every-channel/every.channel
1
0
Fork 0
Code Releases Activity Actions 2

ECP-0061: agenix secrets for local dev tokens

Browse source
This commit is contained in:
every.channel 2026-02-15 17:21:23 -05:00
parent 810556aa99
commit 6cb4a9e401
No known key found for this signature in database
1 changed files with 40 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

40
evolution/proposals/ECP-0061-agenix-secrets.md Normal file
View file

@ -0,0 +1,40 @@
# ECP-0061: agenix Secrets (Local Dev Convenience)
Status: Draft
## Goal
Provide a simple, repo-native way to manage a small set of long-lived tokens for local development without committing plaintext secrets:
- Cloudflare API token (local `wrangler deploy`)
- Codeberg token (optional; for `tea` CLI)
## Non-Goals
- CI secrets management (CI should use Forgejo Actions secrets).
- A general secret distribution scheme for the network protocol.
## Proposal
1. Add `secrets/` using `agenix`:
- `secrets/secrets.nix` maps secret filenames to recipients.
- Encrypted files (optional, not required to exist):
- `secrets/cloudflare-api-token.age`
- `secrets/codeberg-token.age`
2. Add tools to the nix dev shell:
- `agenix`
- `tea` (Forgejo/Gitea-compatible CLI)
3. Update scripts to use these secrets opportunistically:
- `scripts/deploy-workers.sh` loads `CLOUDFLARE_API_TOKEN` via `agenix -d` when present.
- `scripts/tea-login-codeberg.sh` configures `tea` using `CODEBERG_TOKEN` (env) or `agenix`.
## Rationale
`agenix` keeps sensitive tokens out of git while still being easy to use on a single machine.
CI remains clean and auditable by using the platform's secret store.
## Rollout / Reversibility
- Additive. If a developer doesn't use `agenix`, nothing breaks.
- Easy to remove later if a different secret system is adopted.