Secrets (agenix)
This repo supports optional local secrets management via agenix.
CI should prefer Forgejo Actions secrets (e.g. CLOUDFLARE_API_TOKEN) rather than decrypting secrets in runners.
Files
secrets/secrets.nix: recipients + secret file mapping
secrets/cloudflare-api-token.age: encrypted Cloudflare API token (optional)
secrets/codeberg-token.age: encrypted Codeberg/Forgejo token for fj (optional)
Create / edit secrets (local)
Enter the dev shell:
nix develop
Encrypt (create) a secret:
agenix -e secrets/cloudflare-api-token.age
Decrypt (inspect) a secret:
agenix -d secrets/cloudflare-api-token.age
Decryption identity
agenix decrypts using your local SSH key material. The private key must be available locally but is never committed to the repo.
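A sketch of what secrets/secrets.nix could look like for the two files listed above, tying recipients to the decryption identity. It is added here as an illustration and is not taken from this repo. The recipient name alice and the key string are placeholders, and the attribute names assume the rules file uses the same paths that are passed to agenix on the command line.

```nix
# Illustrative secrets/secrets.nix (added example, not the repo's actual file).
let
  # Placeholder: the SSH *public* key of a person or machine allowed to decrypt.
  # The matching private key is the local decryption identity and stays out of the repo.
  alice = "ssh-ed25519 <PLACEHOLDER-PUBLIC-KEY> alice@example";

  # Everyone who may decrypt or re-encrypt these secrets locally.
  recipients = [ alice ];
in
{
  # Assumption: attribute names match the path given to `agenix -e` / `agenix -d`.
  "secrets/cloudflare-api-token.age".publicKeys = recipients;
  "secrets/codeberg-token.age".publicKeys = recipients;
}
```

Only public keys belong in this file. After changing the recipient list, existing .age files have to be re-encrypted for the new set with agenix -r.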