From 25d6e7eead57d98b949a229271d5e88faa45b270 Mon Sep 17 00:00:00 2001
From: primary <primary@local>
Date: Sat, 18 Apr 2026 01:37:14 -0400
Subject: [PATCH] phase 6: remove legacy git-crypt-key-{dotfiles,server-config}
 agenix entries

Unified CI on nixos repo is proven end-to-end (CI run on 836f80a deployed to
muffin successfully and yarn's pull URL now serves from the new build). The
two per-repo git-crypt keys are no longer in use by any active pipeline.
Old dotfiles and server-config repos had Gitea Actions disabled before this
commit, so no CI race possible.
---
 modules/age-secrets.nix                       |  18 ------------------
 secrets/server/git-crypt-key-dotfiles.age     | Bin 382 -> 0 bytes
 .../server/git-crypt-key-server-config.age    | Bin 382 -> 0 bytes
 3 files changed, 18 deletions(-)
 delete mode 100644 secrets/server/git-crypt-key-dotfiles.age
 delete mode 100644 secrets/server/git-crypt-key-server-config.age

diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix
index ab99044..116b4b7 100644
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -152,25 +152,7 @@
       group = "gitea-runner";
     };
 
-    # Git-crypt symmetric key for dotfiles repo
-    git-crypt-key-dotfiles = {
-      file = ../secrets/server/git-crypt-key-dotfiles.age;
-      mode = "0400";
-      owner = "gitea-runner";
-      group = "gitea-runner";
-    };
-
-    # Git-crypt symmetric key for server-config repo
-    git-crypt-key-server-config = {
-      file = ../secrets/server/git-crypt-key-server-config.age;
-      mode = "0400";
-      owner = "gitea-runner";
-      group = "gitea-runner";
-    };
     # Git-crypt symmetric key for the unified nixos repo.
-    # Added additively in Phase 5 — the two legacy entries above stay until
-    # muffin has deployed this config at least once and the new CI pipeline
-    # is green end-to-end. Phase 6 removes them.
     git-crypt-key-nixos = {
       file = ../secrets/server/git-crypt-key-nixos.age;
       mode = "0400";
diff --git a/secrets/server/git-crypt-key-dotfiles.age b/secrets/server/git-crypt-key-dotfiles.age
deleted file mode 100644
index 9d58c6181dedd985e0c22a4ce200acf37821e6c4..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 382
zcmZQ@_Y83kiVO&0n8RjXxp+CppESk0TQ>EJtF1kI<Bg1L<jR9<_$JIvd+7XeYbv+t
z_Q&<B*K*Adj5c08@k{1keePvKU1zjEXU$VwS-R(8B;!y0gbT%M5@YuLSCjuy-gG<o
zi~c(EzZ;ahKID9VzP4oj+3;`i7a1g1{R#?vUvRfjyEpXB?ZfZaw46DkR%~W&A~b_v
zWL1CL(-=09^7<8DRs1F^6fY_`eu`Os|22({)@=65igh{rzqp9?h)m0DQJ;5Y#_`ge
zZD;0a-(1RPewW$Iit|R|5$TQFLgZGJi+GkxsAN6;n72H+&sZsc4galoJuQbOdbr5%
z$)6LO#BaOr#==V$JZD$cd3W!xG~lh_zRs<6;zoh{?d7RC4?jx@-Bd0&-4^ZU*|k}I
z#@|VTi+;^~^4aC*<EnO#d4IWPyw%n9TgH(n{_F0kru1<3N2TvO8PCVAalhcq5~X<B
t-Sc<U(sHG?i#D@@TQ^J-{rPcn|9i<f=9&B=e;Gu7wTbF%G5z~v2>_7;y9)pS

diff --git a/secrets/server/git-crypt-key-server-config.age b/secrets/server/git-crypt-key-server-config.age
deleted file mode 100644
index 87fe9014e9097493e5484851ca3b306943d9eb04..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 382
zcmZQ@_Y83kiVO&0ut|(>Q`soY`E>`AsGhit=N#d4ALo2$JhwD@oxcA2zQ6r%j!U?Q
z=bdN|pT^ehRP)ZUd}lP9|4yHZo!wFLxB5kVUUVE%HmKdIdu^XWy<+(lZk>0*ACH^v
z%nYwy{o_Y`x%0(|b3~axHaz|G-SuMi{9c7$zXH<o1$3>R{yiXfsc!zqy31$(?{b&b
zH+nM5f6wvh#<zd&^OT>#n`budzjX1jaGn1zjE+8d#&YS^IrEFBQf@oRosjc>A-a%J
zblpL<xP65OHc7l#DW?Bp@#Y<p(VE78Hw*2)C+W7yF+||M4fpkzW~;6}XDAL!N&j*E
z`V+r5Hh(I;)};lUJ9$d?_^p4EBAH)}Kh3-TGT%a2e_>t{@6R<KQ=4bqP3;!b<$m&8
zT&c2?%jjh7)phmzN?LNYJXs#+d6lR;o(y>VEl{}OUH{~+CEHIwjsDtHp6Fb5chR*|
tUQu0t{#XUpn&~@xZmT;fdnoqR{sqPLD#4Nb-c8Ln*@F%(Y5nh!2mp8+z-0gc