# Secrets

Burrow secrets live in `secrets/<name>.age` and are managed with `agenix`.

For the Forgejo Namespace Cloud runtime:

- `secrets/forgejo/admin-password.age`
- `secrets/forgejo/agent-ssh-key.age`
- `secrets/forgejo/nsc-token.age`
- `secrets/forgejo/nsc-dispatcher-config.age`
- `secrets/forgejo/nsc-autoscaler-config.age`
- `secrets/cloudflare/api-token.age`
- `secrets/hetzner/api-token.age`
- `secrets/forwardemail/api-token.age`
- `secrets/forwardemail/hetzner-s3-user.age`
- `secrets/forwardemail/hetzner-s3-secret.age`

Use:

- `make secret name=forgejo/nsc-token`
- `make secret-file name=forgejo/agent-ssh-key file=/path/to/source`
- `Scripts/provision-forgejo-nsc.sh` to refresh the Forgejo Namespace token and runtime configs in `secrets/forgejo/*.age`
- `make secret-file name=cloudflare/api-token file=/path/to/cloudflare-token.txt`
- `make secret-file name=hetzner/api-token file=/path/to/hetzner-api-token.txt`

The forge host decrypts these files at activation time and feeds the resulting
paths into `services.burrow.forge`, `services.burrow.forgeRunner`, and
`services.burrow.forgejoNsc`.