From c7712e57ffcb9fcee43556d13da2b7a4b0ea0c1a Mon Sep 17 00:00:00 2001 From: primary Date: Sat, 18 Apr 2026 01:14:09 -0400 Subject: [PATCH] phase 5: add git-crypt-key-nixos agenix entry (additive) The two legacy entries git-crypt-key-{dotfiles,server-config} stay until muffin has deployed this config at least once and the new CI pipeline is green. Phase 6 removes them after cutover. --- modules/age-secrets.nix | 10 ++++++++++ secrets/server/git-crypt-key-nixos.age | Bin 0 -> 382 bytes 2 files changed, 10 insertions(+) create mode 100644 secrets/server/git-crypt-key-nixos.age diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix index 8980363..ab99044 100644 --- a/modules/age-secrets.nix +++ b/modules/age-secrets.nix @@ -167,6 +167,16 @@ owner = "gitea-runner"; group = "gitea-runner"; }; + # Git-crypt symmetric key for the unified nixos repo. + # Added additively in Phase 5 — the two legacy entries above stay until + # muffin has deployed this config at least once and the new CI pipeline + # is green end-to-end. Phase 6 removes them. + git-crypt-key-nixos = { + file = ../secrets/server/git-crypt-key-nixos.age; + mode = "0400"; + owner = "gitea-runner"; + group = "gitea-runner"; + }; # Gitea Actions runner registration token gitea-runner-token = { diff --git a/secrets/server/git-crypt-key-nixos.age b/secrets/server/git-crypt-key-nixos.age new file mode 100644 index 0000000000000000000000000000000000000000..241d347d5e79f2d86be411a09b8584834befd03f GIT binary patch literal 382 zcmZQ@_Y83kiVO&0sQB{9$M@oS+n?6#Pb)U$>PafT+`=OAT( z{!RU^w9@s_r3;4|?Or{SQnM^5e#Mo#OSjV9XO*-c2h+7Bdqw`oL|heHsB?N!@Kx^v z*B|A}XD^nTIn#KZv2*Oj!Vs)Ok%&U&Al}9iIx<<{1P8G2a6;}%R+rl*PXh{<0szU?!INwGj8@Yw#bE! zkC$`hT2!{>`uzyDW&ay?GG@;T9c9_7%`Xm%Yuta~xOKUifkj|n*K5Xe;sQ4es@w0} zW&Ur^FhjRs#iQR1N0N_xGw`ocnNtwf+mUdS$^2is_fw%qk54@kWZ2uK_$0t7Sm4p& z_Nyj#7dA!*oV_K-WRcswb^(8vW#QzVPk#M(Uc2K{kdLjr@0+bj7p_fmRw;Uw(hz@D r*~Wa*;z%}+1#OS>7
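Review bot: The comment above `git-crypt-key-nixos` records the migration plan but not who can read the decrypted key: with `owner = "gitea-runner"` and `mode = "0400"`, anything that runs as that account can read the symmetric key for the unified repo. I would add a line such as `# Readable only by gitea-runner; every CI job running as that user can read it, so keep untrusted workflows off this runner.` Whether jobs run directly as that user or inside containers is not visible in this hunk, so the wording should follow the actual runner setup. Since the two legacy keys stay deployed until Phase 6, the comment could also say that dropping those entries later only stops deploying the old keys and does not invalidate them for content already encrypted with them. The enclosing attribute set starts and ends outside the hunk.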