age-secrets: add git-crypt-key-nixos (pre-unify cutover)

Additive. The new unified nixos repo (projects/nixos/) uses a fresh git-crypt
key so we can retire the two per-repo keys later. Deploying this change alone
makes /run/agenix/git-crypt-key-nixos available on muffin; the nixos CI's
git-crypt unlock step can then succeed once the new repo lands on Gitea.

modules/age-secrets.nix

@@ -168,6 +168,15 @@
       group = "gitea-runner";
     };
 
+    # Git-crypt symmetric key for the new unified nixos repo (Phase 5 of the unify migration).
+    # Added additively here so muffin can decrypt nixos's secrets once Phase 6 cuts CI over.
+    git-crypt-key-nixos = {
+      file = ../secrets/git-crypt-key-nixos.age;
+      mode = "0400";
+      owner = "gitea-runner";
+      group = "gitea-runner";
+    };
+
     # Gitea Actions runner registration token
     gitea-runner-token = {
       file = ../secrets/gitea-runner-token.age;