scripts/cutover-muffin.sh: pre-seed nix-deploy + deploy + verify

Bundles Phases 5.5 + 6.2 + 6.3 into one invocation. Order-sensitive: pre-seed
must happen BEFORE the deploy-rs run so yarn's pull-update URL stays resolvable
across the harmonia /var/lib/dotfiles-deploy \u2192 /var/lib/nix-deploy rename.

scripts/cutover-muffin.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+# Phase 5.5 + 6.2 + 6.3 helper: deploy the unified nixos flake to muffin,
+# pre-seeding /var/lib/nix-deploy/ so yarn's pull-update keeps working across
+# the harmonia path rename.
+#
+# Run from the repo root on a machine that can SSH to root@server-public.
+# Assumes the caller has the new git-crypt key (or a GPG user added to the repo)
+# so that secrets/ is in plaintext on this machine.
+#
+# Sequence:
+#   1. Pre-seed /var/lib/nix-deploy/ on muffin from /var/lib/dotfiles-deploy/
+#   2. deploy-rs the new flake to muffin
+#   3. Verify /run/agenix/git-crypt-key-nixos exists + readable
+#   4. Verify /var/lib/nix-deploy/{mreow,yarn} still resolves via
+#      https://nix-cache.sigkill.computer/deploy/<host>
+#
+# If any step fails, the old paths are untouched — you can roll back by
+# deploying server-config.
+
+set -euo pipefail
+
+SSH_HOST="${SSH_HOST:-root@server-public}"
+
+echo "[1/4] Pre-seeding /var/lib/nix-deploy from /var/lib/dotfiles-deploy..."
+ssh "$SSH_HOST" '
+  set -euo pipefail
+  if [ -d /var/lib/dotfiles-deploy ] && [ ! -d /var/lib/nix-deploy ]; then
+    cp -a /var/lib/dotfiles-deploy /var/lib/nix-deploy
+    echo "  seeded $(ls /var/lib/nix-deploy | wc -l) entries"
+  elif [ -d /var/lib/nix-deploy ]; then
+    echo "  /var/lib/nix-deploy already present; leaving untouched"
+  else
+    echo "  WARN: /var/lib/dotfiles-deploy missing on server (ok if fresh install)"
+  fi
+'
+
+echo "[2/4] Deploying via deploy-rs..."
+nix run .#deploy -- .#muffin
+
+echo "[3/4] Verifying new agenix key is present..."
+ssh "$SSH_HOST" '
+  if [ -r /run/agenix/git-crypt-key-nixos ]; then
+    echo "  OK: /run/agenix/git-crypt-key-nixos ($(stat -c%s /run/agenix/git-crypt-key-nixos) bytes)"
+  else
+    echo "  FAIL: /run/agenix/git-crypt-key-nixos missing or unreadable" >&2
+    exit 1
+  fi
+  # Confirm it belongs to gitea-runner
+  owner=$(stat -c%U /run/agenix/git-crypt-key-nixos)
+  if [ "$owner" = "gitea-runner" ]; then
+    echo "  OK: owned by gitea-runner"
+  else
+    echo "  WARN: owner is $owner (expected gitea-runner)"
+  fi
+'
+
+echo "[4/4] Verifying yarn pull-update path still resolves..."
+ssh "$SSH_HOST" '
+  if [ -f /var/lib/nix-deploy/yarn ]; then
+    echo "  OK: /var/lib/nix-deploy/yarn points at $(cat /var/lib/nix-deploy/yarn)"
+  else
+    echo "  WARN: /var/lib/nix-deploy/yarn missing (harmless on first CI run from new repo)"
+  fi
+'
+
+echo ""
+echo "Done. muffin is running the unified flake. The old server-config Gitea"
+echo "Actions pipeline should be disabled next (Phase 6.1) before the first"
+echo "push to the new nixos Gitea repo — otherwise both will race for the"
+echo "binary cache write paths."