every.channel/secrets
2026-04-01 15:58:49 -07:00
cloudflare-api-token.age ci: switch deploy secrets to age key workflow 2026-02-16 00:59:52 -05:00
codeberg-token.age ci: switch deploy secrets to age key workflow 2026-02-16 00:59:52 -05:00
forgejo-api-token.age Advance forge rollout, Ethereum rails, and NBC sources 2026-04-01 15:58:49 -07:00
netboot-chain-token.age Advance forge rollout, Ethereum rails, and NBC sources 2026-04-01 15:58:49 -07:00
op-stack-sepolia-private-key.age Advance forge rollout, Ethereum rails, and NBC sources 2026-04-01 15:58:49 -07:00
README.md Advance forge rollout, Ethereum rails, and NBC sources 2026-04-01 15:58:49 -07:00

Secrets (agenix)

This repo supports local and CI secrets management via agenix/age.

CI deploys use one Forgejo Actions secret:

  • AGE_FORGE_SSH_KEY: SSH private key used to decrypt repo-tracked .age files.

Set/update it with:

nix develop -c ./scripts/fj-set-age-key-secret.sh ~/.config/every.channel/keys/forge_ci_ed25519

Files

  • secrets.nix: recipients + secret file mapping
  • secrets/cloudflare-api-token.age: encrypted Cloudflare API token (used by deploy workflow)
  • secrets/forgejo-api-token.age: encrypted Forgejo API token (preferred) for admin scripts and ecp-forge netboot staging
  • secrets/forge-token.age: legacy encrypted Forgejo API token path for compatibility
  • secrets/codeberg-token.age: encrypted Codeberg token for compatibility/mirror admin scripts (optional)
  • secrets/netboot-chain-token.age: encrypted chain token used by services.every-channel.netboot.chainTokenFile
  • secrets/op-stack-sepolia-private-key.age: encrypted Sepolia operator private key used by services.every-channel.op-stack.privateKeyFile
  • secrets/op-stack-challenger-prestate.bin.gz.age: encrypted Cannon absolute prestate artifact used by services.every-channel.op-stack.challengerPrestateFile

Create / edit secrets (local)

Enter the dev shell:

nix develop

Encrypt (create) a secret:

agenix -e secrets/cloudflare-api-token.age

Decrypt (inspect) a secret:

agenix -d secrets/cloudflare-api-token.age

Decryption identity

agenix/age decrypts using SSH private key material. The private key must be available locally (or injected as a CI secret) and is never committed to the repo.
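
A guard for the rule above, usable as a pre-commit hook or CI step. This is an added example, not a script from this repo: it checks that every *.age file in a directory starts with an age header (binary or ASCII-armored) and that no private key material sits beside them. The function names is_age_ciphertext and check_secrets_dir are hypothetical.

```sh
#!/bin/sh
# Added example (not part of this repo): guard for a directory of agenix secrets.
# Usage (assumed layout from this README):  check_secrets_dir secrets || exit 1

# Return 0 if the file begins with an age header.
# Binary age files start with "age-encryption.org/v1"; armored ones with the PEM-style line.
is_age_ciphertext() {
  first=""
  IFS= read -r first < "$1" || true   # a short or empty file simply fails the match
  case "$first" in
    "age-encryption.org/v1"|"-----BEGIN AGE ENCRYPTED FILE-----") return 0 ;;
    *) return 1 ;;
  esac
}

# Print one finding per line; return non-zero if anything was found.
check_secrets_dir() {
  dir="$1"
  findings=0

  # 1. A *.age file that is not ciphertext is a plaintext secret saved under that name.
  for f in "$dir"/*.age; do
    [ -e "$f" ] || continue
    if ! is_age_ciphertext "$f"; then
      echo "NOT-ENCRYPTED $f"
      findings=$((findings + 1))
    fi
  done

  # 2. The decryption identity (SSH or native age key) must never be in the tree.
  keys=$(grep -rlE -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
                   -e 'AGE-SECRET-KEY-1' "$dir" 2>/dev/null || true)
  if [ -n "$keys" ]; then
    printf '%s\n' "$keys" | sed 's/^/PRIVATE-KEY /'
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}
```

The header check only proves a file is in age format; it does not show which recipients can decrypt it, which is still governed by secrets.nix.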