nixcfg/cluster/prod/app/drone-ci/secrets.toml

# Drone's secrets

[secrets."drone-ci/rpc_secret"]
type = 'command'
command = 'openssl rand -hex 16'
# don't rotate, it would break all runners

[secrets."drone-ci/cookie_secret"]
type = 'command'
rotate = true
command = 'openssl rand -hex 16'

[secrets."drone-ci/db_enc_secret"]
type = 'command'
command = 'openssl rand -hex 16'
# don't rotate, it is used to encrypt data which we would lose if we change this


# Oauth config for gitea

[secrets."drone-ci/oauth_client_secret"]
type = 'user'
description = 'OAuth client secret (for gitea)'

[secrets."drone-ci/oauth_client_id"]
type = 'user'
description = 'OAuth client ID (on Gitea)'


# S3 config for Git LFS storage

[secrets."drone-ci/s3_db_bucket"]
type = 'constant'
value = 'drone-db'

[secrets."drone-ci/s3_sk"]
type = 'user'
description = 'S3 (garage) secret key for Drone'

[secrets."drone-ci/s3_ak"]
type = 'user'
description = 'S3 (garage) access key for Drone'

[secrets."drone-ci/s3_storage_bucket"]
type = 'constant'
value = 'drone-storage'