every.channel/secrets
2026-02-15 17:24:44 -05:00
README.md dev: use forgejo-cli (fj) instead of tea 2026-02-15 17:24:44 -05:00
secrets.nix dev: add tea + agenix; optional agenix tokens 2026-02-15 17:20:58 -05:00

Secrets (agenix)

This repo supports optional local secrets management via agenix.

CI should prefer Forgejo Actions secrets (e.g. CLOUDFLARE_API_TOKEN) rather than decrypting secrets in runners.

Files

  • secrets/secrets.nix: recipients + secret file mapping
  • secrets/cloudflare-api-token.age: encrypted Cloudflare API token (optional)
  • secrets/codeberg-token.age: encrypted Codeberg/Forgejo token for fj (optional)

Create / edit secrets (local)

Enter the dev shell:

nix develop

Encrypt (create) a secret:

cd secrets
agenix -e cloudflare-api-token.age

Decrypt (inspect) a secret:

cd secrets
agenix -d cloudflare-api-token.age

Decryption identity

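agenix decrypts using your local SSH private key, and decryption only succeeds if the matching public key is one of the recipients listed in secrets/secrets.nix. The private key must be available locally but is never committed to the repo.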
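
A pre-commit style check for the layout described under Files, added here as an example and not part of this repo: it confirms that every *.age file in the directory starts with an age header (binary or ASCII-armored) and is named in secrets.nix. The function names and the rule that each file must appear as a quoted name in secrets.nix are assumptions of this example.

```shell
#!/bin/sh
# Added example (not this repo's code): verify that files under secrets/
# are really age-encrypted and mapped in secrets.nix before committing.

# First line of an age file: binary format, or ASCII-armored format.
AGE_BIN_HDR='age-encryption.org/v1'
AGE_ARMOR_HDR='-----BEGIN AGE ENCRYPTED FILE-----'

# is_age_file FILE -> 0 if FILE begins with an age header line.
is_age_file() {
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\r\0')
    [ "$first" = "$AGE_BIN_HDR" ] || [ "$first" = "$AGE_ARMOR_HDR" ]
}

# check_age_secrets DIR -> 0 if every DIR/*.age is encrypted and mapped,
# 1 if any file fails a check, 2 if DIR/secrets.nix is missing.
check_age_secrets() {
    dir=$1
    rc=0
    if [ ! -f "$dir/secrets.nix" ]; then
        echo "missing $dir/secrets.nix" >&2
        return 2
    fi
    for f in "$dir"/*.age; do
        # The secrets are optional, so an unmatched glob is not an error.
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if ! is_age_file "$f"; then
            # Plaintext saved under a .age name would be committed as-is.
            echo "NOT ENCRYPTED: $f" >&2
            rc=1
        fi
        # Assumption: secrets.nix refers to each file as a quoted name,
        # e.g. "cloudflare-api-token.age".publicKeys = [ ... ];
        if ! grep -qF "\"$name\"" "$dir/secrets.nix"; then
            echo "NOT MAPPED in secrets.nix: $name" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

After sourcing the file, run check_age_secrets secrets from the repo root; a non-zero status means a file should not be committed as it stands.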