From 96a0162b4e59366a413a9f226dcba2bad9e222dd Mon Sep 17 00:00:00 2001
From: primary
Date: Sat, 18 Apr 2026 01:19:17 -0400
Subject: [PATCH] age-secrets: add git-crypt-key-nixos (pre-unify cutover)

Additive. The new unified nixos repo (projects/nixos/) uses a fresh git-crypt key so we can retire the two per-repo keys later. Deploying this change alone makes /run/agenix/git-crypt-key-nixos available on muffin; the nixos CI's git-crypt unlock step can then succeed once the new repo lands on Gitea.
---
modules/age-secrets.nix | 9 +++++++++
secrets/git-crypt-key-nixos.age | Bin 0 -> 382 bytes
2 files changed, 9 insertions(+)
create mode 100644 secrets/git-crypt-key-nixos.age

diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix
index b38ba82..4f65d20 100644
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -168,6 +168,15 @@
 group = "gitea-runner";
 };
 
+ # Git-crypt symmetric key for the new unified nixos repo (Phase 5 of the unify migration).
+ # Added additively here so muffin can decrypt nixos's secrets once Phase 6 cuts CI over.
+ git-crypt-key-nixos = {
+ file = ../secrets/git-crypt-key-nixos.age;
+ mode = "0400";
+ owner = "gitea-runner";
+ group = "gitea-runner";
+ };
+
 # Gitea Actions runner registration token
 gitea-runner-token = {
 file = ../secrets/gitea-runner-token.age;
diff --git a/secrets/git-crypt-key-nixos.age b/secrets/git-crypt-key-nixos.age
new file mode 100644
index 0000000000000000000000000000000000000000..4dee922fd08a4f989003cd953aa8bd040d9610dc
GIT binary patch
literal 382
zcmZQ@_Y83kiVO&0_%|i~l>3on6D_f`F9NS!bZp~xOLSBI( zY33J6=fy8{K58WGH2(Mh+6A6;rT!G_`I|deSU+{%==+rG$D2o`5~dN67n%MXOm5K) ze)_BMm1bb%;W-AMK4k1R)xMVg+_bqcKR>v1su4rb*WNqRCmUT=xoNZS)ZW{w3625> zde*6MK2yJa`q0js6TT?Ae){T}@PGR&XPY3g*BVzJEd2QTYQ6i;RkO=ahhNA%2#QOdj7-e zbWb1Kv;QZvyF;$&-4dC|K9N1MVYTeD8!4&P{yWsBGaWlQOZY?SiWP0Q_t
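Review bot: The `git-crypt-key-nixos` entry in modules/age-secrets.nix makes the repo-wide git-crypt key readable by the `gitea-runner` account (`owner = "gitea-runner"`, `mode = "0400"`) without recording who is allowed to run code as that account. If workflow steps execute as `gitea-runner` on the host (not visible in this hunk), any job the runner accepts can read `/run/agenix/git-crypt-key-nixos`, so the trust boundary belongs next to the entry, e.g. `# Readable by the gitea-runner user; only trusted workflows may be scheduled on this runner.` The existing comment ties the entry to "Phase 5"/"Phase 6", which goes stale once the migration ends; naming the two per-repo keys that are to be retired would age better. The diffstat shows no change to an agenix recipients rules file (conventionally `secrets.nix`), so confirm the new `.age` file is listed there if this repo keeps one, otherwise it cannot be rekeyed later. The enclosing attribute set starts and ends outside the hunk.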