh-ed25519 E6Q+Lw Wn4IY+Flb2mpZFWg/iMGSua298EEiBJgMqdnv+BCkA4
+hZBMEYsq9GCLLAh6KXaJbNSs3sks/oH74hoQUPDvMKM
+--- m5RYGCTBkYSET5SfeqdOhfLij9sPDzglIPwVnmaEeGA
+c$ÚýŸ2tÒ<74>¡0ºàé3êïßU+u žõ7kU<6B>o")Š¾À¦Z¢BiÀÉÃö‰TA*ßy‰LÖ|û=ñlÑšÌî/BîP