diff --git a/machines/dev/forgejo-ci/default.nix b/machines/dev/forgejo-ci/default.nix
index 569cbb4b..f0aa9c45 100644
--- a/machines/dev/forgejo-ci/default.nix
+++ b/machines/dev/forgejo-ci/default.nix
@@ -1,12 +1,23 @@
-{
-  lib,
-  ...
-}:
+{ lib, ... }:
+
+let
+  inherit (lib) mkDefault mkForce;
+in
+
 {
   _class = "nixops4Resource";
 
-  # XXX this needs an SSH config entry `forgejo-ci` to locate and access the machine. also needs `HostKeyAlias`.
-  ssh.host = lib.mkForce "forgejo-ci";
+  # NOTE: This needs an SSH config entry `forgejo-ci` to locate and access the
+  # machine. This is because different people access the machine in different
+  # way (eg. via a proxy vs. via Procolix's VPN). This might look like:
+  #
+  #     Host forgejo-ci
+  #          HostName 45.142.234.216
+  #          HostKeyAlias forgejo-ci
+  #
+  # The `HostKeyAlias` statement is crucial. Without it, deployment will fail
+  # with the SSH error “Host key verification failed”.
+  ssh.host = mkForce "forgejo-ci";
 
   fediversityVm = {
     domain = "procolix.com";
@@ -21,14 +32,7 @@
   };
 
   nixos.module =
-    {
-      config,
-      lib,
-      ...
-    }:
-    let
-      inherit (lib) mkDefault mkForce;
-    in
+    { config, ... }:
     {
       _class = "nixos";