🥇 Phase 1: Git + Secrets
✅ Set up Forgejo VM (NixOS declarative)
✅ Set up sops-nix + age keys (can live in the Git repo)
✅ Push flake + ansible + secrets to Forgejo
✅ Write a basic README with how to rebuild infra

🥈 Phase 2: GitOps
🔁 Add CI runner VM
🔁 Configure runner to deploy (nixos-rebuild or ansible-playbook) on commit
🔁 Optional: add webhooks to auto-trigger via Forgejo