burrow/secrets

Secrets

Burrow secrets live in secrets/<name>.age and are managed with agenix.

For the Forgejo Namespace Cloud runtime:

• secrets/forgejo/admin-password.age
• secrets/forgejo/agent-ssh-key.age
• secrets/forgejo/nsc-token.age
• secrets/forgejo/nsc-dispatcher-config.age
• secrets/forgejo/nsc-autoscaler-config.age
• secrets/cloudflare/api-token.age
• secrets/hetzner/api-token.age
• secrets/forwardemail/api-token.age
• secrets/forwardemail/hetzner-s3-user.age
• secrets/forwardemail/hetzner-s3-secret.age

Use:

• make secret name=forgejo/nsc-token
• make secret-file name=forgejo/agent-ssh-key file=/path/to/source
• Scripts/provision-forgejo-nsc.sh to refresh the Forgejo Namespace token and runtime configs in secrets/forgejo/*.age
• make secret-file name=cloudflare/api-token file=/path/to/cloudflare-token.txt
• make secret-file name=hetzner/api-token file=/path/to/hetzner-api-token.txt

The forge host decrypts these files at activation time and feeds the resulting paths into services.burrow.forge, services.burrow.forgeRunner, and services.burrow.forgejoNsc.