every-channel/every.channel
1
0
Fork 0
Code Releases Activity Actions 2
every.channel/evolution/proposals/ECP-0061-agenix-secrets.md
every.channel 6cb4a9e401
ECP-0061: agenix secrets for local dev tokens
2026-02-15 17:21:23 -05:00

1.3 KiB
Raw Blame History

ECP-0061: agenix Secrets (Local Dev Convenience)

Status: Draft

Goal

Provide a simple, repo-native way to manage a small set of long-lived tokens for local development without committing plaintext secrets:

  • Cloudflare API token (local wrangler deploy)
  • Codeberg token (optional; for tea CLI)

Non-Goals

  • CI secrets management (CI should use Forgejo Actions secrets).
  • A general secret distribution scheme for the network protocol.

Proposal

  1. Add secrets/ using agenix:
    • secrets/secrets.nix maps secret filenames to recipients.
    • Encrypted files (optional, not required to exist):
      • secrets/cloudflare-api-token.age
      • secrets/codeberg-token.age
  2. Add tools to the nix dev shell:
    • agenix
    • tea (Forgejo/Gitea-compatible CLI)
  3. Update scripts to use these secrets opportunistically:
    • scripts/deploy-workers.sh loads CLOUDFLARE_API_TOKEN via agenix -d when present.
    • scripts/tea-login-codeberg.sh configures tea using CODEBERG_TOKEN (env) or agenix.

Rationale

agenix keeps sensitive tokens out of git while still being easy to use on a single machine. CI remains clean and auditable by using the platform's secret store.

Rollout / Reversibility

  • Additive. If a developer doesn't use agenix, nothing breaks.
  • Easy to remove later if a different secret system is adopted.