every-channel/every.channel
1
0
Fork 0
Code Releases Activity Actions 2
every.channel/secrets
History
every.channel 043b1730dc
ops: move to forgejo-primary hosting with mirror-only codeberg/github
2026-02-28 00:48:12 -08:00
..
cloudflare-api-token.age ci: switch deploy secrets to age key workflow 2026-02-16 00:59:52 -05:00
codeberg-token.age ci: switch deploy secrets to age key workflow 2026-02-16 00:59:52 -05:00
README.md ops: move to forgejo-primary hosting with mirror-only codeberg/github 2026-02-28 00:48:12 -08:00

README.md

Secrets (agenix)

This repo supports local + CI secrets management via agenix/age.

CI deploys use one Forgejo Actions secret:

  • AGE_FORGE_SSH_KEY: SSH private key used to decrypt repo-tracked .age files.

Set/update it with:

nix develop -c ./scripts/fj-set-age-key-secret.sh ~/.config/every.channel/keys/forge_ci_ed25519

Files

  • secrets/secrets.nix: recipients + secret file mapping
  • secrets/cloudflare-api-token.age: encrypted Cloudflare API token (used by deploy workflow)
  • secrets/forge-token.age: encrypted Forgejo API token for admin scripts (optional, preferred)
  • secrets/codeberg-token.age: encrypted Codeberg token for compatibility/mirror admin scripts (optional)

Create / edit secrets (local)

Enter the dev shell:

nix develop

Encrypt (create) a secret:

agenix -e secrets/cloudflare-api-token.age

Decrypt (inspect) a secret:

agenix -d secrets/cloudflare-api-token.age

Decryption identity

agenix/age decrypts using SSH private key material. The private key must be available locally (or injected as CI secret) and is never committed to the repo.