dev: add tea + agenix; optional agenix tokens

2026-02-15 17:20:58 -05:00 · 2026-02-15 17:20:58 -05:00 · 810556aa99
commit 810556aa99
parent b16a26c014
5 changed files with 84 additions and 0 deletions
--- a/secrets/README.md
+++ b/secrets/README.md
@ -0,0 +1,38 @@
+# Secrets (agenix)
+
+This repo supports optional local secrets management via `agenix`.
+
+CI should prefer Forgejo Actions secrets (e.g. `CLOUDFLARE_API_TOKEN`) rather than decrypting secrets in runners.
+
+## Files
+
+- `secrets/secrets.nix`: recipients + secret file mapping
+- `secrets/cloudflare-api-token.age`: encrypted Cloudflare API token (optional)
+- `secrets/codeberg-token.age`: encrypted Codeberg/Forgejo token for `tea` (optional)
+
+## Create / edit secrets (local)
+
+Enter the dev shell:
+
+```sh
+nix develop
+```
+
+Encrypt (create) a secret:
+
+```sh
+cd secrets
+agenix -e cloudflare-api-token.age
+```
+
+Decrypt (inspect) a secret:
+
+```sh
+cd secrets
+agenix -d cloudflare-api-token.age
+```
+
+## Decryption identity
+
+`agenix` decrypts using your local SSH key material. The private key must be available locally but is never committed to the repo.
+
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,9 @@
+let
+  # Founder SSH public key (recipient). Safe to commit.
+  founder = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJCBTSEEcBOhOkf3WF1e8xmblAZHvgTibFsqck2GY8D/";
+in
+{
+  "cloudflare-api-token.age".publicKeys = [ founder ];
+  "codeberg-token.age".publicKeys = [ founder ];
+}
+