archive: repo moved to titaniumtown/nixos

age-secrets: add git-crypt-key-nixos (pre-unify cutover)
Additive. The new unified nixos repo (projects/nixos/) uses a fresh git-crypt key so we can retire the two per-repo keys later. Deploying this change alone makes /run/agenix/git-crypt-key-nixos available on muffin; the nixos CI's git-crypt unlock step can then succeed once the new repo lands on Gitea.
2026-04-18 01:42:47 -04:00 · 2026-04-18 01:19:17 -04:00 · 2026-04-17 22:08:29 -04:00
4 changed files with 38 additions and 1 deletions
--- a/README.md
+++ b/README.md
@@ -0,0 +1,15 @@
+# server-config (archived)
+
+This repository has been unified with its sibling `dotfiles` into
+[**titaniumtown/nixos**](https://git.sigkill.computer/titaniumtown/nixos).
+
+The final pre-unification commit is tagged `final-before-unify`.
+
+See the new repo's `README.md` and `AGENTS.md` for:
+
+- current flake layout (hosts: mreow, yarn, muffin)
+- deploy workflow
+- git-crypt / agenix setup
+
+Do **not** push new commits here — CI has been disabled, and muffin's harmonia
+binary-cache no longer serves paths from `/var/lib/dotfiles-deploy/`.
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -168,6 +168,15 @@
      group = "gitea-runner";
    };

+    # Git-crypt symmetric key for the new unified nixos repo (Phase 5 of the unify migration).
+    # Added additively here so muffin can decrypt nixos's secrets once Phase 6 cuts CI over.
+    git-crypt-key-nixos = {
+      file = ../secrets/git-crypt-key-nixos.age;
+      mode = "0400";
+      owner = "gitea-runner";
+      group = "gitea-runner";
+    };
+
    # Gitea Actions runner registration token
    gitea-runner-token = {
      file = ../secrets/gitea-runner-token.age;
--- a/secrets/git-crypt-key-nixos.age
+++ b/secrets/git-crypt-key-nixos.age
--- a/services/jellyfin/jellyfin-qbittorrent-monitor.nix
+++ b/services/jellyfin/jellyfin-qbittorrent-monitor.nix
@@ -13,7 +13,13 @@ in
 lib.mkIf config.services.jellyfin.enable {
  # Materialise the Jellyfin Webhook plugin into Jellyfin's plugins dir before
  # Jellyfin starts. Jellyfin rewrites meta.json at runtime, so a read-only
-  # nix-store symlink would EACCES — we copy instead.
+  # nix-store symlink would EACCES -- we copy instead.
+  #
+  # `wantedBy = [ "jellyfin.service" ]` alone is insufficient on initial rollout:
+  # if jellyfin is already running at activation time, systemd won't start the
+  # oneshot until the next jellyfin restart. `restartTriggers` on jellyfin pinned
+  # to the plugin package + install script forces that restart whenever either
+  # changes, which invokes this unit via the `before`/`wantedBy` chain.
  systemd.services.jellyfin-webhook-install = {
    before = [ "jellyfin.service" ];
    wantedBy = [ "jellyfin.service" ];
@@ -28,6 +34,13 @@ lib.mkIf config.services.jellyfin.enable {
    };
  };

+  systemd.services.jellyfin.restartTriggers = [
+    webhookPlugin.package
+    (webhookPlugin.mkInstallScript {
+      pluginsDir = "${config.services.jellyfin.dataDir}/plugins";
+    })
+  ];
+
  # After Jellyfin starts, POST the plugin configuration so the webhook
  # targets the monitor's receiver. Idempotent; runs on every boot.
  systemd.services.jellyfin-webhook-configure = {