38 lines
844 B
Markdown
38 lines
844 B
Markdown
# Secrets (agenix)
|
|
|
|
This repo supports optional local secrets management via `agenix`.
|
|
|
|
CI should prefer Forgejo Actions secrets (e.g. `CLOUDFLARE_API_TOKEN`) rather than decrypting secrets in runners.
|
|
|
|
## Files
|
|
|
|
- `secrets/secrets.nix`: recipients + secret file mapping
|
|
- `secrets/cloudflare-api-token.age`: encrypted Cloudflare API token (optional)
|
|
- `secrets/codeberg-token.age`: encrypted Codeberg/Forgejo token for `tea` (optional)
|
|
|
|
## Create / edit secrets (local)
|
|
|
|
Enter the dev shell:
|
|
|
|
```sh
|
|
nix develop
|
|
```
|
|
|
|
Encrypt (create) a secret:
|
|
|
|
```sh
|
|
cd secrets
|
|
agenix -e cloudflare-api-token.age
|
|
```
|
|
|
|
Decrypt (inspect) a secret:
|
|
|
|
```sh
|
|
cd secrets
|
|
agenix -d cloudflare-api-token.age
|
|
```
|
|
|
|
## Decryption identity
|
|
|
|
`agenix` decrypts using your local SSH key material. The private key must be available locally but is never committed to the repo.
|
|
|