Merge branch 'colmena' into consensus

resolves #1

.envrc

@@ -1,4 +1,6 @@
 use flake
 watch_file flake.nix
 
+# Allow ragenix to find it's configuration
+export RULES=$(realpath ./secrets/secrets.nix)
 export NIXOPS_DEPLOYMENT=jfdic-ops

.gitignore

@@ -1,2 +1 @@
 .direnv
-secrets

README.rst

@@ -1,10 +1,10 @@
 JFDIC Ops
 =========
 
-NixOps_ deployment configuration for `JFDI Collective`_ services.
+Colmena_ deployment configuration for `JFDI Collective`_ services.
 
 The canonical home for this repo is
 https://source.jfdic.org/jfdic/jfdic-ops
 
-.. _NixOps: https://nixos.org/nixops
+.. _Colmena: https://colmena.cli.rs/
 .. _JFDI Collective: https://jfdic.org/

default.nix

@@ -0,0 +1,19 @@
+{
+  sources ? import ./nix/sources.nix,
+  system ? builtins.currentSystem,
+  crossSystem ? null,
+  config ? {},
+  alejandraUnstable ? (import sources.nixpkgsUnstable {}).alejandra,
+} @ args:
+with import ./nix args; {
+  shell = mkShell {
+    buildInputs = [
+      alejandraUnstable # The Uncompromising Nix Code Formatter
+      colmena
+      niv
+      treefmt # one CLI to format the code tree
+    ];
+    NIX_PATH = "nixpkgs=${sources.nixpkgs}";
+    NIXOPS_DEPLOYMENT = "${globals.deploymentName}";
+  };
+}

flake.lock

@@ -1,5 +1,103 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "nixpkgs": [
+          "ragenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1677126346,
+        "narHash": "sha256-4s+PPGC1M07QsPyeye5drc2JLa1lhDnCV3XAsG8+pH4=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "c2a71c83c70844c5e31db69347e86af080bcdad0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "colmena": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": "nixpkgs",
+        "stable": "stable",
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1664434431,
+        "narHash": "sha256-F/Jl1GqSp08fw7PCHiv/ijn/pAP1YOStIhHws291s7A=",
+        "owner": "zhaofengli",
+        "repo": "colmena",
+        "rev": "7253d9b4bb1f0f031d926092cb5dae3b03f1e812",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "ref": "v0.3.2",
+        "repo": "colmena",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "ragenix",
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673295039,
+        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1650374568,
+        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1676283394,
+        "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "hakyll-skeleton": {
       "flake": false,
       "locked": {
@@ -53,7 +151,7 @@
     "nix": {
       "inputs": {
         "lowdown-src": "lowdown-src",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-regression": "nixpkgs-regression"
       },
       "locked": {
@@ -71,38 +169,18 @@
         "type": "github"
       }
     },
-    "nixops": {
-      "inputs": {
-        "nixpkgs": "nixpkgs_2",
-        "utils": "utils"
-      },
-      "locked": {
-        "lastModified": 1657388807,
-        "narHash": "sha256-MtTM5KUHIDqnY254chIOp00EmsbYsXR3mXrnbbY4wg0=",
-        "owner": "NixOS",
-        "repo": "nixops",
-        "rev": "dcafae5258773dc0fbdd31b425f1ad3fb59173fe",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "master",
-        "repo": "nixops",
-        "type": "github"
-      }
-    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1657693803,
+        "lastModified": 1653060744,
-        "narHash": "sha256-G++2CJ9u0E7NNTAi9n5G8TdDmGJXcIjkJ3NF8cetQB8=",
+        "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "365e1b3a859281cf11b94f87231adeabbdd878a2",
+        "rev": "dfd82985c273aac6eced03625f454b334daae2e8",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-22.05-small",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -141,16 +219,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1656753965,
+        "lastModified": 1657693803,
-        "narHash": "sha256-BCrB3l0qpJokOnIVc3g2lHiGhnjUi0MoXiw6t1o8H1E=",
+        "narHash": "sha256-G++2CJ9u0E7NNTAi9n5G8TdDmGJXcIjkJ3NF8cetQB8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0ea7a8f1b939d74e5df8af9a8f7342097cdf69eb",
+        "rev": "365e1b3a859281cf11b94f87231adeabbdd878a2",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixos-22.05-small",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -171,6 +249,29 @@
         "type": "github"
       }
     },
+    "ragenix": {
+      "inputs": {
+        "agenix": "agenix",
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1677625082,
+        "narHash": "sha256-62xmRPfjZgDn8AgEhb6eRoJrTxGeM8HfhfF+PkJokok=",
+        "owner": "yaxitech",
+        "repo": "ragenix",
+        "rev": "6f2dacf3d6af36228a8fad3b136990a6b6dfe30b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "yaxitech",
+        "repo": "ragenix",
+        "type": "github"
+      }
+    },
     "resrok-web": {
       "flake": false,
       "locked": {
@@ -190,24 +291,66 @@
     },
     "root": {
       "inputs": {
+        "colmena": "colmena",
         "hakyll-skeleton": "hakyll-skeleton",
         "jfdic-web": "jfdic-web",
         "nix": "nix",
-        "nixops": "nixops",
         "nixpkgs": "nixpkgs_3",
         "nixpkgsUnstable": "nixpkgsUnstable",
+        "ragenix": "ragenix",
         "resrok-web": "resrok-web",
         "utils": "utils_2",
         "voc-web": "voc-web"
       }
     },
+    "rust-overlay": {
+      "inputs": {
+        "flake-utils": [
+          "ragenix",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "ragenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1676687290,
+        "narHash": "sha256-DP0CJ7qtUXf+mmMglJL1yANizzV1O4UfQ9NrKgy7O04=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "bdccd5e973d45159f7d13f7c65a4271dc02cf6d4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "stable": {
+      "locked": {
+        "lastModified": 1653087707,
+        "narHash": "sha256-zfno3snrzZTWQ2B7K53QHrGZwrjnJLTRPalymrSsziU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "cbd40c72b2603ab54e7208f99f9b35fc158bc009",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-21.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "utils": {
       "locked": {
-        "lastModified": 1634851050,
+        "lastModified": 1649676176,
-        "narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=",
+        "narHash": "sha256-OWKJratjt2RW151VUlJPRALb7OU2S5s+f0vLj4o1bHM=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c91f3de5adaf1de973b797ef7485e441a65b8935",
+        "rev": "a4b154ebbdc88c8498a5c7b01589addc9e9cb678",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,6 +2,10 @@
   description = "jfdic-ops deployment";
 
   inputs = {
+    ragenix = {
+      url = "github:yaxitech/ragenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     hakyll-skeleton = {
       flake = false;
       url = git+https://source.jfdic.org/jfdic/hakyll-skeleton/?ref=consensus;
@@ -15,7 +19,6 @@
       url = git+https://source.jfdic.org/resrok/resrok-web/?ref=consensus;
     };
     nix.url = "github:NixOS/nix/?ref=2.10.3";
-    nixops.url = github:NixOS/nixops/?ref=master;
     nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-22.11;
     nixpkgsUnstable.url = github:NixOS/nixpkgs/?ref=nixos-unstable;
     utils.url = "github:numtide/flake-utils";
@@ -23,6 +26,7 @@
       flake = false;
       url = git+https://source.jfdic.org/voc/voc-web/?ref=consensus;
     };
+    colmena.url = "github:zhaofengli/colmena/?ref=v0.3.2";
   };
 
   outputs = {...} @ args: import ./outputs.nix args;

hosts/toscano.nix

@@ -1,26 +0,0 @@
-# NixOps configuration for toscano
-#
-# https://en.wikipedia.org/wiki/Joseph_Toscano
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}: {
-  imports = [
-    ../networks/linode.nix
-    ../profiles/forgejo.nix
-    ../profiles/hakyll-skeleton.nix
-    ../profiles/jfdic-web.nix
-    ../profiles/resrok-web.nix
-    ../profiles/tmateServer.nix
-    ../profiles/voc-web.nix
-    ../secrets/forgejo.nix
-  ];
-
-  deployment.targetHost = "45.79.236.198";
-
-  networking.hostName = "toscano";
-
-  system.stateVersion = "21.05"; # The version of NixOS originally installed
-}

nixos/configurations.nix

@@ -0,0 +1,33 @@
+{
+  self,
+  nixpkgs,
+  inputs,
+  nix,
+  ...
+}: let
+  nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;
+  customModules = import ../modules/modules-list.nix;
+  baseModules = [
+    # make flake inputs accessiable in NixOS
+    {_module.args.inputs = inputs;}
+    {
+      imports = [
+        ({pkgs, ...}: {
+          nix.nixPath = [
+            "nixpkgs=${pkgs.path}"
+          ];
+          nix.extraOptions = ''
+            experimental-features = nix-command flakes
+          '';
+          documentation.info.enable = false;
+        })
+      ];
+    }
+  ];
+  defaultModules = baseModules ++ customModules;
+  deployment = {
+    allowLocalDeployment = true;
+  };
+in {
+  #toscano = import ./hosts/toscano/configuration.nix;
+}

nixos/hosts/toscano/configuration.nix

@@ -0,0 +1,36 @@
+# NixOS configuration for toscano
+#
+# https://en.wikipedia.org/wiki/Joseph_Toscano
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ../../../networks/linode.nix
+    ../../../profiles/forgejo.nix
+    ../../../profiles/hakyll-skeleton.nix
+    ../../../profiles/jfdic-web.nix
+    ../../../profiles/resrok-web.nix
+    ../../../profiles/tmateServer.nix
+    ../../../profiles/voc-web.nix
+  ];
+
+  age.secrets = {
+    forgejo = {
+      file = ../../../secrets/forgejo.age;
+      owner = "gitea";
+      group = "gitea";
+    };
+  };
+
+  deployment = {
+    tags = ["infra"];
+    targetHost = "45.79.236.198";
+  };
+
+  networking.hostName = "toscano";
+
+  system.stateVersion = "21.05"; # The version of NixOS originally installed
+}

outputs.nix

@@ -2,8 +2,9 @@
   self,
   hakyll-skeleton,
   jfdic-web,
+  ragenix,
+  colmena,
   nix,
-  nixops,
   nixpkgs,
   nixpkgsUnstable,
   resrok-web,
@@ -12,32 +13,37 @@
   ...
 } @ inputs:
 (utils.lib.eachDefaultSystem (system: let
-  pkgs =
+  pkgs = nixpkgs.legacyPackages."${system}";
-    nixpkgs.legacyPackages."${system}";
 in {
   devShell =
     pkgs.callPackage
     ./shell.nix {
+      inherit (ragenix.packages."${pkgs.system}") ragenix;
+      inherit (colmena.packages."${pkgs.system}") colmena;
       inherit (nix.packages."${pkgs.system}") nix;
       inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra;
-      nixops = nixops.defaultPackage."${pkgs.system}";
     };
 }))
 // {
-  nixopsConfigurations.default = {
+  colmena = {
-    inherit nixpkgs;
+    meta = {
-    network = {
+      description = "jfdi collective's NixOS deployment";
-      description = "jfdic-ops nodes";
+      name = "jfdic-ops";
-      enableRollback = true;
+      nixpkgs = import nixpkgs {
-      storage.legacy = {
+        system = "x86_64-linux";
-        databasefile = "~/.nixops/deployments.nixops";
+        overlays = [];
       };
     };
-    defaults = {
+    toscano = {
-      system.autoUpgrade.enable = false; # Disabled as it conflicts with NixOps
+      imports = [
-      _module.args.inputs = inputs; # make flake inputs accessiable in NixOS
+        ./nixos/hosts/toscano/configuration.nix
-      imports = [./profiles/host_common.nix];
+        ragenix.nixosModules.default
+      ];
     };
-    toscano = import ./hosts/toscano.nix;
   };
+  # The below lines are in the wrong place
+  #nixosConfigurations = import ./nixos/configurations.nix (inputs
+  #  // {
+  #    inherit inputs;
+  #  });
 }

profiles/forgejo.nix

@@ -1,23 +1,26 @@
 # NixOps configuration for the hosts running Forgejo
 {
   config,
-  inputs,
   pkgs,
   lib,
   ...
-  }: {
+}: let
+  flake = builtins.getFlake (toString ../.);
+  nixpkgsUnstable = flake.inputs.nixpkgsUnstable;
+  forgejo = nixpkgsUnstable.legacyPackages."${pkgs.system}".forgejo;
+in {
   services.gitea = {
     enable = true; # Enable Forgejo
     appName = "JFDI Collective: Forgejo Service"; # Give the site a name
     database = {
       type = "postgres"; # Database type
-      passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
+      passwordFile = config.age.secrets.forgejo.path;
     };
     disableRegistration = true;
     domain = "source.jfdic.org"; # Domain name
     rootUrl = "https://source.jfdic.org/"; # Root web URL
     httpPort = 3002; # Provided unique port
-    package = inputs.nixpkgsUnstable.legacyPackages."${pkgs.system}".forgejo; # a soft fork of gitea
+    package = forgejo; # a soft fork of gitea
     settings = let
       docutils = pkgs.python37.withPackages (ps:
         with ps; [

profiles/hakyll-skeleton.nix

@@ -2,11 +2,11 @@
 {
   self,
   config,
-  inputs,
   pkgs,
   ...
 }: let
-  hakyll-skeleton = import inputs.hakyll-skeleton {};
+  flake = builtins.getFlake (toString ../.);
+  hakyll-skeleton = import flake.inputs.hakyll-skeleton {};
   webdomain = "skeleton.jfdic.org";
 in {
   environment.sessionVariables = {

profiles/jfdic-web.nix

@@ -2,11 +2,11 @@
 {
   self,
   config,
-  inputs,
   pkgs,
   ...
 }: let
-  jfdic-web = import inputs.jfdic-web {};
+  flake = builtins.getFlake (toString ../.);
+  jfdic-web = import flake.inputs.jfdic-web {};
   webdomain = "jfdic.org";
 in {
   environment.sessionVariables = {

profiles/resrok-web.nix

@@ -2,11 +2,11 @@
 {
   self,
   config,
-  inputs,
   pkgs,
   ...
 }: let
-  resrok-web = import inputs.resrok-web {};
+  flake = builtins.getFlake (toString ../.);
+  resrok-web = import flake.inputs.resrok-web {};
   webdomain = "resrok.org";
 in {
   environment.sessionVariables = {

profiles/server_common.nix

@@ -7,8 +7,7 @@
 }: {
   imports = [
     ../profiles/openssh.nix
-    ../secrets/user-fiscalvelvetpoet.nix
+    ../profiles/users.nix
-    ../secrets/user-root.nix
   ];
 
   programs.mosh = {

profiles/users.nix

@@ -0,0 +1,37 @@
+# Configuration common to all JFDIC servers
+{
+  config,
+  pkgs,
+  ...
+}: {
+  age.secrets = {
+    root.file = ../secrets/root.age;
+    fiscalvelvetpoet.file = ../secrets/fiscalvelvetpoet.age;
+  };
+
+  # JFDIC Ops groups:
+  users.groups.fiscalvelvetpoet.gid = 1000;
+
+  # JFDIC Ops Users
+  users.users.fiscalvelvetpoet = {
+    isNormalUser = true;
+    uid = 1000;
+    group = "fiscalvelvetpoet";
+    extraGroups = ["wheel"];
+    # fix this
+    passwordFile = config.age.secrets.fiscalvelvetpoet.path;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
+    ];
+  };
+
+  users.users.root = {
+    # fix this
+    passwordFile = config.age.secrets.root.path;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
+    ];
+  };
+}

profiles/voc-web.nix

@@ -2,11 +2,11 @@
 {
   self,
   config,
-  inputs,
   pkgs,
   ...
 }: let
-  voc-web = import inputs.voc-web {};
+  flake = builtins.getFlake (toString ../.);
+  voc-web = import flake.inputs.voc-web {};
   webdomain = "voicesofcapricornia.org";
 in {
   environment.sessionVariables = {

secrets/fiscalvelvetpoet.age

@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBabmpl
+K3V2ZWV4c2pXcmtHYlhPaWVTd0Z2UnUrRTU0UHJxSlNGVGxrMEFZCjdsNW1IQTZY
+VWR5MG9YbjlHVGk1OEFEbGthNXVsbkpHbnlyN0lOU3dxOWsKLT4gc3NoLWVkMjU1
+MTkgZjVUaEFnIDIwdjFwUmc5dEhGdTd3WFdLMlJzN2NqQ1R1YWV2RXBwbTE5OU0x
+Y3hHMDAKcFhOYjdDcncwTnplamd3UTlaWVFiMXBHTlpuNFVSa01iaER4amlhdHdR
+MAotPiBRLWdyZWFzZSBjCkRMREtPUVdTeER4WWhjcjJOWSsvUkxtK2JTUnRhblB4
+KzFxMW5BVGp5U2hmdGtOZ1FDbFkrdUpNR1JuKzRLTWUKVTZCZk5nRTRUcnUzWURp
+MVplUGhTQjBrQU1UNwotLS0gSm52ejc3TXRBdlYrS0pRamQzeHo4N0pvcktHMDEv
+RzdXakJMVlZrYzNtMAp8HicX1xAaiwdoitp+OGbp3imWarnmMynCZxHsdPGmDIYG
+CEYqJ9JJVXAtzUL7kIE7uQOSZvgp4MvWahk5a0ITQkJDLbXef1mxhavGI6SYkhKP
+4fYc4GN7xAcxTRvb/oBP67lhc8Pt1W+h6BLphYMYbMM7XT/zHAVCUBrCCKTW2Swc
+NgJYUgwf7rI+hg/AKeXDXWYyidcYMrvb+L7jiIwZ6Q==
+-----END AGE ENCRYPTED FILE-----

secrets/forgejo.age

@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBzblFC
+eUZrZEw3R24weVJ2TUw3QWZ6WDNYS1NDZVpGTktnakk4M2FnVEhFCjUxK1BucVBu
+Vm52cXhyK1RyRFdTd2w1WU9NWDUranZTRkhzOHIwbXVHTlkKLT4gc3NoLWVkMjU1
+MTkgZjVUaEFnIERNWExUWk95Wk1udHYxWm1vKzAwR29kUC9JeUJoMVI3MUx3UmFG
+aDFCakkKSitsbEtsVzQ5eDAzZ0VUOXIrUkNsSkFFRXJGbEUyVTZNKzcwcTBhWnYy
+RQotPiBsbS1ncmVhc2UgLTwpJyAxTmtRMgp5OVpBSDh2azhrYjI1cmNjVmdKdlh0
+d2ZJZwotLS0gSGRZZ2k2ZDhqc3E1clBkOVZ4K3FjZUtGUG1XZ1ozVDRpZkd3ZkhG
+d3ZuYwocfVjJedKaGHSUGZE2tTu5W47y68PW51+NdYxQOT65fyZD9/Vxi+7HiFqM
+0xrmCMh3IsOvPa60vuY=
+-----END AGE ENCRYPTED FILE-----

secrets/root.age

@@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBoaDBJ
+M2E4THRwVmtpWTMwMGpKZ2owdC9aci9zMVZGSzdRYk1Xb2VoUmxzCjVveDgzUUc5
+SG1OUEVPb0pFTm5VdG93a2lBbVF3OXh1eGNsL1dZWGY1T3MKLT4gc3NoLWVkMjU1
+MTkgZjVUaEFnIDhFWHNoaFFkeVJ3NXBKc3oxVXdzeWtEc1NqSjAvRDZMWG9XSFVR
+UnVzMlEKMEJVOU45OUhVd0FEWTIrLzV2WnN6VmVJWjRHM0xRUk5YdFdNS0J1YVBD
+NAotPiB4WyMtZ3JlYXNlIFBBaTM8IDsgSDIgTChDaFRtcUcKSUlkVHFnRDA5cWIy
+Mjk4THJPREpRTW5FZ2RVR3lhTWFTOXhPaHdldVRBYWd2WE1Pc0IzbFZFQ0Q2RTAz
+Q2MySgpYUUNDNE9GM2JrUVpWbE1kenFLVGtDaFFGZjFvTFhYbWY0ZlI0MTlLVXFW
+d2d5dUdtL2hoSXcKLS0tIHZZMWk2amdIZHpCVzNtSUFvTyt0V3IyVm9NWWVyc3lG
+WDZpYmNtUkkzTDAKUHVWJeK+gcL0T5tHLBFQQP0EKHtO3Y2MFfNti/dtUhMoOnl0
+cKi+siTFVAR6hasO8eM+NYgDg0mCt5ThQfAQyr0c2VoPyNu1ITJKwZZndk52y6nv
+g95L4myoHPlJOKEb2pzSyDYKQZw4kUB4JKC5i7zy7a0TsMzVXUjZRDuOvWxcvXw8
+QbjtYbRJUZ+pFN445/awGVcZyMIE6KhrazU+WSU=
+-----END AGE ENCRYPTED FILE-----

secrets/secrets.nix

@@ -0,0 +1,14 @@
+# Used by ragenix nix only.
+# Ensure that $RULES has been set via direnv
+let
+  fiscalvelvetpoet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so";
+  ops = [fiscalvelvetpoet];
+  users = [fiscalvelvetpoet];
+
+  toscano = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWcukRkNUQUbgXQle8q9xszDZOnDf3BVpPSFgycJVVE";
+  systems = [toscano];
+in {
+  "root.age".publicKeys = ops ++ systems;
+  "fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems;
+  "forgejo.age".publicKeys = [fiscalvelvetpoet toscano];
+}

shell.nix

@@ -1,16 +1,18 @@
 {
   pkgs ? import <nixpkgs> {},
+  ragenix,
   alejandra,
   mkShell,
-  nixops,
+  colmena,
   nix,
 }:
 with pkgs;
   mkShell {
     buildInputs = [
+      ragenix # CLI management of secrets encrypted via existing SSH keys
       alejandra # The Uncompromising Nix Code Formatter
-      nixops
+      colmena # simple, stateless NixOS deployment tool
-      nix
+      nix # Powerful package manager, makes packaging reliable & reproducible
       tea # Gitea official CLI client
       treefmt # one CLI to format the code tree
     ];