# Secrets (agenix)

This repo supports optional local secrets management via `agenix`.

CI should prefer Forgejo Actions secrets (e.g. `CLOUDFLARE_API_TOKEN`) rather than decrypting secrets in runners.

## Files

- `secrets/secrets.nix`: recipients + secret file mapping
- `secrets/cloudflare-api-token.age`: encrypted Cloudflare API token (optional)
- `secrets/codeberg-token.age`: encrypted Codeberg/Forgejo token for `tea` (optional)

## Create / edit secrets (local)

Enter the dev shell:

```sh
nix develop
```

Encrypt (create) a secret:

```sh
cd secrets
agenix -e cloudflare-api-token.age
```

Decrypt (inspect) a secret:

```sh
cd secrets
agenix -d cloudflare-api-token.age
```

## Decryption identity

`agenix` decrypts using your local SSH key material. The private key must be available locally but is never committed to the repo.
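
A guard for the `secrets/*.age` files described above, as an added example that is not part of this repo: it confirms every `*.age` file in a directory starts with an age header (binary or ASCII-armored), so a plaintext token saved under an `.age` name is caught before it is committed. The function names `is_age_file` and `check_age_files` are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from this repo): detect *.age files that are not
# actually age-encrypted, e.g. a token written to the file by hand.

# First line of a binary age file, and of an ASCII-armored one.
AGE_BINARY_HEADER='age-encryption.org/v1'
AGE_ARMOR_HEADER='-----BEGIN AGE ENCRYPTED FILE-----'

# is_age_file FILE: succeed if FILE begins with one of the age headers.
is_age_file() {
    # Strip NUL/CR and cap the length so binary or huge first lines are safe.
    first_line=$(LC_ALL=C head -n 1 "$1" 2>/dev/null | tr -d '\000\r' | cut -c1-64)
    [ "$first_line" = "$AGE_BINARY_HEADER" ] || [ "$first_line" = "$AGE_ARMOR_HEADER" ]
}

# check_age_files DIR: report every *.age file in DIR that lacks an age
# header on stderr; return 1 if any was found, 0 otherwise.
check_age_files() {
    dir=$1
    status=0
    for f in "$dir"/*.age; do
        # With no matches the glob stays literal; skip it.
        [ -e "$f" ] || continue
        if ! is_age_file "$f"; then
            echo "not age-encrypted: $f" >&2
            status=1
        fi
    done
    return "$status"
}
```

Run `check_age_files secrets` from the repo root, for example in a pre-commit hook, and block the commit on a non-zero return.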