diff --git a/flake.nix b/flake.nix
index 5a5447f..a660617 100644
--- a/flake.nix
+++ b/flake.nix
@@ -46,6 +46,8 @@
 ffmpeg
 nodejs_22
 nodePackages.wrangler
+ agenix
+ tea
 uv
 git
 just
@@ -73,6 +75,8 @@
 pkg-config
 openssl
 ffmpeg
+ agenix
+ tea
 git
 ];
diff --git a/scripts/deploy-workers.sh b/scripts/deploy-workers.sh
index 9e60967..fbfb6fe 100755
--- a/scripts/deploy-workers.sh
+++ b/scripts/deploy-workers.sh
@@ -8,6 +8,7 @@ cd "${root}"
 # Prefer setting env vars directly in CI (`CLOUDFLARE_API_TOKEN`).
 token_file="${EVERY_CHANNEL_CF_TOKEN_FILE:-}"
 account_file="${EVERY_CHANNEL_CF_ACCOUNT_FILE:-}"
+agenix_secret="${EVERY_CHANNEL_CF_TOKEN_AGE_SECRET:-secrets/cloudflare-api-token.age}"
 if [[ -z "${CLOUDFLARE_API_TOKEN:-}" && -n "${token_file}" && -f "${token_file}" ]]; then
 export CLOUDFLARE_API_TOKEN
@@ -19,6 +20,11 @@ if [[ -z "${CLOUDFLARE_ACCOUNT_ID:-}" && -n "${account_file}" && -f "${account_f
 CLOUDFLARE_ACCOUNT_ID="$(cat "${account_file}")"
 fi
+if [[ -z "${CLOUDFLARE_API_TOKEN:-}" && -f "${agenix_secret}" && -x "$(command -v agenix)" ]]; then
+ export CLOUDFLARE_API_TOKEN
+ CLOUDFLARE_API_TOKEN="$(agenix -d "${agenix_secret}")"
+fi
+
 if [[ -z "${CLOUDFLARE_API_TOKEN:-}" ]]; then
 echo "error: CLOUDFLARE_API_TOKEN is not set" >&2
 exit 2
diff --git a/scripts/tea-login-codeberg.sh b/scripts/tea-login-codeberg.sh
new file mode 100755
index 0000000..ecde576
--- /dev/null
+++ b/scripts/tea-login-codeberg.sh
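Review bot: The new fallback runs `agenix -d "${agenix_secret}"` from the repo root (after `cd "${root}"`), while secrets/README.md in this same commit documents `cd secrets && agenix -d cloudflare-api-token.age`; as far as I know agenix resolves its rules file from `RULES` (default `./secrets.nix` in the current directory) and looks the given path up as a key in it, so the root-relative call would most likely find no rule for `secrets/cloudflare-api-token.age` and fail. Decrypting from the secret's own directory keeps the script consistent with the README: `CLOUDFLARE_API_TOKEN="$(cd "$(dirname "${agenix_secret}")" && agenix -d "$(basename "${agenix_secret}")")"`. The same root-relative invocation appears in the new scripts/tea-login-codeberg.sh. As a point of style, `-x "$(command -v agenix)"` is the less conventional spelling of `command -v agenix >/dev/null`, and a one-line comment on why the agenix path comes after the token-file path (local convenience, never CI) would document the intent the README states.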
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "${root}"
+
+# Forgejo CLI: `tea` (Gitea-compatible)
+#
+# Auth token source order:
+# 1) CODEBERG_TOKEN env var
+# 2) `agenix -d secrets/codeberg-token.age` (optional)
+
+if [[ -z "${CODEBERG_TOKEN:-}" && -f secrets/codeberg-token.age && -x "$(command -v agenix)" ]]; then
+ export CODEBERG_TOKEN
+ CODEBERG_TOKEN="$(agenix -d secrets/codeberg-token.age)"
+fi
+
+if [[ -z "${CODEBERG_TOKEN:-}" ]]; then
+ echo "error: CODEBERG_TOKEN is not set" >&2
+ echo "hint: set CODEBERG_TOKEN or create secrets/codeberg-token.age via agenix" >&2
+ exit 2
+fi
+
+# Name the login "codeberg" and point at https://codeberg.org.
+tea login add --name codeberg --url https://codeberg.org --token "${CODEBERG_TOKEN}" --insecure=false
+echo "tea configured. Try: tea repo ls"
+
diff --git a/secrets/README.md b/secrets/README.md
new file mode 100644
index 0000000..434cb4b
--- /dev/null
+++ b/secrets/README.md
@@ -0,0 +1,38 @@
+# Secrets (agenix)
+
+This repo supports optional local secrets management via `agenix`.
+
+CI should prefer Forgejo Actions secrets (e.g. `CLOUDFLARE_API_TOKEN`) rather than decrypting secrets in runners.
+
+## Files
+
+- `secrets/secrets.nix`: recipients + secret file mapping
+- `secrets/cloudflare-api-token.age`: encrypted Cloudflare API token (optional)
+- `secrets/codeberg-token.age`: encrypted Codeberg/Forgejo token for `tea` (optional)
+
+## Create / edit secrets (local)
+
+Enter the dev shell:
+
+```sh
+nix develop
+```
+
+Encrypt (create) a secret:
+
+```sh
+cd secrets
+agenix -e cloudflare-api-token.age
+```
+
+Decrypt (inspect) a secret:
+
+```sh
+cd secrets
+agenix -d cloudflare-api-token.age
+```
+
+## Decryption identity
+
+`agenix` decrypts using your local SSH key material. The private key must be available locally but is never committed to the repo.
+
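Review bot: `tea login add ... --token "${CODEBERG_TOKEN}"` is the one place this script moves the secret out of the environment and into a process argument list, where it is readable by other local users via `ps` for the duration of the call and would be printed verbatim if anyone runs the script with `set -x`. If tea provides a non-argv way to supply the token, prefer it; otherwise record the exposure next to the call, e.g. `# Token is passed as argv and is visible in process listings while tea runs; never trace this script with set -x.`. The decrypt block above also runs `agenix -d secrets/codeberg-token.age` from the repo root while the README in this commit decrypts from inside secrets/; see the note on scripts/deploy-workers.sh for the same point. The header comment's "source order" list could additionally state that a failed decrypt aborts under `set -e` rather than falling through to the "is not set" hint, since that is what the code does.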
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..7e956dc
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,9 @@
+let
+ # Founder SSH public key (recipient). Safe to commit.
+ founder = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJCBTSEEcBOhOkf3WF1e8xmblAZHvgTibFsqck2GY8D/";
+in
+{
+ "cloudflare-api-token.age".publicKeys = [ founder ];
+ "codeberg-token.age".publicKeys = [ founder ];
+}
+
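Review bot: Both secrets list a single recipient, `founder`, so loss or rotation of that one SSH key leaves no way to decrypt or re-encrypt either file; a second recipient (a backup identity, or the key of anyone else who needs to deploy locally) is the usual safeguard, and adding one later means re-encrypting the existing `.age` files with `agenix -r`. If one recipient is deliberate for now, say so in the file so the next person does not assume an omission, e.g. `# Single recipient by design; add a backup identity here and run agenix -r before relying on these secrets.`.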