diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix
index 8980363..ab99044 100644
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -167,6 +167,16 @@
 owner = "gitea-runner";
 group = "gitea-runner";
 };
+ # Git-crypt symmetric key for the unified nixos repo.
+ # Added additively in Phase 5 — the two legacy entries above stay until
+ # muffin has deployed this config at least once and the new CI pipeline
+ # is green end-to-end. Phase 6 removes them.
+ git-crypt-key-nixos = {
+ file = ../secrets/server/git-crypt-key-nixos.age;
+ mode = "0400";
+ owner = "gitea-runner";
+ group = "gitea-runner";
+ };
 
 # Gitea Actions runner registration token
 gitea-runner-token = {
diff --git a/secrets/server/git-crypt-key-nixos.age b/secrets/server/git-crypt-key-nixos.age
new file mode 100644
index 0000000..241d347
Binary files /dev/null and b/secrets/server/git-crypt-key-nixos.age differ
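Review bot: The new `git-crypt-key-nixos` entry makes the repository's git-crypt symmetric key readable by the `gitea-runner` account (`mode = "0400"`, `owner = "gitea-runner"`), so any workflow step that runs as that user can presumably read it, and the added comment block does not record that exposure. A git-crypt symmetric key decrypts every protected file in the repository history and can only be retired by re-keying, so I would state the intended consumer and trust boundary next to the entry, e.g. `# Readable by every job run as gitea-runner; schedule only trusted workflows on this runner.` The comment also promises that Phase 6 removes the two legacy entries; a marker such as `# TODO(phase-6): remove once git-crypt-key-nixos is deployed and CI is green` on those entries (they sit outside this hunk) would keep three live keys from lingering on the host. The enclosing attribute set starts and ends outside the hunk.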