dev: add tea + agenix; optional agenix tokens

flake.nix

@@ -46,6 +46,8 @@
             ffmpeg
             nodejs_22
             nodePackages.wrangler
+            agenix
+            tea
             uv
             git
             just
@@ -73,6 +75,8 @@
             pkg-config
             openssl
             ffmpeg
+            agenix
+            tea
             git
           ];
 

scripts/deploy-workers.sh

@@ -8,6 +8,7 @@ cd "${root}"
 # Prefer setting env vars directly in CI (`CLOUDFLARE_API_TOKEN`).
 token_file="${EVERY_CHANNEL_CF_TOKEN_FILE:-}"
 account_file="${EVERY_CHANNEL_CF_ACCOUNT_FILE:-}"
+agenix_secret="${EVERY_CHANNEL_CF_TOKEN_AGE_SECRET:-secrets/cloudflare-api-token.age}"
 
 if [[ -z "${CLOUDFLARE_API_TOKEN:-}" && -n "${token_file}" && -f "${token_file}" ]]; then
   export CLOUDFLARE_API_TOKEN
@@ -19,6 +20,11 @@ if [[ -z "${CLOUDFLARE_ACCOUNT_ID:-}" && -n "${account_file}" && -f "${account_f
   CLOUDFLARE_ACCOUNT_ID="$(cat "${account_file}")"
 fi
 
+if [[ -z "${CLOUDFLARE_API_TOKEN:-}" && -f "${agenix_secret}" && -x "$(command -v agenix)" ]]; then
+  export CLOUDFLARE_API_TOKEN
+  CLOUDFLARE_API_TOKEN="$(agenix -d "${agenix_secret}")"
+fi
+
 if [[ -z "${CLOUDFLARE_API_TOKEN:-}" ]]; then
   echo "error: CLOUDFLARE_API_TOKEN is not set" >&2
   exit 2

scripts/tea-login-codeberg.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "${root}"
+
+# Forgejo CLI: `tea` (Gitea-compatible)
+#
+# Auth token source order:
+# 1) CODEBERG_TOKEN env var
+# 2) `agenix -d secrets/codeberg-token.age` (optional)
+
+if [[ -z "${CODEBERG_TOKEN:-}" && -f secrets/codeberg-token.age && -x "$(command -v agenix)" ]]; then
+  export CODEBERG_TOKEN
+  CODEBERG_TOKEN="$(agenix -d secrets/codeberg-token.age)"
+fi
+
+if [[ -z "${CODEBERG_TOKEN:-}" ]]; then
+  echo "error: CODEBERG_TOKEN is not set" >&2
+  echo "hint: set CODEBERG_TOKEN or create secrets/codeberg-token.age via agenix" >&2
+  exit 2
+fi
+
+# Name the login "codeberg" and point at https://codeberg.org.
+tea login add --name codeberg --url https://codeberg.org --token "${CODEBERG_TOKEN}" --insecure=false
+echo "tea configured. Try: tea repo ls"
+

secrets/README.md

@@ -0,0 +1,38 @@
+# Secrets (agenix)
+
+This repo supports optional local secrets management via `agenix`.
+
+CI should prefer Forgejo Actions secrets (e.g. `CLOUDFLARE_API_TOKEN`) rather than decrypting secrets in runners.
+
+## Files
+
+- `secrets/secrets.nix`: recipients + secret file mapping
+- `secrets/cloudflare-api-token.age`: encrypted Cloudflare API token (optional)
+- `secrets/codeberg-token.age`: encrypted Codeberg/Forgejo token for `tea` (optional)
+
+## Create / edit secrets (local)
+
+Enter the dev shell:
+
+```sh
+nix develop
+```
+
+Encrypt (create) a secret:
+
+```sh
+cd secrets
+agenix -e cloudflare-api-token.age
+```
+
+Decrypt (inspect) a secret:
+
+```sh
+cd secrets
+agenix -d cloudflare-api-token.age
+```
+
+## Decryption identity
+
+`agenix` decrypts using your local SSH key material. The private key must be available locally but is never committed to the repo.
+

secrets/secrets.nix

@@ -0,0 +1,9 @@
+let
+  # Founder SSH public key (recipient). Safe to commit.
+  founder = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJCBTSEEcBOhOkf3WF1e8xmblAZHvgTibFsqck2GY8D/";
+in
+{
+  "cloudflare-api-token.age".publicKeys = [ founder ];
+  "codeberg-token.age".publicKeys = [ founder ];
+}
+