Rotate operator secrets into agenix and deepen caches

2026-03-19 00:28:18 -07:00 · 2026-03-19 00:28:18 -07:00 · 03415e579b
commit 03415e579b
parent 7039bf5aad
28 changed files with 526 additions and 126 deletions
--- a/secrets/README.md
+++ b/secrets/README.md
@ -9,11 +9,19 @@ For the Forgejo Namespace Cloud runtime:
 - `secrets/forgejo/nsc-token.age`
 - `secrets/forgejo/nsc-dispatcher-config.age`
 - `secrets/forgejo/nsc-autoscaler-config.age`
+- `secrets/cloudflare/api-token.age`
+- `secrets/hetzner/api-token.age`
+- `secrets/forwardemail/api-token.age`
+- `secrets/forwardemail/hetzner-s3-user.age`
+- `secrets/forwardemail/hetzner-s3-secret.age`

 Use:

 - `make secret name=forgejo/nsc-token`
 - `make secret-file name=forgejo/agent-ssh-key file=/path/to/source`
+- `Scripts/provision-forgejo-nsc.sh` to refresh the Forgejo Namespace token and runtime configs in `secrets/forgejo/*.age`
+- `make secret-file name=cloudflare/api-token file=/path/to/cloudflare-token.txt`
+- `make secret-file name=hetzner/api-token file=/path/to/hetzner-api-token.txt`

 The forge host decrypts these files at activation time and feeds the resulting
 paths into `services.burrow.forge`, `services.burrow.forgeRunner`, and