trajto(reciproka-web): konverti al floko

resolves #13

flake.nix

@@ -8,18 +8,16 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     hakyll-skeleton = {
-      flake = false;
+      url = "git+https://reciproka.dev/reciproka/hakyll-skeleton/?ref=consensus";
-      url = git+https://reciproka.dev/reciproka/hakyll-skeleton/?ref=consensus;
+      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    reciproka-web = {
-      flake = false;
-      url = git+https://reciproka.dev/reciproka/reciproka-web/?ref=consensus;
     };
+    reciproka-web.url = "git+https://reciproka.dev/reciproka/reciproka-web/?ref=consensus";
     resrok-web = {
       flake = false;
       url = git+https://reciproka.dev/resrok/resrok-web/?ref=consensus;
     };
-    nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-23.11;
+    nix.url = github:NixOS/nix/?ref=2.24.6;
+    nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-24.05;
     nixpkgsUnstable.url = github:NixOS/nixpkgs/?ref=nixos-unstable;
     utils.url = "github:numtide/flake-utils";
     voc-web = {

hardware/binaryLane_vm.nix

@@ -0,0 +1,51 @@
+# Configuration common to all Reciproka Kolektivo Binary Lane VMs
+{
+  config,
+  pkgs,
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix") # Import the NixOS Qemu guest settings
+    ../profiles/host_common.nix
+    ../profiles/server_common.nix
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = ["ata_piix" "sr_mod" "uhci_hcd" "virtio_blk" "virtio_pci"];
+    };
+    loader = {
+      grub = {
+        enable = true;
+        device = "/dev/vda";
+      };
+    };
+  };
+
+  # File systems configuration for the Linode VMs
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    {
+      device = "/dev/disk/by-label/swap";
+    }
+  ];
+
+  nix.settings.max-jobs = lib.mkDefault 4;
+
+  networking = {
+    domain = "reciproka.co";
+    useDHCP = lib.mkDefault true;
+    firewall = {
+      enable = true;
+      trustedInterfaces = ["lo"];
+    };
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hardware/raspberry_pi_3_model_B.nix

@@ -24,6 +24,7 @@
     loader = {
       generic-extlinux-compatible = {
         enable = true; # Enables the generation of /boot/extlinux/extlinux.conf
+        configurationLimit = 5;
       };
       grub = {
         enable = false; # NixOS wants to enable GRUB by default.
@@ -31,7 +32,6 @@
       raspberryPi = {
         enable = false;
         version = 3;
-        uboot.enable = true;
         firmwareConfig = ''
           arm_64bit=1            # Force kernel loading system to assume a 64-bit kernel
           display_auto_detect=1  # Enable auto detection of screen resolution

nixos/hosts/flemming/default.nix

@@ -15,6 +15,7 @@
 }: {
   imports = [
     ../../../networks/pi3B_rack.nix
+    ../../../profiles/hakyll-skeleton.nix
   ];
 
   # Comment out deployment when building the SD Image.

nixos/hosts/hollows/default.nix

@@ -0,0 +1,25 @@
+# NixOS configuration for flemming
+#
+# Andy Flemming, AKA Slackbastard is the psuedonym of an Australian anarchist
+# who hosts Yeah Nah Pasaran on radio 3CR and documents fascism and its
+# grave diggers in Australia
+#
+# https://en.wikipedia.org/wiki/Andy_Fleming_(activist)
+# https://slackbastard.anarchobase.com/
+# https://www.3cr.org.au/yeahnahpasaran
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ../../../networks/pi3B_rack.nix
+  ];
+
+  # Comment out deployment when building the SD Image.
+  deployment.targetHost = "10.42.0.203";
+  networking.hostName = "hollows"; # Define your hostname.
+
+  system.stateVersion = "22.05"; # The version of NixOS originally installed
+}

nixos/hosts/pred/default.nix

@@ -0,0 +1,33 @@
+# NixOS configuration for pred
+#
+# <predator>, AKA Michael Carlton or just "pred", was an Australian
+# anarcho-sydnicalist who helped set up Catalyst, a radical community activist
+# tech collective in Sydney, Australia. They went on to provide information
+# technology services for a wide range of activist and commmunity based
+# organisations around both Sydney and Australia. In the process, knowledge was
+# shared, skills were learned and taught - from building and maintaining
+# hardware to writing computer code. It was from this original initiative that
+# an open-posting model of web publishing was developed for the J18 protest
+# that occured worldwide in 1999. The codebase was named 'Active' and went on
+# to power the first Indymedia site. As they say, "the rest is history."
+#
+# Rest in Power, Pred, we miss ya.
+#
+# https://archive.org/stream/PredTxt/Pred-txt_djvu.txt
+# https://indymedia.org.au/2012/04/25/interview-with-pred-predaor-mike-carlton.html
+# https://www.youtube.com/watch?v=Cfe3ExZivdQ
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ../../../hardware/binaryLane_vm.nix
+  ];
+
+  # Comment out deployment when building the SD Image.
+  deployment.targetHost = "203.57.51.158";
+  networking.hostName = "pred"; # Define your hostname.
+
+  system.stateVersion = "23.11"; # The version of NixOS originally installed
+}

nixos/hosts/toscano/configuration.nix

@@ -13,7 +13,6 @@
 }: {
   imports = [
     ../../../networks/linode.nix
-    ../../../profiles/hakyll-skeleton.nix
     ../../../profiles/reciproka-web.nix
     ../../../profiles/reciproka-forgejo.nix
     ../../../profiles/resrok-web.nix

outputs.nix

@@ -4,6 +4,7 @@
   reciproka-web,
   ragenix,
   colmena,
+  nix,
   nixpkgs,
   nixpkgsUnstable,
   resrok-web,
@@ -17,6 +18,7 @@ in {
   devShell =
     pkgs.callPackage
     ./shell.nix {
+      inherit (nix.packages."${pkgs.system}") nix;
       inherit (ragenix.packages."${pkgs.system}") ragenix;
       inherit (colmena.packages."${pkgs.system}") colmena;
       inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra;
@@ -32,16 +34,29 @@ in {
         overlays = [];
       };
     };
+    defaults = {pkgs, ...}: {
+      imports = [
+        ragenix.nixosModules.default
+      ];
+    };
     flemming = {
       imports = [
         ./nixos/hosts/flemming
-        ragenix.nixosModules.default
+      ];
+    };
+    hollows = {
+      imports = [
+        ./nixos/hosts/hollows
+      ];
+    };
+    pred = {
+      imports = [
+        ./nixos/hosts/pred
       ];
     };
     toscano = {
       imports = [
         ./nixos/hosts/toscano/configuration.nix
-        ragenix.nixosModules.default
       ];
     };
   };

profiles/hakyll-skeleton.nix

@@ -6,8 +6,8 @@
   ...
 }: let
   flake = builtins.getFlake (toString ../.);
-  hakyll-skeleton = import flake.inputs.hakyll-skeleton {};
+  hakyll-skeleton = flake.inputs.hakyll-skeleton.packages."${pkgs.system}".default;
-  webdomain = "skeleton.reciproka.co";
+  webdomain = "skeleton.reciproka.dev";
 in {
   environment.sessionVariables = {
     LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";

profiles/reciproka-forgejo.nix

@@ -19,12 +19,12 @@ in {
     httpPort = 3002; # Provided unique port
     rootUrl = "https://reciproka.dev/"; # Root web URL
     settings = let
+      DEFAULT.APP_NAME = "Reciproka Kolektivo: Forgejo Service"; # Give the site a name
       server = {
         DOMAIN = "reciproka.dev"; # Domain name
         HTTP_PORT = 3002; # Provided unique port
         ROOT_URL = "https://reciproka.dev/"; # Root web URL
       };
-      service.DISABLE_REGISTRATION = true;
     in {
       mailer = {
         ENABLED = true;
@@ -34,6 +34,7 @@ in {
         DEFAULT_BRANCH = "consensus";
       };
       service = {
+        DISABLE_REGISTRATION = true;
         REGISTER_EMAIL_CONFIRM = true;
       };
       "markup.restructuredtext" = {
@@ -73,11 +74,7 @@ in {
     ensureUsers = [
       {
         name = "forgejo"; # Ensure the database user persists
-        ensurePermissions = {
+        ensureDBOwnership = true;
-          # Ensure the database permissions persist
-          "DATABASE forgejo" = "ALL PRIVILEGES";
-          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
-        };
       }
     ];
     package = pkgs.postgresql_16;

profiles/reciproka-web.nix

@@ -6,8 +6,8 @@
   ...
 }: let
   flake = builtins.getFlake (toString ../.);
-  reciproka-web = import flake.inputs.reciproka-web {};
+  reciproka-web = flake.inputs.reciproka-web.packages."${pkgs.system}".default;
-  webdomain = "reciproka.co";
+  webdomain = "reciproka.net";
 in {
   environment.sessionVariables = {
     LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
@@ -29,6 +29,13 @@ in {
       "www.${webdomain}" = {
         # Respect our elders :-)
         locations."/".extraConfig = "return 301 $scheme://${webdomain}$request_uri;";
+        enableACME = true; # Use ACME certs
+        forceSSL = true; # Force SSL
+      };
+      "reciproka.co" = {
+        locations."/".extraConfig = "return 301 $scheme://${webdomain}$request_uri;";
+        enableACME = true; # Use ACME certs
+        forceSSL = true; # Force SSL
       };
     };
   };
@@ -36,10 +43,9 @@ in {
   security.acme = {
     acceptTerms = true;
     certs = {
-      "${webdomain}" = {
+      "${webdomain}" = {email = "admin@${webdomain}";};
-        email = "admin@${webdomain}";
+      "www.${webdomain}" = {email = "admin@${webdomain}";};
-        #group = "matrix-synapse";
+      "reciproka.co" = {email = "admin@${webdomain}";};
-      };
     };
   };
 

secrets/fiscalvelvetpoet.age

@@ -1,16 +1,21 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBXZGxN
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBSMUhj
-eVRsL3QyT1BPc1dOWmt4Z213czlHV1gwV0JldkRQREZ1YkZtRjNnCm9yMlpSV1dK
+Zk9XdkxaZkpXYkF3K2lpbkR5dmZYYzJhUi9UanpBVEI1S2IvZXhNCnpyT09mZHNv
-R2szbEtnQ2tUOXJzWGMyUk9BQldkbjVCa1RwejJ6U01JdGsKLT4gc3NoLWVkMjU1
+YktCcUd5Y2w1bnNNajFjaWl6Um9yWFpUTkFGdjRINnZFRW8KLT4gc3NoLWVkMjU1
-MTkgUWQwZXBRIFJ0TmhHZHVqam1wWkFRbUFHSWFEYk9CbzVmWnYwUWtjZ3hsQ3Z5
+MTkgUWQwZXBRIHE3RXdLUC82TVNJdHIvU2xnWGF1QktCZGkxbFhsT0dxVDRZZWgy
-Y1JYRDgKajR1a3Nnay9SeFlId2ZDTDd6VVNlZXRpY0h3cTh0R3ExUWRRcGovbVl3
+aVBUbDQKUkxqdTc5ZlhQaG5OOXhtSVBlR2FCR2c3ZGR2cnFUWnN0WkQxRDRlWlg1
-cwotPiBzc2gtZWQyNTUxOSBmNVRoQWcgN3BhVlk2Q0Z4RksvL1dLUmhCZFd1VUNs
+YwotPiBzc2gtZWQyNTUxOSB1N1ozancgR2pTOVZ5cGpmdzMzT1ZYelAwTTI1TVpG
-ZmtqREtpMDAzWkRyMGZML016cwpKKzloVUxLWWcxcjZOQ2czaSt1b1hqTkFrSUc2
+QUdlZ0xBZEo4NkpoZlZEVGlFTQpFelJDQ0RKaFFsVlRESERmMWJIQjZJcmh1QzBI
-bUJUV2crYUl3TVhQUzBzCi0+IDxSI243aidNLWdyZWFzZSBPIVk1J2QKa3RGampV
+VFU3QmZGZ2JKcFMyNmJrCi0+IHNzaC1lZDI1NTE5IFpEOGxNdyBYSHdCdXJRTUVI
-dlBKMitIV0ltUGhDNFcwK0c5dGFOSHJaRjlRZUppNXJPbmFFZnkwZkZKOHBmMk9P
+eDFJZHRHY2JhUTRha1JNRFg5c3ppbVo0OGdQSXdPOUdJCjBFSTVpd2JWd2xkTjZx
-ZmV2L1NZbzF5Kwo3Vlk5Ci0tLSA3MkZtc2V5QXRBLzg3eTNGZkRTZVo4K1hQbkR5
+VDVuMlVHb1Z1aEhYU2kxWkpwV2hJUDZQRzNkckUKLT4gc3NoLWVkMjU1MTkgZjVU
-cDUwakRsMjBXWms1U0YwCuls+HqLpYE1XR6thkvMuUi/HALGGLyrzLhgDQp/2fDd
+aEFnIG1zay9zeUFtd3dkOTJQUFR6S0ZnUm9jbmQ0TkJQU2pJTTYrMmNEaE5KeTAK
-qf27fBHxGH+LUVE/AtkcEuYvqRGOV92MFHP42wARbzTHPoT+JEtbJH9pghCRHE8l
+WXN2OFM2anNYYXF6Wk9rUnFjQzNGSjdhTGFyVDhhd1dORWxRaUpuRG9XUQotPiBe
-Zi52BJ+9Erk+AGvDyS02ziP5bstBs2uWt9y143tjuZAPLEcKAeWaPmUzxpj+zd4w
+d3pXUTxFLWdyZWFzZSBvVT16IFw3Oz02IGQ/ZFVjQS4KVnBKTVc0YzR3SEhaOS80
-3/5keHREdbw9xhJiXYYz55K26V/vyqHm9fz5tP32GhN0
+bzE1NXMxaHh1QStNaXZ4eGZrbDdrV0k5YW5rQTdKbGJsbzZsRzFLMi9veTAKLS0t
+IGdEblEzcTdkcWVFVURycTJsTUl5MHEySUdTRTJub1hMVnJNekMxQTAxTGcKot0G
+3I1FgBm5Hw3MkQXfRdX6FgzAAEmH0t+v8R087u7vDbzVFVwVWGm4qQuHTwYNa1Yu
+5gcM8LAg9N/ZV6Mc7+OlqKoKTs6S+VhphfbuDPrwJZUJT/OO30MgEdgemZ+JtQoA
+O5str1O/0MBTQRyqJglcIjD2rPQcl9cZQupvJeaTOkdoLQ3Pv8aUrZBg3yHg6JX4
+N5siGxgv/NfGcpCvkUM=
 -----END AGE ENCRYPTED FILE-----

secrets/forgejo.age

@@ -1,12 +1,13 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyB1VGRL
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBuMjdR
-OHRURUVFSjhzMmRmQWI1MnNrMUJDNlVEeHYrTTNQN0syV0xNSHlFCnBLSFNIMUpw
+ZzN1QTRIend1TWhLSDZzQ0JQUG9tZFdGZUo4QUljV3pnaEdDR1VzCi9PRXFnTDlD
-akZZenB4WWNwRWZ1WHh3ZmZURkZDUmR3WVFHMC9QZXZSZTQKLT4gc3NoLWVkMjU1
+NFhtYW4reHphUFFqUVBDd2pxY2liOXgwRUlIZzcvZTdWWTAKLT4gc3NoLWVkMjU1
-MTkgZjVUaEFnIDIvUmk5NTZ2N29zRTE4MG9NRjk2VEtZbHdMZ3U4bHpVMnFCbHgr
+MTkgZjVUaEFnIGRvQUFSMzFzVmZLT0Z4SlczNmdicThCYklBbisvcmlzejI4b3Jm
-NXlXMUkKcmtkVE4rRnRyWGRDd1RVK2djVlkxRnArQWJSOTJRTEIySjRKZUtvYWtB
+ZVRTVmsKWDlKTkV6STJaSEVDL0tMVmMvcUt0L3pOS0xXU281bjRXSkJDSXloLzZE
-dwotPiBhdi1ncmVhc2UgeFlgICp7MXZ4ClBBVUUzQTVKMDFZMVFUdlRvUE9GaXFv
+OAotPiBVLWdyZWFzZSBCZTMgM01ZIEd0OWcKdnMvd0FJOEhmQTdTcElld0JsNXdD
-clBVUlcvTDhmMVpCWHdjenJpTlIrNlJ6MDJZZTFEWE5QN3Y1dUFFZDMKYWdRaWor
+bS9hWUtHam1PR0tyTmowck1rVEEzZXc0QjhWNjVNZVU0anRCS1lrMkRtVApQcVdV
-Nk1lSzZoZFlGSG1WVTVxTVRJdjlmNFdGK3k2RnMKLS0tIE5Dcmh2THcvWmNCbXVS
+djJORHppTEFib1VLOC9LbG5OdWhNdEZKWGJyQ3Z6dUFTOEw5WjZsT2E4SDRSSUlK
-V3lIbHB6UVlnUm10TjhRMURvbEFVdVhURVM0UGcKQ9Mo+lNHm5eeutxfecchV7Yb
+aEpWRUNYRlZTdwotLS0geFBJK21QRGZxd3lZRjZRanhDeFRDTTd6T1p2UGhiNXBm
-593Y2GZGoxQTzIWXoWZkzPkeDxLOpUk+OTkgnNclDJ9xPXyanTSS
+NnhaWkptcDFsYwqWryUWy5DtJHpelFVJu9DnS2rUS9JVnjIHCj2MNYrs6f5cxzZP
+4+CUjz1Agu+ODFUvsl/ccIvcaS0=
 -----END AGE ENCRYPTED FILE-----

secrets/root.age

@@ -1,15 +1,22 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBaeFBB
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBsWm9s
-cWc4V2pHNU40Q0xMRXgxRVdFZWRRZTh5NDhPNlhDZEd3Tk4zc0c4CmJrSTFoanBw
+UzB6bzM2VU9IR3Y2MUcrdmtJTk1nM3h0VFV4WFNaaU9pZ0pHMWxBClpiRDZ3VVU1
-dG9pYmJIVCs2TzkxazJjV1ptRzlSZkRmU2NGT0dtWkZHR0kKLT4gc3NoLWVkMjU1
+VkE5SHhJZXc4RGJOenY3Qzc1eXN6Y1M2d1ZnU1dIbHFvQUUKLT4gc3NoLWVkMjU1
-MTkgUWQwZXBRIFdBWmljU0F0U3UrWXEyZnl2MGY5VThxVmE1QkwyMmswRVRFRGFl
+MTkgUWQwZXBRIGVCZURhelZkTFpoRldaVlZoZzVBenBjbEROUlIrTERnN2VpNmhP
-YnpYMDQKekZQOTFQeStBUTNTSW1ibUdHM05YSDBxUFY4dGVhTkpHejUwTklCTUpM
+dVFNSDQKNXNWNU5iOGRBV3ZMVzdSVXRPSTkvQzJpblVsbERJekM0VHdnbEwyd0tG
-YwotPiBzc2gtZWQyNTUxOSBmNVRoQWcgSzAzMGFvVERReU1nRVhvdHdVK0FzajJj
+VQotPiBzc2gtZWQyNTUxOSB1N1ozancgY2pvTllQbytTbDBZaHlSbVFxa2ZYbmFt
-VFZ3aXY1aWl1UW5ReDl4VHBrMApJYm9iRlVQUGNPWlpxcy9MTExhcnZrT0J6UDE0
+OTlvYTQrMUcybVdJd2gxb2Jsbwo4RXBLMkdYSFY3aHYxSGZnS0h4S21ablBueFBz
-WUtTTUduOFlPNVFZTUs0Ci0+IHhxKC1ncmVhc2UgWl9vNyA7NilCVVshWSBEcEgv
+L2JFaEhaYWR5VFFNQzhVCi0+IHNzaC1lZDI1NTE5IFpEOGxNdyBDZGNmblJIWGtx
-RGBpIGgmWAoxVjVrRHVndzI4MmJhN3EwQVEKLS0tIFJabHFPdmtseWhyaTBjV1o0
+QWhEeldzVGZmUWJ6anM4Y2hTT0tpUVNpNDVyRDJRQ240Clk2bmpCVlI4RWduRS80
-Zm1LVEJZY0F0NFJuZUk0anhGdTRkVlFOMmcKRtPfpCjUf05Jnow5FU3OvZc3FLGm
+cVRVWWwycDdtdVpFS25BSDAzOEh5YUcxdW9GclkKLT4gc3NoLWVkMjU1MTkgZjVU
-R462mLJoaBg4qhPr7+kxYRrGy2T0yoZLdglOJV4rHwvYWpNglY1o2Jo+I/mG1yAd
+aEFnIDZBbXVIQVdoaVl6TlZXR1FmeEtwL0hBNWc4c0lvSFlQTzZVc1VJZ09PMXcK
-F+afAb9mQVYreWyQuj7t71Vm1VUdQrsG85lFxdbLbS7ZzITCOrjejgoj6wMPwAgl
+VnhFVVg4eTZiRU1YbUhxUzJrYXRUeWpVVFdOSWpUNHNvUWZCRXd1U3Y3VQotPiBB
-iPHgOccOAPoiDQTSOdGEm3H4k8we/HSfpW7cPowwExtQCK7PSs30XeJsg4o=
+IW9WfGMlLWdyZWFzZQo2WmhadWt6cFZ3S2FONDFIWUFPWWpMOXFRT1d2alNPajVI
+aUJrdmVVT1J1OHA3Uy9LMjdadSs4RnhldGNxWGNtCitJSHhKSlhnMzI0UDdtSFBX
+T0tuY0NvRkI5Q0F6YkJmSHI3aFlReHJORVNLL1RJMkI5QUt5NllmcGcKLS0tIGFQ
+YXpDdDhnR05PaGQ0WEdVd2hMUURnRmtnbDVvWkt0ZDNtaVhxT0ZIbFUKcYbxjmgx
+v7X82tsU3fuTUo9l2q3HmHECwKlvyqsXyyJst+/jJgANfE7/tHm0t6Dm4fPgBvdN
+0AqTDx1p7PLvfQhMuhD2G9mHGLwcom3xUOI8h6JkMCv+bojWD9RCEB+wsAwfCzVV
+pStMrMl6copsy1/E4yXkkm+kBgIMFeGzQvRyZ+UCri0rjzsGFQWEgUgD3fFcNJIq
+HCYi0uW970YK2qI=
 -----END AGE ENCRYPTED FILE-----

secrets/secrets.nix

@@ -11,8 +11,10 @@ let
   users = [fiscalvelvetpoet];
 
   flemming = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK16f3Fjj0BY9vjtXahezMAP3I329hHEQXCceRTkr+Yu";
+  hollows = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEGB8EUbqoarM4GmPgE2DBF4z/L6wVNc+lF27Z83XDUz";
+  pred = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMK5BOK1ldtZ+SV4QxfNm/PfOLOWv3/VHf/JbdMMoMzw";
   toscano = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWcukRkNUQUbgXQle8q9xszDZOnDf3BVpPSFgycJVVE";
-  systems = [flemming toscano];
+  systems = [flemming hollows pred toscano];
 in {
   "root.age".publicKeys = ops ++ systems;
   "fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems;

shell.nix

@@ -4,6 +4,7 @@
   alejandra,
   mkShell,
   colmena,
+  nix,
 }:
 with pkgs;
   mkShell {