diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..648fc02
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,7 @@
+_gpgconv="gpg2 -d --quiet --yes --compress-algo=none --no-encrypt-to"
+if [ "$(git config diff.gpg.textconv)" != "$_gpgconv" ]; then
+    git config diff.gpg.binary true
+    git config diff.gpg.textconv "$_gpgconv"
+fi
+
+export PASSWORD_STORE_DIR=$PWD/secrets
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c4a847d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/result
diff --git a/krops.nix b/krops.nix
new file mode 100644
index 0000000..8ee432c
--- /dev/null
+++ b/krops.nix
@@ -0,0 +1,22 @@
+let
+  krops = builtins.fetchGit {
+    url = "https://cgit.krebsco.de/krops/";
+  };
+  lib = import "${krops}/lib";
+  pkgs = import "${krops}/pkgs" {};
+
+  source = lib.evalSource [
+    {
+      nixpkgs.symlink = "/root/.nix-defexpr/channels/nixos";
+      nixos-config.file = toString ./configuration.nix;
+    }
+  ];
+
+in {
+  hel1a = pkgs.krops.writeDeploy "deploy-hel1a" {
+    source = source;
+    target = lib.mkTarget "motiejus@hel1-a.jakstys.lt" // {
+      sudo = true;
+    };
+  };
+}
diff --git a/.gpg-id b/secrets/.gpg-id
similarity index 100%
rename from .gpg-id
rename to secrets/.gpg-id
diff --git a/hel1-a/zfs-passphrase.gpg b/secrets/hel1-a/zfs-passphrase.gpg
similarity index 100%
rename from hel1-a/zfs-passphrase.gpg
rename to secrets/hel1-a/zfs-passphrase.gpg
diff --git a/letsencrypt/account.key.gpg b/secrets/letsencrypt/account.key.gpg
similarity index 100%
rename from letsencrypt/account.key.gpg
rename to secrets/letsencrypt/account.key.gpg
diff --git a/sendgrid.gpg b/secrets/sendgrid.gpg
similarity index 100%
rename from sendgrid.gpg
rename to secrets/sendgrid.gpg