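# Per-machine secrets, sourced by .zshrc on shell start.
# This file is encrypted via age before being committed to chezmoi —
# the live disk copy lives at ~/.config/fleet-dotfiles/secrets.env.
#
# Because this is sourced into every interactive shell, every value below is
# inherited by every child process of that shell and is visible through `env`,
# `ps e`, /proc/<pid>/environ, core dumps and any `set -x` trace. Only export
# what this host actually needs; delete the rest.
#
# To enable encryption on a real fleet:
# 1. Create the file with restrictive permissions from the start, so there is
#    no window in which it is readable by other users:
#      (umask 077 && touch ~/.config/fleet-dotfiles/secrets.env)
# 2. chmod 600 ~/.config/fleet-dotfiles/secrets.env
#    (idempotent — also re-run after copying the file from elsewhere)
# 3. Replace placeholder values with real ones
# 4. chezmoi add --encrypt ~/.config/fleet-dotfiles/secrets.env
#    (chezmoi auto-renames it to encrypted_private_secrets.env.age in source;
#    the age recipient/identity must already be configured in chezmoi for
#    this to succeed — check its encryption docs)
# 5. The auto-sync watcher commits + pushes the encrypted version on edit
#
# Never commit the unencrypted version. If a plaintext copy ever lands in git,
# even briefly, treat every token in it as leaked and rotate it — rewriting
# history does not un-leak a secret. Variables you don't use can be deleted;
# the list below is illustrative of what a real fleet might carry.
#
# Keep this file to plain `export NAME="value"` lines: anything executable
# written here runs in every new shell.

# ───────── Cloudflare ─────────
# Account ID + credentials for Pages deploys, Workers, DNS API.
# NOTE(review): the API_KEY + EMAIL pair is Cloudflare's legacy global key,
# which grants access to the whole account. Where the tooling supports it,
# prefer a scoped CLOUDFLARE_API_TOKEN limited to the zones and permissions
# the deploy actually needs, and leave the global-key pair empty.
export CLOUDFLARE_ACCOUNT_ID=""
export CLOUDFLARE_API_TOKEN=""
export CLOUDFLARE_API_KEY=""
export CLOUDFLARE_EMAIL=""

# ───────── Domain registrar (Porkbun) ─────────
# Registrar credentials can transfer or re-point every domain; keep them
# off hosts that only need DNS record edits.
export PORKBUN_API_KEY=""
export PORKBUN_SECRET_KEY=""

# ───────── Tailscale (for fleet access ACLs / DNS API) ─────────
# Scope the key to ACL/DNS management only; note its expiry when rotating so
# a silently expired key does not break fleet sync.
export TAILSCALE_API_KEY=""

# ───────── HuggingFace ─────────
# Different tools read different names; both should carry the same token,
# so update them together when rotating.
export HF_TOKEN=""
export HUGGINGFACE_TOKEN=""

# ───────── LLM API providers ─────────
# Billing-bearing keys: set per-key spend limits on the provider side, since
# any process in the shell can read these.
export OPENAI_API_KEY=""
export ANTHROPIC_API_KEY=""
export GEMINI_API_KEY=""

# ───────── Gitea (this template's host) ─────────
# GITEA_URL and GITEA_USER are not secrets, but they live here so the trio
# is rotated together. The token should be scoped to repo read/write only.
export GITEA_URL=""
export GITEA_USER=""
export GITEA_TOKEN=""

# ───────── Anything else ─────────
# Add per-service tokens here. Naming convention: SERVICE_PURPOSE_KIND
# e.g. STRIPE_LIVE_SECRET_KEY, DISCORD_BOT_TOKEN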