diff --git a/common/nginx.nix b/common/nginx.nix
index a5a91c6..10e498d 100644
--- a/common/nginx.nix
+++ b/common/nginx.nix
@@ -2,8 +2,6 @@
 {
   services.nginx = {
-    enable = true;
-    recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedProxySettings = true;
@@ -28,6 +26,4 @@
     acceptTerms = true;
     defaults.email = "accounts@katherina.rocks"; # TODO: replace with more appropriate email
   };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
\ No newline at end of file
diff --git a/common/users/default.nix b/common/users/default.nix
new file mode 100644
index 0000000..9602472
--- /dev/null
+++ b/common/users/default.nix
@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./qenya.nix
+    ./richard.nix
+  ];
+}
\ No newline at end of file
diff --git a/users/qenya.nix b/common/users/qenya.nix
similarity index 79%
rename from users/qenya.nix
rename to common/users/qenya.nix
index 0dadb30..74062f7 100644
--- a/users/qenya.nix
+++ b/common/users/qenya.nix
@@ -1,5 +1,7 @@
 { config, lib, pkgs, ... }:
+let keys = import ../../keys.nix;
+in
 {
   users.users.qenya = {
     isNormalUser = true;
@@ -9,9 +11,7 @@
       "networkmanager" # UI wifi configuration
       "dialout" # access to serial ports
     ];
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEmkV9arotms79lJPsLHkdzAac4eu3pYS08ym0sB/on qenya@tohru"
-    ];
+    openssh.authorizedKeys.keys = keys.users.qenya;
     uid = 1001;
   };
diff --git a/common/users/richard.nix b/common/users/richard.nix
new file mode 100644
index 0000000..f910d93
--- /dev/null
+++ b/common/users/richard.nix
@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+
+let keys = import ../../keys.nix;
+in
+{
+  users.users.richard = {
+    isNormalUser = true;
+    home = "/home/richard";
+    openssh.authorizedKeys.keys = keys.users.richard;
+    uid = 1002;
+  };
+}
diff --git a/hive.nix b/hive.nix
index 5fa0e76..e930b29 100644
--- a/hive.nix
+++ b/hive.nix
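Review bot: With `enable = true;` gone from the shared module, nothing in common/nginx.nix records that hosts are now expected to opt in, and the same hunk drops `recommendedGzipSettings` without saying why, so the next editor is likely to put either back. Suggested comment above `services.nginx = {`: `# Shared nginx/ACME defaults only. This module is imported fleet-wide from hive.nix, so it must not set services.nginx.enable or open firewall ports; hosts that serve HTTP do both themselves (see hosts/yevaud/forgejo.nix). recommendedGzipSettings is intentionally left off because compressing TLS responses weakens them (see the NixOS option description).` The second hunk of this file, which removes `networking.firewall.allowedTCPPorts`, should point at the same rationale, since the port opening now lives in forgejo.nix. The `services.nginx` attribute set continues past the end of the first hunk.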
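Review bot: In the new common/users/richard.nix, `home = "/home/richard";` restates what `isNormalUser = true;` already provides, and every argument in `{ config, lib, pkgs, ... }:` is unused, so the module can be trimmed to what it actually needs. More useful than either is a line stating how the account is reachable: no password option is set, so the account can only authenticate with the key taken from keys.nix, provided common/ssh.nix (not in this diff) keeps password authentication disabled. Suggested comment above `users.users.richard = {`: `# Key-only account: no password is set; SSH access is via keys.users.richard from keys.nix. No extraGroups on purpose; add them per host if ever needed.`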
@@ -24,10 +24,11 @@ in {
        (import "${sources.home-manager}/nixos")
        (import "${sources.agenix}/modules/age.nix")
        ./pinning.nix
+       ./common/nginx.nix
        ./common/ssh.nix
        ./common/sudo.nix
        ./common/utilities.nix
-       ./users/qenya.nix
+       ./common/users
      ];
    };
diff --git a/hosts/yevaud/forgejo.nix b/hosts/yevaud/forgejo.nix
index 410c1d2..7c8f1ba 100644
--- a/hosts/yevaud/forgejo.nix
+++ b/hosts/yevaud/forgejo.nix
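Review bot: `./common/nginx.nix` now lands in every node's module list, which is only harmless because the same commit strips `enable = true` and the firewall ports out of that file, and nothing at this import site records that dependency. Suggest annotating the line: `./common/nginx.nix # defaults only; hosts opt in via services.nginx.enable and open their own ports`. The ACME terms acceptance and contact e-mail from that module are also now applied on hosts that never run nginx, which is harmless but worth a reader knowing. The enclosing `in {` attribute set starts and ends outside the hunk.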
@@ -1,46 +1,49 @@
 { config, lib, pkgs, ... }:
 {
-  imports = [
-    ../../common/nginx.nix
-  ];
-
   # TODO: email out
   # TODO: interface customisation
-  services.nginx.virtualHosts = {
-    "git.qenya.tel" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/".proxyPass = "http://[::1]:3000/";
+  services = {
+    nginx = {
+      enable = true;
+      virtualHosts = {
+        "git.qenya.tel" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/".proxyPass = "http://[::1]:3000/";
+        };
+        "git.katherina.rocks" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/".return = "301 https://git.qenya.tel$request_uri";
+        };
+      };
     };
-    "git.katherina.rocks" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/".return = "301 https://git.qenya.tel$request_uri";
+
+    forgejo = {
+      enable = true;
+      stateDir = "/data/forgejo";
+      settings = {
+        DEFAULT.APP_NAME = "git.qenya.tel";
+        cache = {
+          ADAPTER = "twoqueue";
+          HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}'';
+        };
+        database = {
+          DB_TYPE = "sqlite3";
+          SQLITE_JOURNAL_MODE = "WAL";
+        };
+        security.LOGIN_REMEMBER_DAYS = 365;
+        server = {
+          DOMAIN = "git.qenya.tel";
+          HTTP_PORT = 3000;
+          ROOT_URL = "https://git.qenya.tel/";
+        };
+        service.DISABLE_REGISTRATION = true;
+      };
     };
   };
-  services.forgejo = {
-    enable = true;
-    stateDir = "/data/forgejo";
-    settings = {
-      DEFAULT.APP_NAME = "git.qenya.tel";
-      cache = {
-        ADAPTER = "twoqueue";
-        HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}'';
-      };
-      database = {
-        DB_TYPE = "sqlite3";
-        SQLITE_JOURNAL_MODE = "WAL";
-      };
-      security.LOGIN_REMEMBER_DAYS = 365;
-      server = {
-        DOMAIN = "git.qenya.tel";
-        HTTP_PORT = 3000;
-        ROOT_URL = "https://git.qenya.tel/";
-      };
-      service.DISABLE_REGISTRATION = true;
-    };
-  };
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
diff --git a/keys.nix b/keys.nix
new file mode 100644
index 0000000..7573baf
--- /dev/null
+++ b/keys.nix
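Review bot: Nginx proxies to `http://[::1]:3000/` while the `server` section sets only `DOMAIN`, `HTTP_PORT` and `ROOT_URL`, so the address Forgejo listens on is whatever the NixOS module defaults to; if that default is a wildcard address, the plaintext listener on port 3000 is bound on every interface and only the firewall (which this file opens for 80 and 443 alone) keeps it from being reached directly. Adding `HTTP_ADDR = "::1";` next to `HTTP_PORT = 3000;` pins the listener to the loopback address nginx actually targets and keeps a future firewall change from exposing unencrypted Forgejo. `security.LOGIN_REMEMBER_DAYS = 365;` keeps remember-me sessions valid for a year; on a registration-closed instance that may be deliberate, but a comment saying so would help, and a shorter window limits how long a stolen cookie stays usable. The hunk spans the whole file, so the enclosing attribute set is complete here.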
@@ -0,0 +1,16 @@
+{
+  machines = {
+    tohru = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru";
+    yevaud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHUAgyQhl390yUObLUI+jEbuNrZ2U6+8px628DolD+T root@yevaud";
+    orm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc9rkcdOVWozBFj3kLVnSyUQQbyyH+UG+bLawanQkRQ root@orm";
+  };
+
+  users = {
+    qenya = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEmkV9arotms79lJPsLHkdzAac4eu3pYS08ym0sB/on qenya@tohru"
+    ];
+    richard = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHAuYWPfYVKdjBY/gBMt2n11Seb+hMqjui1PQ6C4ph8i richard@tress"
+    ];
+  };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index a4a270a..c41523b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,6 +1,4 @@
 let
-  tohru = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru";
-  yevaud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHUAgyQhl390yUObLUI+jEbuNrZ2U6+8px628DolD+T root@yevaud";
-  systems = [ tohru yevaud ];
+  keys = ../ssh-keys.nix;
 in
 { }
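Review bot: keys.nix holds only public key material, but nothing in it says so, and `machines` has no consumer in this commit (secrets.nix binds a path to `../ssh-keys.nix`, which is not this file, and never uses it), so the intended role of each set should be written down. Suggested first line: `# Public SSH keys only: machines = host keys used as agenix recipients, users = authorized_keys entries. Private keys never belong in this repository.` `orm` is new compared with the `tohru`/`yevaud` list that secrets.nix drops, so when `machines` is wired up as the recipient set, listing recipients per secret rather than taking every entry of `keys.machines` keeps each secret decryptable only by the hosts that need it.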
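Review bot: `keys = ../ssh-keys.nix;` is a path literal, not an import, and the file this commit adds is `keys.nix` at the repository root, so the binding neither evaluates the key set nor points at a file that exists; because it is unused in the now-empty attribute set, Nix's laziness hides both problems until the binding is actually used. The line that matches the other files in this commit is `keys = import ../keys.nix;`. With `systems` removed no secret names any recipient, which is fine while `{ }` is really empty; when secrets are added, each should list the specific `keys.machines.*` host keys that need to decrypt it rather than all of them.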