diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
new file mode 100644
index 0000000..4b5e566
--- /dev/null
+++ b/.gitea/workflows/ci.yaml
@@ -0,0 +1,21 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+
+jobs:
+  check:
+    name: Check Nix flake
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: cachix/install-nix-action@v23
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Write agenix secrets key to file
+        env:
+          KEY: ${{ secrets.AGENIX_SECRETS_KEY }}
+        run: printf "$KEY" > .keys/ci.key
+      - name: Check flake
+        run: nix flake check
diff --git a/.keys/ci.pub b/.keys/ci.pub
new file mode 100644
index 0000000..fb324b9
--- /dev/null
+++ b/.keys/ci.pub
@@ -0,0 +1 @@
+age1ythn9runhsvwmszqfy69zetc422hug39ta4g236tue6f5qf65y0q4qg7xx
diff --git a/flake.nix b/flake.nix
index 63dcf08..d0eae9d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -157,29 +157,6 @@
       homeConfigurations = mapAttrs (_: s: s.configuration) nixfiles.config.home-manager.homes;
 
       deploy = nixfiles.config.deploy-rs.rendered;
-
-      # TODO: Modularise?
-      herculesCI =
-      let
-        system = n: self.nixosConfigurations."${n}".config.system.build.toplevel;
-        container = n: self.nixosConfigurations."${n}".config.my.buildAs.container;
-        home = n: self.homeConfigurations."${n}".activationPackage;
-      in
-      {
-        onPush = {
-          default.outputs = {
-            shell = self.devShells.x86_64-linux.default;
-          };
-          systems.outputs = {
-            colony = system "colony";
-            vms = genAttrs [ "estuary" "shill" ] system;
-            containers = genAttrs [ "jackflix" "middleman" "chatterbox" ] container;
-          };
-          homes.outputs = {
-            castle = home "dev@castle";
-          };
-        };
-      };
     } //
     (eachDefaultSystem (system:
     let
diff --git a/nixos/boxes/colony/vms/shill/default.nix b/nixos/boxes/colony/vms/shill/default.nix
index e393e1a..408ba39 100644
--- a/nixos/boxes/colony/vms/shill/default.nix
+++ b/nixos/boxes/colony/vms/shill/default.nix
@@ -49,7 +49,7 @@ in
         inherit (lib.my) networkdAssignment;
       in
       {
-        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ./hercules.nix ./gitea.nix ];
+        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ./gitea.nix ];
 
         config = mkMerge [
           {
diff --git a/secrets.nix b/secrets.nix
index cf3a14d..ecbf175 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -9,6 +9,7 @@ let
 
   defaultKeys = [
     (fileContents .keys/dev.pub)
+    (fileContents .keys/ci.pub)
   ];
   secretKeys =
     zipAttrsWith