dev: add tea + agenix; optional agenix tokens
This commit is contained in:
parent
b16a26c014
commit
810556aa99
5 changed files with 84 additions and 0 deletions
38
secrets/README.md
Normal file
@ -0,0 +1,38 @@
# Secrets (agenix)
This repo supports optional local secrets management via `agenix`.
CI should prefer Forgejo Actions secrets (e.g. `CLOUDFLARE_API_TOKEN`) rather than decrypting secrets in runners.
## Files
- `secrets/secrets.nix`: recipients + secret file mapping
- `secrets/cloudflare-api-token.age`: encrypted Cloudflare API token (optional)
- `secrets/codeberg-token.age`: encrypted Codeberg/Forgejo token for `tea` (optional)
## Create / edit secrets (local)
Enter the dev shell:
```sh
nix develop
```
Encrypt (create) a secret:
```sh
cd secrets
agenix -e cloudflare-api-token.age
```
Decrypt (inspect) a secret:
```sh
cd secrets
agenix -d cloudflare-api-token.age
```
## Decryption identity
`agenix` decrypts using your local SSH key material. The private key must be available locally but is never committed to the repo.
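Review bot: The "Decryption identity" paragraph at the end of the hunk should name the key `agenix` actually uses, and the "Create / edit secrets" section should cover adding a recipient, since `secrets/secrets.nix` is listed under "Files" but the workflow for changing it is never described. Suggest stating that `agenix` reads `~/.ssh/id_ed25519` or `~/.ssh/id_rsa` by default and takes `-i <private key>` for another identity, and adding a step along the lines of "add the new public key to `secrets/secrets.nix`, then run `agenix -r` to rekey every `.age` file". Worth a caveat there too: removing a recipient and rekeying only protects future ciphertexts, so a token that a former recipient could already decrypt has to be rotated at Cloudflare or Codeberg, not just rekeyed. Under "Decrypt (inspect) a secret", note that `agenix -d` writes the plaintext to stdout, so it should not be redirected into a tracked file; only the `.age` files belong in the repo.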