41 lines
1.4 KiB
Markdown
41 lines
1.4 KiB
Markdown
# ECP-0061: agenix Secrets (Local Dev Convenience)
|
|
|
|
Status: Draft
|
|
|
|
Note: CI handling in this proposal is superseded by `ECP-0062` (single SSH identity + repo-encrypted secrets for deploy).
|
|
|
|
## Goal
|
|
|
|
Provide a simple, repo-native way to manage a small set of long-lived tokens for local development without committing plaintext secrets:
|
|
|
|
- Cloudflare API token (local `wrangler deploy`)
|
|
- Codeberg token (optional; for `fj` CLI)
|
|
|
|
## Non-Goals
|
|
|
|
- CI secrets management (CI should use Forgejo Actions secrets).
|
|
- A general secret distribution scheme for the network protocol.
|
|
|
|
## Proposal
|
|
|
|
1. Add `secrets/` using `agenix`:
|
|
- `secrets/secrets.nix` maps secret filenames to recipients.
|
|
- Encrypted files (optional, not required to exist):
|
|
- `secrets/cloudflare-api-token.age`
|
|
- `secrets/codeberg-token.age`
|
|
2. Add tools to the nix dev shell:
|
|
- `agenix`
|
|
- `forgejo-cli` (`fj`)
|
|
3. Update scripts to use these secrets opportunistically:
|
|
- `scripts/deploy-workers.sh` loads `CLOUDFLARE_API_TOKEN` via `agenix -d` when present.
|
|
- `scripts/fj-auth-codeberg.sh` configures `fj` using `CODEBERG_TOKEN` (env) or `agenix`.
|
|
|
|
## Rationale
|
|
|
|
`agenix` keeps sensitive tokens out of git while still being easy to use on a single machine.
|
|
CI remains clean and auditable by using the platform's secret store.
|
|
|
|
## Rollout / Reversibility
|
|
|
|
- Additive. If a developer doesn't use `agenix`, nothing breaks.
|
|
- Easy to remove later if a different secret system is adopted.
|