Wire namespace caches and agenix secrets

2026-03-19 03:51:53 -07:00 · 2026-03-19 03:51:53 -07:00 · 028627bfcb
commit 028627bfcb
parent 5bd95b7a7c
8 changed files with 66 additions and 102 deletions
--- a/services/forgejo-nsc/README.md
+++ b/services/forgejo-nsc/README.md
@ -46,8 +46,9 @@ profile. The important knobs are:
  Namespace environment. The dispatcher destroys the instance after a job so the
  TTL acts as a hard cap, not an idle timeout.
 - `namespace.linux_cache_*` / `namespace.macos_cache_*` – persistent cache
-  volumes mounted into runners so Linux can keep `/nix` plus build caches warm
-  and macOS can reuse Rust toolchains, Xcode package caches, and derived data.
+  volumes mounted into runners so Linux can keep `/nix` plus shared build
+  caches warm and macOS can reuse Rust toolchains, Xcode package caches, and
+  lane-local derived data.

 ### Running locally

@ -159,8 +160,8 @@ generate a Namespace token from the logged-in Namespace account, and refresh
 `secrets/forgejo/{nsc-token,nsc-dispatcher-config,nsc-autoscaler-config}.age`.
 The token file is emitted as JSON with a `bearer_token` field so both the
 Compute API path and the `nsc` CLI fallback can consume the same secret
-material. Use `--write-intake` only when you explicitly need local plaintext
-debug copies.
+material. The forge host consumes the encrypted secrets through agenix; avoid
+keeping local plaintext `intake/` copies around.

 Long-lived runtime state is now sourced from age-encrypted files: