every.channel/secrets/README.md
2026-02-15 17:20:58 -05:00

Secrets (agenix)

This repo supports optional local secrets management via agenix.

CI should prefer Forgejo Actions secrets (e.g. CLOUDFLARE_API_TOKEN) rather than decrypting secrets in runners.

Files

  • secrets/secrets.nix: recipients + secret file mapping
  • secrets/cloudflare-api-token.age: encrypted Cloudflare API token (optional)
  • secrets/codeberg-token.age: encrypted Codeberg/Forgejo token for tea (optional)

Create / edit secrets (local)

Enter the dev shell:

nix develop

Encrypt (create) a secret:

cd secrets
agenix -e cloudflare-api-token.age

Decrypt (inspect) a secret:

cd secrets
agenix -d cloudflare-api-token.age

Decryption identity

agenix decrypts using your local SSH key material. The private key must be available locally but is never committed to the repo.
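
A pre-commit style audit of the secrets directory, tying together the file layout and the key-handling rule above. This is an added example, not code from this repo: the function name check_secrets_dir is hypothetical, and it assumes secrets.nix names each secret as a quoted attribute key (for example "cloudflare-api-token.age").

```shell
# Added example (not part of this repo): audit secrets/ before committing.
# Assumption: secrets.nix lists every secret as a quoted file name.
check_secrets_dir() {
  dir=$1
  problems=0
  rules="$dir/secrets.nix"
  if [ ! -f "$rules" ]; then
    echo "missing $rules" >&2
    return 2
  fi
  for f in "$dir"/*.age; do
    [ -e "$f" ] || continue            # glob matched nothing
    name=${f##*/}
    first=
    IFS= read -r first < "$f" || true  # first line only; tolerate a missing newline
    # An age file starts with the binary header line or the armor banner.
    case $first in
      "age-encryption.org/v1"|"-----BEGIN AGE ENCRYPTED FILE-----") ;;
      *) echo "NOT ENCRYPTED: $f" >&2; problems=$((problems + 1)) ;;
    esac
    # A secret that secrets.nix does not mention has no declared recipients.
    if ! grep -Fq "\"$name\"" "$rules"; then
      echo "NOT MAPPED in secrets.nix: $name" >&2
      problems=$((problems + 1))
    fi
  done
  # Private identities (SSH/PEM or native age keys) do not belong in the repo.
  if grep -rlE -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
               -e 'AGE-SECRET-KEY-1' "$dir" >&2; then
    echo "PRIVATE KEY MATERIAL found under $dir" >&2
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}
# Usage from the repo root: check_secrets_dir secrets
```

The function returns non-zero when it finds a problem, so it can gate a git pre-commit hook.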