# Secrets (agenix)

This repo supports local + CI secrets management via `agenix`/`age`.

CI deploys use one Forgejo Actions secret:

- `AGE_FORGE_SSH_KEY`: SSH private key used to decrypt repo-tracked `.age` files.

Set/update it with:

```sh
nix develop -c ./scripts/fj-set-age-key-secret.sh ~/.config/every.channel/keys/forge_ci_ed25519
```

## Files

- `secrets.nix`: recipients + secret file mapping
- `secrets/cloudflare-api-token.age`: encrypted Cloudflare API token (used by deploy workflow)
- `secrets/forgejo-api-token.age`: encrypted Forgejo API token (preferred) for admin scripts and `ecp-forge` netboot staging
- `secrets/forge-token.age`: legacy encrypted Forgejo API token path for compatibility
- `secrets/codeberg-token.age`: encrypted Codeberg token for compatibility/mirror admin scripts (optional)
- `secrets/netboot-chain-token.age`: encrypted chain token used by `services.every-channel.netboot.chainTokenFile`
- `secrets/op-stack-sepolia-private-key.age`: encrypted Sepolia operator private key used by `services.every-channel.op-stack.privateKeyFile`
- `secrets/op-stack-challenger-prestate.bin.gz.age`: encrypted Cannon absolute prestate artifact used by `services.every-channel.op-stack.challengerPrestateFile`

## Create / edit secrets (local)

Enter the dev shell:

```sh
nix develop
```

Encrypt (create) a secret:

```sh
agenix -e secrets/cloudflare-api-token.age
```

Decrypt (inspect) a secret:

```sh
agenix -d secrets/cloudflare-api-token.age
```

## Decryption identity

`agenix`/`age` decrypts using SSH private key material. The private key must be available locally (or injected as CI secret) and is never committed to the repo.