every.channel/secrets/README.md

Secrets (agenix)

This repo manages secrets for local use and CI with agenix (age encryption addressed to SSH public keys). The encrypted .age files are committed; the private keys that decrypt them are not.

CI deploys use one Forgejo Actions secret:

  • AGE_FORGE_SSH_KEY: SSH private key used to decrypt repo-tracked .age files. It can decrypt every file that lists its public key as a recipient in secrets/secrets.nix, so list it only on the secrets the deploy workflow actually needs.

Set/update it with:

nix develop -c ./scripts/fj-set-age-key-secret.sh ~/.config/every.channel/keys/forge_ci_ed25519

Files

  • secrets/secrets.nix: recipients mapping, i.e. which SSH public keys may decrypt which .age file
  • secrets/cloudflare-api-token.age: encrypted Cloudflare API token (used by the deploy workflow)
  • secrets/forge-token.age: encrypted Forgejo API token for admin scripts (optional, preferred over the Codeberg token)
  • secrets/codeberg-token.age: encrypted Codeberg token for compatibility/mirror admin scripts (optional)
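The recipients file listed above is not shown on this page. The following is an added illustrative secrets/secrets.nix, not the repo's actual file: the key strings are constructed placeholders, the operator name `alice` is invented, and keeping the CI key off the admin-only tokens is this example's least-privilege choice rather than something the page states.

```nix
# secrets/secrets.nix: added example, not the repo's real file.
# Every public key below is a constructed placeholder; replace with real ones.
let
  # Operator key: the SSH public key whose private half stays on the
  # developer's machine and is never committed.
  alice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIREPLACE_ME_ALICE alice@laptop";

  # CI key: public half of ~/.config/every.channel/keys/forge_ci_ed25519.
  # The private half is the AGE_FORGE_SSH_KEY Forgejo Actions secret.
  forgeCi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIREPLACE_ME_FORGE_CI forge-ci";

  admins = [ alice ];
in
{
  # Attribute names are the .age paths as agenix sees them. This assumes
  # agenix is run from this directory (or that the dev shell maps paths to
  # this file via RULES); adjust the names if your invocation differs.

  # Needed by the deploy workflow, so CI is a recipient alongside admins.
  "cloudflare-api-token.age".publicKeys = admins ++ [ forgeCi ];

  # Admin scripts only: the CI key is deliberately not a recipient, so a
  # leaked AGE_FORGE_SSH_KEY cannot read these tokens.
  "forge-token.age".publicKeys = admins;
  "codeberg-token.age".publicKeys = admins;
}
```

Adding or removing a recipient here does not touch the existing ciphertexts; run agenix's rekey option (`agenix -r`) afterwards so each .age file is readable by exactly the listed keys.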

Create / edit secrets (local)

Enter the dev shell:

nix develop

Create or edit a secret (opens the file in $EDITOR and re-encrypts it to all recipients on save):

agenix -e secrets/cloudflare-api-token.age

If you change the recipient list in secrets/secrets.nix, re-encrypt every secret for the new recipients with agenix's rekey option (`agenix -r`); editing secrets.nix alone does not update the .age files.

Decrypt (inspect) a secret; this prints the plaintext to stdout, so do not redirect it into a tracked file:

agenix -d secrets/cloudflare-api-token.age

Decryption identity

agenix/age decrypts with SSH private key material. By default agenix tries the standard keys in ~/.ssh (id_rsa, id_ed25519); to use another identity, such as the CI key kept under ~/.config/every.channel/keys/, pass it with `-i PATH`. The private key must be available locally (or injected as the CI secret above) and is never committed to the repo; only public keys appear in secrets/secrets.nix.