# Secrets (agenix)
This repo supports local + CI secrets management via `agenix`/`age`.
CI deploys use one Forgejo Actions secret:
- `AGE_FORGE_SSH_KEY`: SSH private key used to decrypt repo-tracked `.age` files.
Set/update it with:
```sh
nix develop -c ./scripts/fj-set-age-key-secret.sh ~/.config/every.channel/keys/forge_ci_ed25519
```
## Files
- `secrets.nix`: recipients + secret file mapping
- `secrets/cloudflare-api-token.age`: encrypted Cloudflare API token (used by deploy workflow)
- `secrets/forgejo-api-token.age`: encrypted Forgejo API token (preferred) for admin scripts and `ecp-forge` netboot staging
- `secrets/forge-token.age`: legacy encrypted Forgejo API token path for compatibility
- `secrets/codeberg-token.age`: encrypted Codeberg token for compatibility/mirror admin scripts (optional)
- `secrets/netboot-chain-token.age`: encrypted chain token used by `services.every-channel.netboot.chainTokenFile`
- `secrets/op-stack-sepolia-private-key.age`: encrypted Sepolia operator private key used by `services.every-channel.op-stack.privateKeyFile`
- `secrets/op-stack-challenger-prestate.bin.gz.age`: encrypted Cannon absolute prestate artifact used by `services.every-channel.op-stack.challengerPrestateFile`
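
As an added illustration (not this repo's actual `secrets.nix`), this is the shape of the recipients-to-file mapping that `agenix -e` / `agenix -d` evaluate for the paths listed above. The public keys, the `ecp-forge` host key, and the split between deploy-time recipients and host-only recipients are assumptions made for the example.

```nix
# Example secrets.nix: maps each repo-tracked .age file to the SSH public keys
# (recipients) that may decrypt it. Keys must equal the path passed to `agenix -e`.
# All key strings below are placeholders, not real keys.
let
  # Operator key used for local `agenix -e` / `agenix -d`. Placeholder value.
  operator = "ssh-ed25519 AAAA-PLACEHOLDER-OPERATOR-KEY operator@example";

  # Public half of forge_ci_ed25519, whose private half is stored as the
  # AGE_FORGE_SSH_KEY Forgejo Actions secret. Placeholder value.
  forgeCi = "ssh-ed25519 AAAA-PLACEHOLDER-CI-KEY forge-ci@example";

  # Host SSH key of the machine whose services consume the file-based secrets.
  # Assumed for this example; placeholder value.
  ecpForgeHost = "ssh-ed25519 AAAA-PLACEHOLDER-HOST-KEY root@ecp-forge";

  # Recipient sets: CI only needs the deploy/admin tokens, so it is not a
  # recipient of the service-side material (least privilege, assumed split).
  deployers = [ operator forgeCi ];
  hostOnly = [ operator ecpForgeHost ];
in
{
  # Tokens decrypted by the deploy workflow and admin scripts.
  "secrets/cloudflare-api-token.age".publicKeys = deployers;
  "secrets/forgejo-api-token.age".publicKeys = deployers;
  "secrets/forge-token.age".publicKeys = deployers; # legacy path
  "secrets/codeberg-token.age".publicKeys = deployers;

  # Material read on the host via services.every-channel.* *File options.
  "secrets/netboot-chain-token.age".publicKeys = hostOnly;
  "secrets/op-stack-sepolia-private-key.age".publicKeys = hostOnly;
  "secrets/op-stack-challenger-prestate.bin.gz.age".publicKeys = hostOnly;
}
```

Rotating a recipient (for example the CI key) means editing the list here and re-encrypting the affected files with `agenix -r`, otherwise the old key keeps decrypting them.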
## Create / edit secrets (local)
Enter the dev shell:
```sh
nix develop
```
Encrypt (create) a secret:
```sh
agenix -e secrets/cloudflare-api-token.age
```
Decrypt (inspect) a secret:
```sh
agenix -d secrets/cloudflare-api-token.age
```
## Decryption identity
`agenix`/`age` decrypts using SSH private key material. The private key must be available locally (or injected as a CI secret) and is never committed to the repo.