every.channel/secrets/README.md


# Secrets (agenix)

This repo supports local + CI secrets management via `agenix`/`age`.

CI deploys use one Forgejo Actions secret:

- `AGE_FORGE_SSH_KEY`: SSH private key used to decrypt repo-tracked `.age` files.

Set/update it with:

```sh
nix develop -c ./scripts/fj-set-age-key-secret.sh ~/.config/every.channel/keys/forge_ci_ed25519
```

## Files

- `secrets/secrets.nix`: recipients + secret file mapping
- `secrets/cloudflare-api-token.age`: encrypted Cloudflare API token (used by deploy workflow)
- `secrets/forge-token.age`: encrypted Forgejo API token for admin scripts (optional, preferred)
- `secrets/codeberg-token.age`: encrypted Codeberg token for compatibility/mirror admin scripts (optional)
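The shape of the recipients + file mapping, as an added illustration rather than the repository's actual `secrets/secrets.nix`. Every key string is a constructed placeholder, and the entry names assume `agenix` is run from the repo root with `RULES` pointing at `secrets/secrets.nix` (so names match the paths used in the commands below). Only public keys belong in this file; the matching private keys (a maintainer's workstation key, and the key held in the `AGE_FORGE_SSH_KEY` CI secret) are never committed. Listing the CI key only on the files the deploy workflow actually needs keeps the admin tokens out of CI's reach even if that secret leaks.

```nix
# Added example of a secrets/secrets.nix (not this repo's own file).
# All public keys below are constructed placeholders; substitute real ones.
let
  # Maintainer workstation public key (placeholder).
  alice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_alice_workstation alice@laptop";

  # Public half of the key whose private half is stored in the
  # AGE_FORGE_SSH_KEY Forgejo Actions secret (placeholder).
  forgeCi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_forge_ci forge-ci";

  # Humans who may decrypt every secret.
  admins = [ alice ];
in
{
  # Read by the deploy workflow, so the CI key must be a recipient.
  "secrets/cloudflare-api-token.age".publicKeys = admins ++ [ forgeCi ];

  # Admin-script tokens are used only from workstations; CI stays
  # unable to decrypt them because forgeCi is not a recipient.
  "secrets/forge-token.age".publicKeys = admins;
  "secrets/codeberg-token.age".publicKeys = admins;
}
```

After adding or removing a recipient, the affected `.age` files must be re-encrypted (`agenix -r`, with the current identity available) so the new recipient set takes effect; editing this file alone changes nothing about files already on disk.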
## Create / edit secrets (local)

Enter the dev shell:

```sh
nix develop
```

Encrypt (create) a secret:

```sh
agenix -e secrets/cloudflare-api-token.age
```

Decrypt (inspect) a secret:

```sh
agenix -d secrets/cloudflare-api-token.age
```

## Decryption identity

`agenix`/`age` decrypts using SSH private key material. The private key must be available locally (or injected as a CI secret) and is never committed to the repo.