diff --git a/infra/README.org b/infra/README.org
index d426a0d6..8029f4b0 100644
--- a/infra/README.org
+++ b/infra/README.org
@@ -1,6 +1,9 @@
 #+title: Infra
 
 This directory contains the definition of the VMs that host our infrastructure.
+
+* NixOps4
+
 Their configuration can be updated via NixOps4. Run
 
 #+begin_src sh
@@ -26,14 +29,21 @@ Then, given a deployment (eg. ~git~), run
 nixops4 apply
 #+end_src
 
+Alternatively, to run the ~default~ deployment, run
+
+#+begin_src sh
+nixops4 apply
+#+end_src
+
 * Deployments
 
+- default :: Contains everything
 - ~git~ :: Machines hosting our Git infrastructure, eg. Forgejo and its actions runners
 - ~web~ :: Machines hosting our online content, eg. the website or the wiki
 - ~other~ :: Machines without a specific purpose
 
-* Procolix machines
+* Machines
 
 These machines are hosted on the Procolix Proxmox instance, to which
 non-Procolix members of the project do not have access. They host our stable
diff --git a/keys/README.md b/keys/README.md
new file mode 100644
index 00000000..707b8088
--- /dev/null
+++ b/keys/README.md
@@ -0,0 +1,32 @@
+# Keys
+
+This directory contains the SSH public keys of both contributors to the projects
+and systems that we administrate. Keys are used both for [secrets](../secrets)
+decryption and [infra](../infra) management.
+
+Which private keys can be used to decrypt secrets is defined in
+[`secrets.nix`](../secrets/secrets.nix) as _all the contributors_ as well as the
+specific systems that need access to the secret in question. Adding a
+contributor of system's key to a secret requires rekeying the secret, which can
+only be done by some key that had already access to it. (Alternatively, one can
+overwrite a secret without knowing its contents.)
+
+In infra management, the systems' keys are used for security reasons; they
+identify the machine that we are talking to. The contributor keys are used to
+give access to the `root` user on these machines, which allows, among other
+things, to deploy their configurations with NixOps4.
+
+## Adding a contributor
+
+Adding a contributor consists of three steps:
+
+1. The contributor in question adds a file with their key to the
+   `./contributors` directory, and opens a pull request with it.
+
+2. An already-existing contributor rekeys the secrets, taking that new key into
+   account. See [../secrets#adding-a-contributor].
+
+3. An already-existing contributor redeploys the infrastructure to take into
+   account the new access. See [../infra].
+
+4. The pull request is accepted and merged.
diff --git a/keys/contributors/kiara b/keys/contributors/kiara
new file mode 100644
index 00000000..f6058c95
--- /dev/null
+++ b/keys/contributors/kiara
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHTIqF4CAylSxKPiSo5JOPuocn0y2z38wOSsQ1MUaZ2 kiara@procolix.eu
diff --git a/secrets/README.md b/secrets/README.md
index 08b135e8..a80ef16d 100644
--- a/secrets/README.md
+++ b/secrets/README.md
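Review bot: The new key in `keys/contributors/kiara` lands in the same commit as the rekeyed secrets, so nothing on the page records that the key's fingerprint was confirmed with its owner over a trusted channel before it was granted decryption of every secret and, per the `keys/README.md` added here, `root` on the machines. Step 2 of that README is the natural place to require it, e.g. `2. An already-existing contributor verifies the key's fingerprint with its owner out of band, then rekeys the secrets, taking that new key into account.`. Each rekeyed `.age` file gains exactly one new recipient stanza, tagged `COspvA`, which is presumably this key; confirming that the tag corresponds to `kiara` and that no other recipient was added would close the loop. The trailing comment `kiara@procolix.eu` is the only provenance the key file itself carries, so the verification record belongs in the pull request or the README rather than in this file.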
@@ -49,3 +49,8 @@ As an example, let us add a secret in a file “cheeses” whose content should service that you are using must be able to read from a file at runtime, and if the NixOS default module options do not provide that, you must find a way around it. + +### Adding a contributor + +See [../keys]. Rekeying can be done by running `agenix --rekey` (or `-r` for +short) in the current directory. This requires access to the secrets. diff --git a/secrets/forgejo-database-password.age b/secrets/forgejo-database-password.age index d65d4bcb..2828eff5 100644 --- a/secrets/forgejo-database-password.age +++ b/secrets/forgejo-database-password.age @@ -1,9 +1,13 @@ age-encryption.org/v1 --> ssh-ed25519 ofQnlg wo0Yxrm+saKiGo4Woo8A+I6fXyLV0OfguJsrRPCc7Ds -tHJU5jzLj8qFrYzPOdECBC7ugbryxWvF2Lp4lPN7Tyw --> ssh-ed25519 1MUEqQ jYC4xvbi/9g9yUppVgCcBP6X3WiaqUpBxvmGqezntkk -jCZxTWxN35Tcc8HLmlWyL+7V48fXBriD+yF35kIMTlk --> ssh-ed25519 Fa25Dw O7SPXB23UF0uYlkgDNWP9rUHVJAA8RwFqhyPU38Nk1s -BRemDl0+rszCOQw4G1GYVpxbhb0gMq5pxyguKjncXCk ---- n4IPbDBJwmEGQTlsYxRQSI+9Db14zAd3ji2X248XbsI -\۵Z:Y8`5Ö`͕=䨄A \ No newline at end of file +-> ssh-ed25519 ofQnlg G6Wg5L2ohyZZ9NnCAQ03ycAbP7HBa6/wGjNCsNF8nR0 +OCh5tR7JSEZUAd4oDqNlKUznNus/EZrLTjzCNpFfSTM +-> ssh-ed25519 COspvA Qbs9EvqDbPzMB3ciM9e37gXaCp2OAQ/rG6LzMhdBkwE +/eBnkgGBhuweXzd2aw1XXoaHc8JbXLrqMqcY8CAqDr4 +-> ssh-ed25519 1MUEqQ jacwM4dAbNezkeMY9FzmGlXtTneLoMUFJtfm6dyNsVA +AodDTXYSkPoxS807xw+l0WbO9dMau9xp2Y9h0Ir6o8s +-> ssh-ed25519 Fa25Dw quSJ54tQOBBNtnkc/4dxH1z7SfIfJsr+9iORnT4XXmg +q//oLKS+eRHwraOEDayxrnLmUJ1Zfahr/ZXvuqYvtzc +--- NLwY5C6WKTUSVYbmeSUJE1SiM19/rDb3pqMrVUx/l0c +t +Z:+pal1z +-y)nZ5h \ No newline at end of file diff --git a/secrets/forgejo-email-password.age b/secrets/forgejo-email-password.age index 44207c9e..926a0389 100644 --- a/secrets/forgejo-email-password.age +++ b/secrets/forgejo-email-password.age 
@@ -1,9 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 ofQnlg prrfNlkyvRBGfJuBx54mKbwAfHL8t6Y+uLmt3jGEvHs -Sg8zLilpIGA4nq2bQToGgYeGP2sLCeqzKuGF2YzuXdM --> ssh-ed25519 1MUEqQ daSO/J5Bw59xVlAYcsyIixqsZIolBIUAca9MmhXZoCI -vjzpcxlKWk3VG2N6MayegZ8sF/2SmJVGBSSef8zAtR8 --> ssh-ed25519 Fa25Dw GsQSZx3mY6RBdZBzYZnn+s4og7/HgXPDAamNh80VNxQ -1jh4jyVVunbrUfwGduwz7drINatxYG8VWXC1nG2WnG4 ---- KMa4vGnd/X4pkboVfhkCeheagMC/T7e1RlqeF/tCheE -cuH>h5M!fKxru*@Ė&ďOs4\w \ No newline at end of file +-> ssh-ed25519 ofQnlg dmH3/gWbrhiYDSEzfEvwto/7ULietn9DHs7bqNRLuDE +na8BTt4OCwwwJb/NNkUU1NWZKzsMyW84REcaz0bEX7c +-> ssh-ed25519 COspvA bk/ixd0gon+sxmhW+OBGY9sRaCVOZ267TELGFkkuUxs +Y+XnlUVETv4fqA5uGd3VaHIs4mAJQQw+xmGweWPOP70 +-> ssh-ed25519 1MUEqQ /mf6QgPlFqYGdQJHJbe2TEIusTxw0ftsemWst07nW3I +SLzAtO31Evm/mOheVhMmV6QKoaNG0KYnIUaeThrp3CU +-> ssh-ed25519 Fa25Dw HzNVxKLwujLVxs37JczAImZwE3CsSVbBbN7yCvvvQQU +yHh5wFtGdHgCZsuY70VVCeW+q3Tj3pJKclkVFXKZiPU +--- bi4B3ePG1HS3N5Y3civ4tvTZTk5dERKu4+LJwsN7Los +%;"q1v}:i]jA0.eǰq9 \ No newline at end of file diff --git a/secrets/forgejo-runner-token.age b/secrets/forgejo-runner-token.age index d00836c2..b6e0d82c 100644 --- a/secrets/forgejo-runner-token.age +++ b/secrets/forgejo-runner-token.age 
@@ -1,9 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 ofQnlg zcQ+yhPezo8dh1pwIadOcRCQGFb8B0tHp2zBH/cFpi0 -xGlfqN9MQQYn6u8hWtTgVO0ObGoXVybnRMUf5y/DdjQ --> ssh-ed25519 1MUEqQ bn5IoZMZzs6FFeHu1c3deHnWEXUmkbcGBu+i5gsyKTE -FeK8Cd/vbZpe2inZDFNofdcFxbMcs/wntxjwcu0+tE0 --> ssh-ed25519 rJoYaw DCOdl91tl1Y+5LXTaiaHYY+VJsRoGYnId0MElsn4uGA -4SDCll3OAeqTtMo5uCK7njUiybqUPv+Lk9qqsgWOV6Q ---- Y79OpvgT6uv5Eg1SJqtz0k0FduXuJf5wbTdeDXEvMWs -4knWO%{QXgNūPIs ssh-ed25519 ofQnlg 42Tz44DFTDA7OdAqynPLKsAYJctXivj3wWkkIwYTInM +pQ5rW2TH4IK/kjcLNOmkLgKMAuD/yzw9nOZn2NZNOv8 +-> ssh-ed25519 COspvA iYtbO/GMmP2g+82xxPrvDsye2p+FpqGpG1a+Fr1jql0 +LYTL9v1c5UcikMIN2ivCLzzAtlKaY7z3PVJW/8OxrLM +-> ssh-ed25519 1MUEqQ 2JWKsR0gWXjustfZtj5Zg6aEflw+tMJ+Ii0k1FtdKVQ +lo534OLXItxUMRN/hZ351PLTYVYC9KjXJ8WrlqP4XVM +-> ssh-ed25519 rJoYaw ePSTkrq9Nxk9kzAZR0O6P2KU8WZ40+/X7gI587WqRhk +pQC9YAZdnKIyZ6ueN9iM+iAL9fkt0Dzo9WGfhTRABG4 +--- CWPCtLLBJ+OYjuocYoSgOd0r7/nUIewTeMWbQx8MHXQ +>";cLSm{Ҟ/H*"ߴ.r͐bVo+WZO^~ɋw]1h=HڭStК,Ergn \ No newline at end of file diff --git a/secrets/wiki-basicauth-htpasswd.age b/secrets/wiki-basicauth-htpasswd.age index e744f5a2..bc8f24c1 100644 --- a/secrets/wiki-basicauth-htpasswd.age +++ b/secrets/wiki-basicauth-htpasswd.age 
@@ -1,9 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 ofQnlg hHpU+STQq9dp0WbcT9xvNV1Ev2ePnTafL+n5meqsrCI -azxpqTlOHwAyys2vggKZMwoW0p7KvyHWEmpT2JT31aI --> ssh-ed25519 1MUEqQ eP4gkEEbnb/uAJF7AfOMYsNriR5xWNIHhB7Qz6y77VY -6OF56XdugUnuLeyuaRbadHfQZx3YqMV51lkbUmkHeCA --> ssh-ed25519 dgBsjw YVBXOkkr5Mcjk4wVEJi0/20vmcT5baDp8NpfMxlgFFo -+LZp7R7zKaM/G9pOsy14Es+DRold2mDekOw4NodOgnA ---- +ihHVdjEVvkoiH7dLKkZ5y1fmUs5CNsjxFvSUb3Z0gM -`f'\=Tpp/jZV~ӽ#=!O*5(f.dڹƴN=oPy.fxڌ'%r~.@ \ No newline at end of file +-> ssh-ed25519 ofQnlg /QZHjQ6K2LrdYy62eg8gnAdavrzDccR/iLlGr5wSrBo +15uXcdLt4TjPvYFCKmTnQ/iiNtB7NhEYo4dfIRSe7o0 +-> ssh-ed25519 COspvA BAd2Tm1HCkBEMnUsTK/yShK/yWeKjGvXnQ0kq3/ockc +PSMOXVdrJ+2wm7Yu/aY1drR1q9mN/bRkJVVy32Or1Jg +-> ssh-ed25519 1MUEqQ wN0GUypdmU8+tM3nrNlr5ljtLKR3Li/vGsFIPa9hznA +TBV3WXW7FesaYHzI7oe8j1uUAq7VwK0QabL3pnwwUFM +-> ssh-ed25519 dgBsjw /fT6/NmACig4Rv9QPttrTn5p/ptifT5WeJ3+DyxRHUk +oUGvejnhu+c6+ta30APDvXHH2+XrZpqk2SmwTf3StvA +--- UBiWukQgMUU3OG2VTcM32qlf90kE4ipqBaucGUZSZiw +XILg~kCz^ T}VV>E#UҿB *CDݴkQ^%ELlTnzhnFJ鉊q \ No newline at end of file diff --git a/secrets/wiki-password.age b/secrets/wiki-password.age index a684de3a..6aa1d39c 100644 --- a/secrets/wiki-password.age +++ b/secrets/wiki-password.age 
@@ -1,10 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 ofQnlg q8Y0C7n4sd7hdZLl1YWBezW60syE8QpEqWIZP0Qv7FA -fwKB4/lrbx+M9lluVNQAJcC2ZHHkNPkeJD9OI/GgceI --> ssh-ed25519 1MUEqQ U1zOZ6q9M4XzMdioD0RdwZ9K6czaaK4+LR7uTnBSmH0 -HKypw83VUR9wSJA2BfO7XR10vQnOZkttaL86DcOwwrg --> ssh-ed25519 dgBsjw 8mrgKvzJOWKYfmF/L4m9R6hKuL49HO8kKPvz8YJsjyc -dRcj6g247Oh3dmEnNtN7Rjx2qbbcxT+nWtEu5Rmnkj8 ---- HzehAstQl9boOJdx1IDvzUw0xXzFFbPlORmxMtHSd9Y -dH -fCIMŏU;R/D-ݯs~"T&] \ No newline at end of file +-> ssh-ed25519 ofQnlg fc4Kx1F73+x5k20ZAr+nwJ2//MKSbW0XrPwidaw3O34 +/sVyDyaHqBqWgB4aEBYCB9n0cVzEWUTdgqKvM4aAzJ8 +-> ssh-ed25519 COspvA pfbE6BX+5WeYtuCfL1kRdnD3tVOV33fEJR4G0EndGBA +ssywMgaFasyglxpIMjn9xxQViV5srAz8qS7t3aIJjnM +-> ssh-ed25519 1MUEqQ sqw/QOSTfTBzC2YOEDLzkB51VnGPZcz9JX5JYZ+/hjg +p2pa5eakbFbNDhOfDZaXvb69ACh/F/2lFDTUQc4WlZ4 +-> ssh-ed25519 dgBsjw QaKOQLbsEpD71x7Hk3ZoZV3/xgxv4+jG1wWiKmrhOik +wyJP3apJB9jBcAOMK0D72lD7FqCkBEuwX0UyCvqOUJc +--- J/CTHVy20+V7iS/R0LeeUNzIxE6dU3lnVWAFHyEjbE8 +^TGU9) ]6n