trajto(reciproka-web): konverti al floko

resolves #13

.envrc

@@ -1,4 +1,5 @@
 use flake
 watch_file flake.nix
 
-export NIXOPS_DEPLOYMENT=jfdic-ops
+# Allow ragenix to find it's configuration
+export RULES=$(realpath ./secrets/secrets.nix)

.gitignore

@@ -1,2 +1 @@
 .direnv
-secrets

LICENSE

@@ -1,7 +1,7 @@
                              ANARCHIST LICENSE
                          Version 1.0, 1 May, 2021
 
-Copyright © 2021 JFDI Collective
+Copyright © 2024 Reciproka Kolektivo
 
 This is Anarchist software, released for free use by individuals and
 organizations that do not operate by capitalist principles.

README.rst

@@ -1,10 +1,21 @@
-JFDIC Ops
-=========
+Reciproka Kolektivo Ops
+=======================
 
-NixOps_ deployment configuration for `JFDI Collective`_ services.
+Colmena_ deployment configuration for services hosted by `Reciproka Kolektivo`_ services.
 
 The canonical home for this repo is
-https://source.jfdic.org/jfdic/jfdic-ops
+https://reciproka.dev/reciproka/reciproka-ops
 
-.. _NixOps: https://nixos.org/nixops
-.. _JFDI Collective: https://jfdic.org/
+.. _Colmena: https://colmena.cli.rs/
+.. _Reciproka Kolektivo: https://reciproka.co/
+
+.. toctree::
+
+Building for aarch64 Targets
+----------------------------
+
+If you don't have your own ``aarch64`` build server, you can apply to use the
+`aarch64 build box`_ provided by the `Nix Community`_.
+
+.. _aarch64 build box: https://github.com/NixOS/aarch64-build-box
+.. _Nix Community: https://github.com/nix-community

default.nix

@@ -0,0 +1,18 @@
+{
+  sources ? import ./nix/sources.nix,
+  system ? builtins.currentSystem,
+  crossSystem ? null,
+  config ? {},
+  alejandraUnstable ? (import sources.nixpkgsUnstable {}).alejandra,
+} @ args:
+with import ./nix args; {
+  shell = mkShell {
+    buildInputs = [
+      alejandraUnstable # The Uncompromising Nix Code Formatter
+      colmena
+      niv
+      treefmt # one CLI to format the code tree
+    ];
+    NIX_PATH = "nixpkgs=${sources.nixpkgs}";
+  };
+}

flake.nix

@@ -1,27 +1,28 @@
 {
-  description = "jfdic-ops deployment";
+  description = "reciproka-ops deployment";
 
   inputs = {
+    colmena.url = "github:zhaofengli/colmena/?ref=v0.4.0";
+    ragenix = {
+      url = "github:yaxitech/ragenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     hakyll-skeleton = {
-      flake = false;
-      url = git+https://source.jfdic.org/jfdic/hakyll-skeleton/?ref=consensus;
-    };
-    jfdic-web = {
-      flake = false;
-      url = git+https://source.jfdic.org/JFDIC/jfdic-web/?ref=consensus;
+      url = "git+https://reciproka.dev/reciproka/hakyll-skeleton/?ref=consensus";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
+    reciproka-web.url = "git+https://reciproka.dev/reciproka/reciproka-web/?ref=consensus";
     resrok-web = {
       flake = false;
-      url = git+https://source.jfdic.org/resrok/resrok-web/?ref=consensus;
+      url = git+https://reciproka.dev/resrok/resrok-web/?ref=consensus;
     };
-    nix.url = "github:NixOS/nix/?ref=2.10.3";
-    nixops.url = github:NixOS/nixops/?ref=master;
-    nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-22.05;
+    nix.url = github:NixOS/nix/?ref=2.24.6;
+    nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-24.05;
     nixpkgsUnstable.url = github:NixOS/nixpkgs/?ref=nixos-unstable;
     utils.url = "github:numtide/flake-utils";
     voc-web = {
       flake = false;
-      url = git+https://source.jfdic.org/voc/voc-web/?ref=consensus;
+      url = git+https://reciproka.dev/voc/voc-web/?ref=consensus;
     };
   };
 

hardware/binaryLane_vm.nix

@@ -0,0 +1,51 @@
+# Configuration common to all Reciproka Kolektivo Binary Lane VMs
+{
+  config,
+  pkgs,
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix") # Import the NixOS Qemu guest settings
+    ../profiles/host_common.nix
+    ../profiles/server_common.nix
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = ["ata_piix" "sr_mod" "uhci_hcd" "virtio_blk" "virtio_pci"];
+    };
+    loader = {
+      grub = {
+        enable = true;
+        device = "/dev/vda";
+      };
+    };
+  };
+
+  # File systems configuration for the Linode VMs
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    {
+      device = "/dev/disk/by-label/swap";
+    }
+  ];
+
+  nix.settings.max-jobs = lib.mkDefault 4;
+
+  networking = {
+    domain = "reciproka.co";
+    useDHCP = lib.mkDefault true;
+    firewall = {
+      enable = true;
+      trustedInterfaces = ["lo"];
+    };
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hardware/linode_vm.nix

@@ -1,13 +1,14 @@
-# Configuration common to all JFDIC Linode VMs
+# Configuration common to all Reciproka Kolektivo Linode VMs
 {
   config,
   pkgs,
   lib,
+  modulesPath,
   ...
 }: {
   imports = [
     # Import the NixOS Qemu guest settings
-    <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+    (modulesPath + "/profiles/qemu-guest.nix")
   ];
 
   boot.initrd.availableKernelModules = ["virtio_pci" "ahci" "sd_mod"];
@@ -39,5 +40,5 @@
     }
   ];
 
-  nix.maxJobs = lib.mkDefault 4;
+  nix.settings.max-jobs = lib.mkDefault 4;
 }

hardware/pi3B.nix

@@ -0,0 +1,80 @@
+# Configuration common to all Raspberry Pi 3 Model B devices
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "bcm2835_dma" # Allows early (earlier) mode setting
+        "i2c_bcm2835" # Allows early (earlier) mode setting
+        "usbhid"
+        "usb_storage"
+        "vc4" # Allows early (earlier) mode setting
+      ];
+    };
+    kernelPackages = pkgs.linuxPackages_5_15; # For a Raspberry Pi 2 or 3)
+    kernelParams = [
+      "cma=32M" # Needed for the virtual console to work on the RPi 3
+      "console=ttyS0,115200n8" # Enable the serial console
+      "console=tty0"
+    ];
+    loader = {
+      generic-extlinux-compatible = {
+        enable = true; # Enables the generation of /boot/extlinux/extlinux.conf
+      };
+      grub = {
+        enable = false; # NixOS wants to enable GRUB by default.
+      };
+      raspberryPi = {
+        enable = false;
+        version = 3;
+        uboot.enable = true;
+        firmwareConfig = ''
+          arm_64bit=1            # Force kernel loading system to assume a 64-bit kernel
+          hdmi_force_hotplug=1   # Enable headless booting
+        '';
+      };
+    };
+  };
+
+  # File systems configuration for using the installer's partition layout
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+    };
+    "/boot/firmware" = {
+      device = "/dev/disk/by-label/FIRMWARE";
+      fsType = "vfat";
+      # Alternatively, this could be removed from the configuration.
+      # The filesystem is not needed at runtime, it could be treated
+      # as an opaque blob instead of a discrete FAT32 filesystem.
+      options = ["nofail" "noauto"];
+    };
+  };
+
+  # !!! Adding a swap file is optional, but strongly recommended!
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 1024;
+    }
+  ];
+
+  hardware = {
+    enableRedistributableFirmware = true; # Enable support for Pi firmware blobs
+  };
+
+  networking = {
+    enableB43Firmware = true; # If true, enable Pi wireless firmware
+  };
+
+  nixpkgs.config.allowUnfree = true; # required by B34Firmare above
+
+  environment.systemPackages = with pkgs; [
+    libraspberrypi # Userland tools for the Raspberry Pi board
+  ];
+}

hardware/raspberry_pi_3_model_B.nix

@@ -0,0 +1,86 @@
+# Configuration common to all Raspberry Pi 3 Model B devices
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "bcm2835_dma" # Allows early (earlier) mode setting
+        "i2c_bcm2835" # Allows early (earlier) mode setting
+        "usbhid"
+        "usb_storage"
+        "vc4" # Allows early (earlier) mode setting
+      ];
+    };
+    kernelPackages = pkgs.linuxPackages_5_15; # For a Raspberry Pi 2 or 3)
+    kernelParams = [
+      "cma=320M" # Needed for the virtual console to work on the RPi 3
+      "console=ttyS0,115200n8" # Enable the serial console
+      "console=tty0"
+    ];
+    loader = {
+      generic-extlinux-compatible = {
+        enable = true; # Enables the generation of /boot/extlinux/extlinux.conf
+        configurationLimit = 5;
+      };
+      grub = {
+        enable = false; # NixOS wants to enable GRUB by default.
+      };
+      raspberryPi = {
+        enable = false;
+        version = 3;
+        firmwareConfig = ''
+          arm_64bit=1            # Force kernel loading system to assume a 64-bit kernel
+          display_auto_detect=1  # Enable auto detection of screen resolution
+          gpu_mem=128
+          hdmi_force_hotplug=1   # Enable headless booting
+        '';
+      };
+    };
+  };
+
+  # File systems configuration for using the installer's partition layout
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+    };
+    "/boot/firmware" = {
+      device = "/dev/disk/by-label/FIRMWARE";
+      fsType = "vfat";
+      # Alternatively, this could be removed from the configuration.
+      # The filesystem is not needed at runtime, it could be treated
+      # as an opaque blob instead of a discrete FAT32 filesystem.
+      options = ["nofail" "noauto"];
+    };
+    #"/var" = {
+    #  device = "/dev/disk/by-label/var";
+    #  fsType = "ext4";
+    #};
+  };
+
+  # !!! Adding a swap file is optional, but strongly recommended!
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 1024;
+    }
+  ];
+
+  hardware = {
+    enableRedistributableFirmware = true; # Enable support for Pi firmware blobs
+  };
+
+  networking = {
+    enableB43Firmware = true; # If true, enable Pi wireless firmware
+  };
+
+  nixpkgs.config.allowUnfree = true; # required by B34Firmare above
+
+  environment.systemPackages = with pkgs; [
+    libraspberrypi # Userland tools for the Raspberry Pi board
+  ];
+}

hosts/toscano.nix

@@ -1,26 +0,0 @@
-# NixOps configuration for toscano
-#
-# https://en.wikipedia.org/wiki/Joseph_Toscano
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}: {
-  imports = [
-    ../networks/linode.nix
-    ../profiles/gitea.nix
-    ../profiles/hakyll-skeleton.nix
-    ../profiles/jfdic-web.nix
-    ../profiles/resrok-web.nix
-    ../profiles/tmateServer.nix
-    ../profiles/voc-web.nix
-    ../secrets/gitea.nix
-  ];
-
-  deployment.targetHost = "45.79.236.198";
-
-  networking.hostName = "toscano";
-
-  system.stateVersion = "21.05"; # The version of NixOS originally installed
-}

modules/piCommon/default.nix

@@ -0,0 +1,14 @@
+# Configuration common to all my servers
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  environment = {
+    # Set the system-wide environment
+    systemPackages = with pkgs; [
+      usbutils # Tools for working with USB devices, such as lsusb
+    ];
+  };
+}

networks/linode-common.nix

@@ -1,4 +1,4 @@
-# NixOps configuration common to Linode VMs
+# NixOS configuration common to Linode VMs
 {
   config,
   pkgs,
@@ -26,7 +26,7 @@
   # Configure firewall defaults:
   networking = {
     usePredictableInterfaceNames = false; # As per Linode's networking guidlines
-    domain = "jfdic.org";
+    domain = "reciproka.co";
     interfaces.eth0.useDHCP = true;
     firewall = {
       enable = true;

networks/linode.nix

@@ -1,4 +1,4 @@
-# NixOps configuration for the Linode VMs
+# Nix configuration for the Linode VMs
 {
   config,
   pkgs,

networks/pi3B_rack.nix

@@ -0,0 +1,26 @@
+# NixOps configuration for the Raspberry Pi 3B Rack
+{
+  imports = [
+    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ../hardware/raspberry_pi_3_model_B.nix
+    ../profiles/host_common.nix
+    ../profiles/server_common.nix
+  ];
+
+  # Ensure the right package architecture is used
+  nixpkgs.localSystem = {
+    system = "aarch64-linux";
+    config = "aarch64-unknown-linux-gnu";
+    allowUnfree = true;
+  };
+
+  systemd.network.networks.eth0.ipv6SendRAConfig = {
+    EmitDNS = true;
+    Managed = true;
+    OtherInformation = true;
+  };
+
+  documentation = {
+    nixos.enable = false; # Save some space by disabling the manual
+  };
+}

nixos/configurations.nix

@@ -0,0 +1,32 @@
+{
+  self,
+  nixpkgs,
+  inputs,
+  ...
+}: let
+  nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;
+  customModules = import ../modules/modules-list.nix;
+  baseModules = [
+    # make flake inputs accessiable in NixOS
+    {_module.args.inputs = inputs;}
+    {
+      imports = [
+        ({pkgs, ...}: {
+          nix.nixPath = [
+            "nixpkgs=${pkgs.path}"
+          ];
+          nix.extraOptions = ''
+            experimental-features = nix-command flakes
+          '';
+          documentation.info.enable = false;
+        })
+      ];
+    }
+  ];
+  defaultModules = baseModules ++ customModules;
+  deployment = {
+    allowLocalDeployment = true;
+  };
+in {
+  #toscano = import ./hosts/toscano/configuration.nix;
+}

nixos/hosts/flemming/default.nix

@@ -0,0 +1,26 @@
+# NixOS configuration for flemming
+#
+# Andy Flemming, AKA Slackbastard is the psuedonym of an Australian anarchist
+# who hosts Yeah Nah Pasaran on radio 3CR and documents fascism and its
+# grave diggers in Australia
+#
+# https://en.wikipedia.org/wiki/Andy_Fleming_(activist)
+# https://slackbastard.anarchobase.com/
+# https://www.3cr.org.au/yeahnahpasaran
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ../../../networks/pi3B_rack.nix
+    ../../../profiles/hakyll-skeleton.nix
+  ];
+
+  # Comment out deployment when building the SD Image.
+  deployment.targetHost = "10.42.0.202";
+  networking.hostName = "flemming"; # Define your hostname.
+
+  system.stateVersion = "23.11"; # The version of NixOS originally installed
+}

nixos/hosts/hollows/default.nix

@@ -0,0 +1,25 @@
+# NixOS configuration for flemming
+#
+# Andy Flemming, AKA Slackbastard is the psuedonym of an Australian anarchist
+# who hosts Yeah Nah Pasaran on radio 3CR and documents fascism and its
+# grave diggers in Australia
+#
+# https://en.wikipedia.org/wiki/Andy_Fleming_(activist)
+# https://slackbastard.anarchobase.com/
+# https://www.3cr.org.au/yeahnahpasaran
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ../../../networks/pi3B_rack.nix
+  ];
+
+  # Comment out deployment when building the SD Image.
+  deployment.targetHost = "10.42.0.203";
+  networking.hostName = "hollows"; # Define your hostname.
+
+  system.stateVersion = "22.05"; # The version of NixOS originally installed
+}

nixos/hosts/pred/default.nix

@@ -0,0 +1,33 @@
+# NixOS configuration for pred
+#
+# <predator>, AKA Michael Carlton or just "pred", was an Australian
+# anarcho-sydnicalist who helped set up Catalyst, a radical community activist
+# tech collective in Sydney, Australia. They went on to provide information
+# technology services for a wide range of activist and commmunity based
+# organisations around both Sydney and Australia. In the process, knowledge was
+# shared, skills were learned and taught - from building and maintaining
+# hardware to writing computer code. It was from this original initiative that
+# an open-posting model of web publishing was developed for the J18 protest
+# that occured worldwide in 1999. The codebase was named 'Active' and went on
+# to power the first Indymedia site. As they say, "the rest is history."
+#
+# Rest in Power, Pred, we miss ya.
+#
+# https://archive.org/stream/PredTxt/Pred-txt_djvu.txt
+# https://indymedia.org.au/2012/04/25/interview-with-pred-predaor-mike-carlton.html
+# https://www.youtube.com/watch?v=Cfe3ExZivdQ
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ../../../hardware/binaryLane_vm.nix
+  ];
+
+  # Comment out deployment when building the SD Image.
+  deployment.targetHost = "203.57.51.158";
+  networking.hostName = "pred"; # Define your hostname.
+
+  system.stateVersion = "23.11"; # The version of NixOS originally installed
+}

nixos/hosts/toscano/configuration.nix

@@ -0,0 +1,39 @@
+# Nix configuration for toscano
+#
+# Dr Joseph Toscano has presented an anarchist analysis on local, national and
+# international news and events that has been distributed nationally on the
+# Community Radio Network since 1977.
+#
+# https://en.wikipedia.org/wiki/Joseph_Toscano
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ../../../networks/linode.nix
+    ../../../profiles/reciproka-web.nix
+    ../../../profiles/reciproka-forgejo.nix
+    ../../../profiles/resrok-web.nix
+    ../../../profiles/tmateServer.nix
+    ../../../profiles/voc-web.nix
+  ];
+
+  age.secrets = {
+    forgejo = {
+      file = ../../../secrets/forgejo.age;
+      owner = "forgejo";
+      group = "forgejo";
+    };
+  };
+
+  deployment = {
+    tags = ["infra"];
+    targetHost = "45.79.236.198";
+  };
+
+  networking.hostName = "toscano";
+
+  system.stateVersion = "21.05"; # The version of NixOS originally installed
+}

outputs.nix

@@ -1,9 +1,10 @@
 {
   self,
   hakyll-skeleton,
-  jfdic-web,
+  reciproka-web,
+  ragenix,
+  colmena,
   nix,
-  nixops,
   nixpkgs,
   nixpkgsUnstable,
   resrok-web,
@@ -12,32 +13,56 @@
   ...
 } @ inputs:
 (utils.lib.eachDefaultSystem (system: let
-  pkgs =
-    nixpkgs.legacyPackages."${system}";
+  pkgs = nixpkgs.legacyPackages."${system}";
 in {
   devShell =
     pkgs.callPackage
     ./shell.nix {
       inherit (nix.packages."${pkgs.system}") nix;
+      inherit (ragenix.packages."${pkgs.system}") ragenix;
+      inherit (colmena.packages."${pkgs.system}") colmena;
       inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra;
-      nixops = nixops.defaultPackage."${pkgs.system}";
     };
 }))
 // {
-  nixopsConfigurations.default = {
-    inherit nixpkgs;
-    network = {
-      description = "jfdic-ops nodes";
-      enableRollback = true;
-      storage.legacy = {
-        databasefile = "~/.nixops/deployments.nixops";
+  colmena = {
+    meta = {
+      description = "NixOS deployment for Reciproka Kolektivo";
+      name = "reciproka-ops";
+      nixpkgs = import nixpkgs {
+        system = "x86_64-linux";
+        overlays = [];
       };
     };
-    defaults = {
-      system.autoUpgrade.enable = false; # Disabled as it conflicts with NixOps
-      _module.args.inputs = inputs; # make flake inputs accessiable in NixOS
-      imports = [./profiles/host_common.nix];
+    defaults = {pkgs, ...}: {
+      imports = [
+        ragenix.nixosModules.default
+      ];
+    };
+    flemming = {
+      imports = [
+        ./nixos/hosts/flemming
+      ];
+    };
+    hollows = {
+      imports = [
+        ./nixos/hosts/hollows
+      ];
+    };
+    pred = {
+      imports = [
+        ./nixos/hosts/pred
+      ];
+    };
+    toscano = {
+      imports = [
+        ./nixos/hosts/toscano/configuration.nix
+      ];
     };
-    toscano = import ./hosts/toscano.nix;
   };
+  # The below lines are in the wrong place
+  #nixosConfigurations = import ./nixos/configurations.nix (inputs
+  #  // {
+  #    inherit inputs;
+  #  });
 }

profiles/bash.nix

@@ -1,4 +1,4 @@
-# Configuration common to all JFDIC servers
+# Configuration common to all Reciproka Kolektivo servers
 {config, ...}: {
   # Program defaults for all hosts
   programs.bash = {

profiles/chrony.nix

@@ -1,4 +1,4 @@
-# NixOps configuration for the hosts running a Chrony service
+# Nix configuration for the hosts running a Chrony service
 {config, ...}: {
   services.chrony = {
     enable = true; # Enable Chrony

profiles/gitea.nix

@@ -1,103 +0,0 @@
-# NixOps configuration for the hosts running Gitea
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}: {
-  services.gitea = {
-    enable = true; # Enable Gitea
-    appName = "JFDI Collective: Gitea Service"; # Give the site a name
-    database = {
-      type = "postgres"; # Database type
-      passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
-    };
-    disableRegistration = true;
-    domain = "source.jfdic.org"; # Domain name
-    rootUrl = "https://source.jfdic.org/"; # Root web URL
-    httpPort = 3002; # Provided unique port
-    settings = let
-      docutils = pkgs.python37.withPackages (ps:
-        with ps; [
-          docutils # Provides rendering of ReStructured Text files
-          pygments # Provides syntax highlighting
-        ]);
-    in {
-      mailer = {
-        ENABLED = true;
-        FROM = "source@jfdic.org";
-      };
-      repository = {
-        DEFAULT_BRANCH = "consensus";
-      };
-      service = {
-        REGISTER_EMAIL_CONFIRM = true;
-      };
-      "markup.restructuredtext" = {
-        ENABLED = true;
-        FILE_EXTENSIONS = ".rst";
-        RENDER_COMMAND = "${docutils}/bin/rst2html.py";
-        IS_INPUT_FILE = false;
-      };
-      ui = {
-        DEFAULT_THEME = "gitea"; # Set the default theme
-      };
-    };
-  };
-
-  systemd = {
-    services = {
-      gitea = {
-        # Ensure gitea starts after nixops keys are loaded
-        after = ["gitea-dbpass-key.service"];
-        wants = ["gitea-dbpass-key.service"];
-      };
-    };
-  };
-
-  services.postgresql = {
-    enable = true; # Ensure postgresql is enabled
-    authentication = ''
-      local gitea all ident map=gitea-users
-    '';
-    identMap =
-      # Map the gitea user to postgresql
-      ''
-        gitea-users gitea gitea
-      '';
-    ensureDatabases = ["gitea"]; # Ensure the database persists
-    ensureUsers = [
-      {
-        name = "gitea"; # Ensure the database user persists
-        ensurePermissions = {
-          # Ensure the database permissions persist
-          "DATABASE gitea" = "ALL PRIVILEGES";
-          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
-        };
-      }
-    ];
-  };
-
-  services.nginx = {
-    enable = true; # Enable Nginx
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    virtualHosts."source.jfdic.org" = {
-      # Gitea hostname
-      enableACME = true; # Use ACME certs
-      forceSSL = true; # Force SSL
-      locations."/".proxyPass = "http://localhost:3002/"; # Proxy Gitea
-    };
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    certs = {
-      "source.jfdic.org".email = "source@jfdic.org";
-    };
-  };
-
-  users.groups.keys.members = ["gitea"]; # Required due to NixOps issue #1204
-}

profiles/hakyll-skeleton.nix

@@ -1,13 +1,13 @@
-# NixOps configuration for deploying the JFDIC website
+# NixOS configuration for deploying the Reciproka Kolektivo website
 {
   self,
   config,
-  inputs,
   pkgs,
   ...
 }: let
-  hakyll-skeleton = import inputs.hakyll-skeleton {};
-  webdomain = "skeleton.jfdic.org";
+  flake = builtins.getFlake (toString ../.);
+  hakyll-skeleton = flake.inputs.hakyll-skeleton.packages."${pkgs.system}".default;
+  webdomain = "skeleton.reciproka.dev";
 in {
   environment.sessionVariables = {
     LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";

profiles/host_common.nix

@@ -1,4 +1,4 @@
-# Configuration common to all JFDIC servers
+# Configuration common to all Reciproka Kolektivo servers
 {
   config,
   pkgs,
@@ -17,9 +17,7 @@
   ];
 
   # Common boot settings
-  boot = {
-    cleanTmpDir = true; # Clean /tmp on reboot
-  };
+  boot.tmp.cleanOnBoot = true; # Clean /tmp on reboot ;
 
   # Select internationalisation properties.
   i18n = {
@@ -29,7 +27,7 @@
   # Set the defaul console properties
   console = {
     keyMap = "us"; # Set the default console key map
-    font = "ter-powerline-v16Rv"; # Set the default console font
+    font = "ter-powerline-v32n"; # Set the default console font
   };
 
   time.timeZone = "Etc/UTC";
@@ -40,12 +38,14 @@
   security.sudo.wheelNeedsPassword = false;
 
   # Configure and install required fonts
-  fonts.enableDefaultFonts = true;
-  fonts.fontDir.enable = true;
-  fonts.fonts = with pkgs; [
-    powerline-fonts # Required for Powerline prompts
-  ];
-  fonts.fontconfig.includeUserConf = false;
+  fonts = {
+    enableDefaultPackages = true;
+    fontDir.enable = true;
+    packages = with pkgs; [
+      powerline-fonts # Required for Powerline prompts
+    ];
+    fontconfig.includeUserConf = false;
+  };
 
   # Adapted from gchristensen and clever
   nix = {
@@ -56,7 +56,7 @@
         cfg =
           pkgs.writeText "configuration.nix"
           ''
-            assert builtins.trace "This system is managed by NixOps." false;
+            assert builtins.trace "This system is managed by Colmena." false;
             {}
           '';
       in "nixos-config=${cfg}")
@@ -69,12 +69,14 @@
       dates = "weekly";
       options = "--delete-older-than 90d";
     };
-    autoOptimiseStore = true;
     extraOptions = ''
       show-trace = true                 # Enable --show-trace by default for nix
       builders-use-substitutes = true   # Set builders to use caches
     '';
-    trustedUsers = ["fiscalvelvetpoet"];
+    settings = {
+      auto-optimise-store = true;
+      trusted-users = ["fiscalvelvetpoet"];
+    };
   };
 
   system.extraSystemBuilderCmds = ''
@@ -106,6 +108,6 @@
     ];
   };
 
-  # Users common across JFDIC Ops:
+  # Users common across Reciproka Ops:
   users.mutableUsers = false; # Remove any users not defined in here
 }

profiles/logrotate.nix

@@ -1,4 +1,4 @@
-# logrotate configuration for NixOS / NixOps
+# logrotate configuration for NixOS
 {config, ...}: {
   services.logrotate = {
     enable = true; # Enable the logrotate service

profiles/neovim.nix

@@ -157,7 +157,7 @@
             set undodir=/tmp/.vim-undo-dir
             set undofile
 
-            " JFDIC Markdown environment
+            " Reciproka Kolektivo Markdown environment
             function! MarkdownSettings()
                 set textwidth=79
                 set spell spelllang=en_au
@@ -165,7 +165,7 @@
             autocmd BufNewFile,BufFilePre,BufRead *.mdwn :call MarkdownSettings()
             autocmd BufNewFile,BufFilePre,BufRead *.md :call MarkdownSettings()
 
-            " JFDIC ReStructured Text environment
+            " Reciproka Kolektivo ReStructured Text environment
             function! ReStructuredSettings()
                 set textwidth=79
                 set spell spelllang=en_au
@@ -176,14 +176,14 @@
             autocmd BufNewFile,BufFilePre,BufRead *.rst :call ReStructuredSettings()
             autocmd BufNewFile,BufFilePre,BufRead *.txt :call ReStructuredSettings()
 
-            " JFDIC LaTeX environment:
+            " Reciproka Kolektivo LaTeX environment:
             function! LaTeXSettings()
                 set textwidth=79
                 set spell spelllang=en_au
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.tex :call LaTeXSettings()
 
-            " Settings for JFDIC Haskell environment:
+            " Settings for Reciproka Kolektivo Haskell environment:
             function! HaskellSettings()
                 set tabstop=2
                 set shiftwidth=2
@@ -192,7 +192,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.hs :call HaskellSettings()
 
-            " Settings for JFDIC Nix environment:
+            " Settings for Reciproka Kolektivo Nix environment:
             function! NixSettings()
                 set tabstop=2
                 set shiftwidth=2
@@ -202,7 +202,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.nix :call NixSettings()
 
-            " Settings for JFDIC Cue environment:
+            " Settings for Reciproka Kolektivo Cue environment:
             function! CueSettings()
                 set noexpandtab
                 set tabstop=2
@@ -212,7 +212,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.cue :call CueSettings()
 
-            " Settings for JFDIC Rust environment:
+            " Settings for Reciproka Kolektivo Rust environment:
             function! RustSettings()
                 set tabstop=4
                 set shiftwidth=4
@@ -222,7 +222,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.rs :call RustSettings()
 
-            " Settings for JFDIC Crystal environment:
+            " Settings for Reciproka Kolektivo Crystal environment:
             function! CrystalSettings()
                 set tabstop=2
                 set shiftwidth=2
@@ -232,7 +232,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.cr :call CrystalSettings()
 
-            " Settings for JFDIC Golang environment:
+            " Settings for Reciproka Kolektivo Golang environment:
             function! GoSettings()
                 set tabstop=7
                 set shiftwidth=7
@@ -240,7 +240,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.go :call GoSettings()
 
-            " Settings for JFDIC Python environment:
+            " Settings for Reciproka Kolektivo Python environment:
             function! PythonSettings()
                 set tabstop=4
                 set shiftwidth=4
@@ -250,7 +250,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.py :call PythonSettings()
 
-            " JFDIC Mutt environment
+            " Reciproka Kolektivo Mutt environment
             function! MuttSettings()
                 set textwidth=79
                 set spell spelllang=en_au
@@ -261,7 +261,7 @@
             autocmd BufNewFile,BufFilePre,BufRead mutt-* :call MuttSettings()
             autocmd BufNewFile,BufFilePre,BufRead neomutt-* :call MuttSettings()
 
-            " Settings for JFDIC C environment:
+            " Settings for Reciproka Kolektivo C environment:
             function! CSettings()
                 set tabstop=2
                 set shiftwidth=2
@@ -270,7 +270,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.c :call CSettings()
 
-            " Settings for JFDIC YAML environment:
+            " Settings for Reciproka Kolektivo YAML environment:
             function! YAMLSettings()
                 set tabstop=2
                 set shiftwidth=2
@@ -284,7 +284,7 @@
             autocmd BufNewFile,BufFilePre,BufRead *.yaml :call YAMLSettings()
             autocmd BufNewFile,BufFilePre,BufRead *.yml :call YAMLSettings()
 
-            " Settings for JFDIC Bash environment:
+            " Settings for Reciproka Kolektivo Bash environment:
             function! BashSettings()
                 set tabstop=4
                 set shiftwidth=4

profiles/nix-direnv.nix

@@ -1,4 +1,4 @@
-# NixOps configuration nix-direnv
+# Nix configuration nix-direnv
 {
   config,
   pkgs,
@@ -16,11 +16,11 @@
   environment = {
     systemPackages = with pkgs; [
       direnv # A shell extension that manages your environment
-      nix-direnv # A fast, persistent use_nix implementation for direnv
-    ];
-    pathsToLink = [
-      "/share/nix-direnv"
+      #nix-direnv # A fast, persistent use_nix implementation for direnv
     ];
+    #  pathsToLink = [
+    #    "/share/nix-direnv"
+    #  ];
   };
 
   nixpkgs.overlays = [

profiles/openssh.nix

@@ -7,9 +7,6 @@
 }: {
   services.openssh = {
     enable = true; # Enable the OpenSSH daemon.
-    permitRootLogin = "prohibit-password";
-    kbdInteractiveAuthentication = false;
-    passwordAuthentication = false;
     openFirewall = true;
     hostKeys = [
       {
@@ -17,5 +14,10 @@
         type = "ed25519";
       }
     ];
+    settings = {
+      KbdInteractiveAuthentication = false;
+      PasswordAuthentication = false;
+      PermitRootLogin = "prohibit-password";
+    };
   };
 }

profiles/reciproka-forgejo.nix

@@ -0,0 +1,118 @@
+# Nix configuration for the Reciproka Kolectivo Forgejo service
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  flake = builtins.getFlake (toString ../.);
+  nixpkgsUnstable = flake.inputs.nixpkgsUnstable;
+in {
+  services.forgejo = {
+    enable = true; # Enable Forgejo
+    appName = "Reciproka Kolektivo: Forgejo Service"; # Give the site a name
+    database = {
+      type = "postgres"; # Database type
+      passwordFile = config.age.secrets.forgejo.path;
+    };
+    domain = "reciproka.dev"; # Domain name
+    httpPort = 3002; # Provided unique port
+    rootUrl = "https://reciproka.dev/"; # Root web URL
+    settings = let
+      DEFAULT.APP_NAME = "Reciproka Kolektivo: Forgejo Service"; # Give the site a name
+      server = {
+        DOMAIN = "reciproka.dev"; # Domain name
+        HTTP_PORT = 3002; # Provided unique port
+        ROOT_URL = "https://reciproka.dev/"; # Root web URL
+      };
+    in {
+      mailer = {
+        ENABLED = true;
+        FROM = "fonto@reciproka.dev";
+      };
+      repository = {
+        DEFAULT_BRANCH = "consensus";
+      };
+      service = {
+        DISABLE_REGISTRATION = true;
+        REGISTER_EMAIL_CONFIRM = true;
+      };
+      "markup.restructuredtext" = {
+        ENABLED = true;
+        FILE_EXTENSIONS = ".rst";
+        RENDER_COMMAND = "timeout 30s ${pkgs.pandoc}/bin/pandoc +RTS -M512M -RTS -f rst";
+        IS_INPUT_FILE = false;
+      };
+      ui = {
+        DEFAULT_THEME = "forgejo-auto"; # Set the default theme
+        THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,arc-green,forgejo";
+      };
+    };
+  };
+
+  systemd = {
+    services = {
+      forgejo = {
+        # Ensure forgejo starts after keys are loaded
+        after = ["forgejo-dbpass-key.service"];
+        wants = ["forgejo-dbpass-key.service"];
+      };
+    };
+  };
+
+  services.postgresql = {
+    enable = true; # Ensure postgresql is enabled
+    authentication = ''
+      local forgejo all ident map=forgejo-users
+    '';
+    identMap =
+      # Map the forgejo user to postgresql
+      ''
+        forgejo-users forgejo forgejo
+      '';
+    ensureDatabases = ["forgejo"]; # Ensure the database persists
+    ensureUsers = [
+      {
+        name = "forgejo"; # Ensure the database user persists
+        ensureDBOwnership = true;
+      }
+    ];
+    package = pkgs.postgresql_16;
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    compression = "zstd";
+    databases = ["forgejo"];
+    startAt = "*-*-* 15:00:00";
+  };
+
+  services.nginx = {
+    enable = true; # Enable Nginx
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts."source.jfdic.org" = {
+      enableACME = true; # Use ACME certs
+      forceSSL = true; # Force SSL
+      locations."/" = {
+        return = "301 https://reciproka.dev$request_uri";
+      };
+    };
+    virtualHosts."reciproka.dev" = {
+      # Forgejo hostname
+      enableACME = true; # Use ACME certs
+      forceSSL = true; # Force SSL
+      locations."/".proxyPass = "http://localhost:3002/"; # Proxy Forgejo
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    certs = {
+      "reciproka.dev".email = "admin@reciproka.co";
+      "source.jfdic.org".email = "admin@reciproka.co";
+    };
+  };
+}

profiles/reciproka-web.nix

@@ -1,13 +1,13 @@
-# NixOps configuration for deploying the JFDIC website
+# Nix configuration for deploying the Reciproka Kolektivo website
 {
   self,
   config,
-  inputs,
   pkgs,
   ...
 }: let
-  jfdic-web = import inputs.jfdic-web {};
-  webdomain = "jfdic.org";
+  flake = builtins.getFlake (toString ../.);
+  reciproka-web = flake.inputs.reciproka-web.packages."${pkgs.system}".default;
+  webdomain = "reciproka.net";
 in {
   environment.sessionVariables = {
     LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
@@ -24,11 +24,18 @@ in {
         # website hostname
         enableACME = true; # Use ACME certs
         forceSSL = true; # Force SSL
-        root = "${jfdic-web}"; # Wesbite root
+        root = "${reciproka-web}"; # Wesbite root
       };
       "www.${webdomain}" = {
         # Respect our elders :-)
         locations."/".extraConfig = "return 301 $scheme://${webdomain}$request_uri;";
+        enableACME = true; # Use ACME certs
+        forceSSL = true; # Force SSL
+      };
+      "reciproka.co" = {
+        locations."/".extraConfig = "return 301 $scheme://${webdomain}$request_uri;";
+        enableACME = true; # Use ACME certs
+        forceSSL = true; # Force SSL
       };
     };
   };
@@ -36,10 +43,9 @@ in {
   security.acme = {
     acceptTerms = true;
     certs = {
-      "${webdomain}" = {
-        email = "admin@${webdomain}";
-        #group = "matrix-synapse";
-      };
+      "${webdomain}" = {email = "admin@${webdomain}";};
+      "www.${webdomain}" = {email = "admin@${webdomain}";};
+      "reciproka.co" = {email = "admin@${webdomain}";};
     };
   };
 

profiles/resrok-web.nix

@@ -1,12 +1,12 @@
-# NixOps configuration for deploying the JFDIC website
+# NixOS configuration for deploying the Resilient Rockhampton website
 {
   self,
   config,
-  inputs,
   pkgs,
   ...
 }: let
-  resrok-web = import inputs.resrok-web {};
+  flake = builtins.getFlake (toString ../.);
+  resrok-web = import flake.inputs.resrok-web {};
   webdomain = "resrok.org";
 in {
   environment.sessionVariables = {

profiles/server_common.nix

@@ -1,4 +1,4 @@
-# Configuration common to all JFDIC servers
+# Configuration common to all Reciproka Kolektivo servers
 {
   config,
   pkgs,
@@ -7,8 +7,7 @@
 }: {
   imports = [
     ../profiles/openssh.nix
-    ../secrets/user-fiscalvelvetpoet.nix
-    ../secrets/user-root.nix
+    ../profiles/users.nix
   ];
 
   programs.mosh = {

profiles/tmateServer.nix

@@ -3,6 +3,6 @@
   services.tmate = {
     enable = true;
     openFirewall = true;
-    sshHostname = "tmate.jfdic.org";
+    sshHostname = "tmate.reciproka.co";
   };
 }

profiles/users.nix

@@ -0,0 +1,37 @@
+# User configuration common to all Reciproka Kolektivo servers
+{
+  config,
+  pkgs,
+  ...
+}: {
+  age.secrets = {
+    root.file = ../secrets/root.age;
+    fiscalvelvetpoet.file = ../secrets/fiscalvelvetpoet.age;
+  };
+
+  # Reciproka Ops groups:
+  users.groups.fiscalvelvetpoet.gid = 1000;
+
+  # Reciproka Ops Users
+  users.users.fiscalvelvetpoet = {
+    isNormalUser = true;
+    uid = 1000;
+    group = "fiscalvelvetpoet";
+    extraGroups = ["wheel"];
+    # fix this
+    hashedPasswordFile = config.age.secrets.fiscalvelvetpoet.path;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@reciproka"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
+    ];
+  };
+
+  users.users.root = {
+    # fix this
+    hashedPasswordFile = config.age.secrets.root.path;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@reciproka"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
+    ];
+  };
+}

profiles/voc-web.nix

@@ -1,12 +1,12 @@
-# NixOps configuration for deploying the Voices of Capricornia website
+# Nix configuration for deploying the Voices of Capricornia website
 {
   self,
   config,
-  inputs,
   pkgs,
   ...
 }: let
-  voc-web = import inputs.voc-web {};
+  flake = builtins.getFlake (toString ../.);
+  voc-web = import flake.inputs.voc-web {};
   webdomain = "voicesofcapricornia.org";
 in {
   environment.sessionVariables = {

profiles/zsh.nix

@@ -1,4 +1,4 @@
-# Configuration common to all JFDIC servers
+# Configuration common to all Reciproka Kolektivo servers
 {
   config,
   pkgs,

secrets/fiscalvelvetpoet.age

@@ -0,0 +1,21 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBSMUhj
+Zk9XdkxaZkpXYkF3K2lpbkR5dmZYYzJhUi9UanpBVEI1S2IvZXhNCnpyT09mZHNv
+YktCcUd5Y2w1bnNNajFjaWl6Um9yWFpUTkFGdjRINnZFRW8KLT4gc3NoLWVkMjU1
+MTkgUWQwZXBRIHE3RXdLUC82TVNJdHIvU2xnWGF1QktCZGkxbFhsT0dxVDRZZWgy
+aVBUbDQKUkxqdTc5ZlhQaG5OOXhtSVBlR2FCR2c3ZGR2cnFUWnN0WkQxRDRlWlg1
+YwotPiBzc2gtZWQyNTUxOSB1N1ozancgR2pTOVZ5cGpmdzMzT1ZYelAwTTI1TVpG
+QUdlZ0xBZEo4NkpoZlZEVGlFTQpFelJDQ0RKaFFsVlRESERmMWJIQjZJcmh1QzBI
+VFU3QmZGZ2JKcFMyNmJrCi0+IHNzaC1lZDI1NTE5IFpEOGxNdyBYSHdCdXJRTUVI
+eDFJZHRHY2JhUTRha1JNRFg5c3ppbVo0OGdQSXdPOUdJCjBFSTVpd2JWd2xkTjZx
+VDVuMlVHb1Z1aEhYU2kxWkpwV2hJUDZQRzNkckUKLT4gc3NoLWVkMjU1MTkgZjVU
+aEFnIG1zay9zeUFtd3dkOTJQUFR6S0ZnUm9jbmQ0TkJQU2pJTTYrMmNEaE5KeTAK
+WXN2OFM2anNYYXF6Wk9rUnFjQzNGSjdhTGFyVDhhd1dORWxRaUpuRG9XUQotPiBe
+d3pXUTxFLWdyZWFzZSBvVT16IFw3Oz02IGQ/ZFVjQS4KVnBKTVc0YzR3SEhaOS80
+bzE1NXMxaHh1QStNaXZ4eGZrbDdrV0k5YW5rQTdKbGJsbzZsRzFLMi9veTAKLS0t
+IGdEblEzcTdkcWVFVURycTJsTUl5MHEySUdTRTJub1hMVnJNekMxQTAxTGcKot0G
+3I1FgBm5Hw3MkQXfRdX6FgzAAEmH0t+v8R087u7vDbzVFVwVWGm4qQuHTwYNa1Yu
+5gcM8LAg9N/ZV6Mc7+OlqKoKTs6S+VhphfbuDPrwJZUJT/OO30MgEdgemZ+JtQoA
+O5str1O/0MBTQRyqJglcIjD2rPQcl9cZQupvJeaTOkdoLQ3Pv8aUrZBg3yHg6JX4
+N5siGxgv/NfGcpCvkUM=
+-----END AGE ENCRYPTED FILE-----

secrets/forgejo.age

@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBuMjdR
+ZzN1QTRIend1TWhLSDZzQ0JQUG9tZFdGZUo4QUljV3pnaEdDR1VzCi9PRXFnTDlD
+NFhtYW4reHphUFFqUVBDd2pxY2liOXgwRUlIZzcvZTdWWTAKLT4gc3NoLWVkMjU1
+MTkgZjVUaEFnIGRvQUFSMzFzVmZLT0Z4SlczNmdicThCYklBbisvcmlzejI4b3Jm
+ZVRTVmsKWDlKTkV6STJaSEVDL0tMVmMvcUt0L3pOS0xXU281bjRXSkJDSXloLzZE
+OAotPiBVLWdyZWFzZSBCZTMgM01ZIEd0OWcKdnMvd0FJOEhmQTdTcElld0JsNXdD
+bS9hWUtHam1PR0tyTmowck1rVEEzZXc0QjhWNjVNZVU0anRCS1lrMkRtVApQcVdV
+djJORHppTEFib1VLOC9LbG5OdWhNdEZKWGJyQ3Z6dUFTOEw5WjZsT2E4SDRSSUlK
+aEpWRUNYRlZTdwotLS0geFBJK21QRGZxd3lZRjZRanhDeFRDTTd6T1p2UGhiNXBm
+NnhaWkptcDFsYwqWryUWy5DtJHpelFVJu9DnS2rUS9JVnjIHCj2MNYrs6f5cxzZP
+4+CUjz1Agu+ODFUvsl/ccIvcaS0=
+-----END AGE ENCRYPTED FILE-----

secrets/root.age

@@ -0,0 +1,22 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBsWm9s
+UzB6bzM2VU9IR3Y2MUcrdmtJTk1nM3h0VFV4WFNaaU9pZ0pHMWxBClpiRDZ3VVU1
+VkE5SHhJZXc4RGJOenY3Qzc1eXN6Y1M2d1ZnU1dIbHFvQUUKLT4gc3NoLWVkMjU1
+MTkgUWQwZXBRIGVCZURhelZkTFpoRldaVlZoZzVBenBjbEROUlIrTERnN2VpNmhP
+dVFNSDQKNXNWNU5iOGRBV3ZMVzdSVXRPSTkvQzJpblVsbERJekM0VHdnbEwyd0tG
+VQotPiBzc2gtZWQyNTUxOSB1N1ozancgY2pvTllQbytTbDBZaHlSbVFxa2ZYbmFt
+OTlvYTQrMUcybVdJd2gxb2Jsbwo4RXBLMkdYSFY3aHYxSGZnS0h4S21ablBueFBz
+L2JFaEhaYWR5VFFNQzhVCi0+IHNzaC1lZDI1NTE5IFpEOGxNdyBDZGNmblJIWGtx
+QWhEeldzVGZmUWJ6anM4Y2hTT0tpUVNpNDVyRDJRQ240Clk2bmpCVlI4RWduRS80
+cVRVWWwycDdtdVpFS25BSDAzOEh5YUcxdW9GclkKLT4gc3NoLWVkMjU1MTkgZjVU
+aEFnIDZBbXVIQVdoaVl6TlZXR1FmeEtwL0hBNWc4c0lvSFlQTzZVc1VJZ09PMXcK
+VnhFVVg4eTZiRU1YbUhxUzJrYXRUeWpVVFdOSWpUNHNvUWZCRXd1U3Y3VQotPiBB
+IW9WfGMlLWdyZWFzZQo2WmhadWt6cFZ3S2FONDFIWUFPWWpMOXFRT1d2alNPajVI
+aUJrdmVVT1J1OHA3Uy9LMjdadSs4RnhldGNxWGNtCitJSHhKSlhnMzI0UDdtSFBX
+T0tuY0NvRkI5Q0F6YkJmSHI3aFlReHJORVNLL1RJMkI5QUt5NllmcGcKLS0tIGFQ
+YXpDdDhnR05PaGQ0WEdVd2hMUURnRmtnbDVvWkt0ZDNtaVhxT0ZIbFUKcYbxjmgx
+v7X82tsU3fuTUo9l2q3HmHECwKlvyqsXyyJst+/jJgANfE7/tHm0t6Dm4fPgBvdN
+0AqTDx1p7PLvfQhMuhD2G9mHGLwcom3xUOI8h6JkMCv+bojWD9RCEB+wsAwfCzVV
+pStMrMl6copsy1/E4yXkkm+kBgIMFeGzQvRyZ+UCri0rjzsGFQWEgUgD3fFcNJIq
+HCYi0uW970YK2qI=
+-----END AGE ENCRYPTED FILE-----

secrets/secrets.nix

@@ -0,0 +1,22 @@
+# Used by ragenix nix only.
+# Ensure that $RULES has been set via direnv
+# Edit a key: `agenix -i ~/.ssh/id_ed25519 -e secrets/someKey.age`
+# run `ragenix -r -i /path/to/your/key` after modifying any keys below
+#
+# Re-keying is required after adding new hosts or keys:
+# run `ragenix -r -i /path/to/your/key`
+let
+  fiscalvelvetpoet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so";
+  ops = [fiscalvelvetpoet];
+  users = [fiscalvelvetpoet];
+
+  flemming = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK16f3Fjj0BY9vjtXahezMAP3I329hHEQXCceRTkr+Yu";
+  hollows = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEGB8EUbqoarM4GmPgE2DBF4z/L6wVNc+lF27Z83XDUz";
+  pred = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMK5BOK1ldtZ+SV4QxfNm/PfOLOWv3/VHf/JbdMMoMzw";
+  toscano = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWcukRkNUQUbgXQle8q9xszDZOnDf3BVpPSFgycJVVE";
+  systems = [flemming hollows pred toscano];
+in {
+  "root.age".publicKeys = ops ++ systems;
+  "fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems;
+  "forgejo.age".publicKeys = [fiscalvelvetpoet toscano];
+}

shell.nix

@@ -1,16 +1,19 @@
 {
   pkgs ? import <nixpkgs> {},
+  ragenix,
   alejandra,
   mkShell,
-  nixops,
+  colmena,
   nix,
 }:
 with pkgs;
   mkShell {
     buildInputs = [
+      ragenix # CLI management of secrets encrypted via existing SSH keys
       alejandra # The Uncompromising Nix Code Formatter
-      nixops
-      nix
+      colmena # simple, stateless NixOS deployment tool
+      nix # Powerful package manager that makes package management reliable and reproducible
+      tea # Gitea official CLI client
       treefmt # one CLI to format the code tree
     ];
   }