diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 40b5fb8..4e15855 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -13,6 +13,10 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Unlock git-crypt
+        run: |
+          git-crypt unlock /run/agenix/git-crypt-key-server-config
+
       - name: Build NixOS configuration
         run: |
           nix build .#nixosConfigurations.muffin.config.system.build.toplevel -L
diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix
index 6e527bf..f820ea1 100644
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -144,6 +144,14 @@
       group = "gitea-runner";
     };
 
+    # Git-crypt symmetric key for server-config repo
+    git-crypt-key-server-config = {
+      file = ../secrets/git-crypt-key-server-config.age;
+      mode = "0400";
+      owner = "gitea-runner";
+      group = "gitea-runner";
+    };
+
     # Gitea Actions runner registration token
     gitea-runner-token = {
       file = ../secrets/gitea-runner-token.age;
diff --git a/secrets/git-crypt-key-server-config.age b/secrets/git-crypt-key-server-config.age
new file mode 100644
index 0000000..19931fe
Binary files /dev/null and b/secrets/git-crypt-key-server-config.age differ
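Review bot: The new "Unlock git-crypt" step leaves every git-crypted file in the checkout decrypted on disk for the rest of the job and, if the runner reuses its workspace, for later jobs too, because nothing re-locks or cleans it. Add a final step that always runs, `- name: Lock git-crypt`, `if: always()`, `run: git-crypt lock`, so plaintext is re-encrypted even when the build fails. Note also that anything the flake reads from those decrypted files at evaluation time (e.g. via builtins.readFile) would land in the world-readable Nix store of the build host — this hunk does not show how the files are consumed, so confirm that is intended. The unlock assumes the job runs on the host with access to `/run/agenix` as the `gitea-runner` user; a container-mode job would not see that path. The `jobs:` step list continues outside the hunk.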
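Review bot: The comment on the new `git-crypt-key-server-config` entry should record that its attribute name is load-bearing: the deploy workflow references the decrypted path `/run/agenix/git-crypt-key-server-config` literally, so renaming the attribute silently breaks the "Unlock git-crypt" step. Suggested comment: `# Git-crypt symmetric key for the server-config repo. Consumed by .gitea/workflows/deploy.yml via /run/agenix/git-crypt-key-server-config; keep the attribute name in sync with that path.` It is also worth noting in the comment that this key decrypts the whole repository's git-crypt history and has no rotation path short of re-keying the repo, so `0400` with `owner = "gitea-runner"` is the least access this can reasonably have. The enclosing attribute set begins and ends outside the hunk.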