diff --git a/.sops.yaml b/.sops.yaml
index 5c1d8c7..c195485 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,12 +1,8 @@
 keys:
   - &admin_jrpotter age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62
   - &server_phobos age16twzd97nh7tstk5meh277w02le6dxqmv7wzrjlemn87n36dzlyfq7uusj2
+  - &server_thebe age1pjgqvdyzxz30rxvu3zysjpmxrjjsvklggfepswhmwdaunx0kg3vsfept24
 creation_rules:
-  - path_regex: phobos/[^/]+\.(yaml|json|env|ini|enc)$
-    key_groups:
-      - age:
-        - *admin_jrpotter
-        - *server_phobos
   - path_regex: .*
     key_groups:
       - age:
diff --git a/README.md b/README.md
index a3cdae1..561e5ce 100644
--- a/README.md
+++ b/README.md
@@ -83,5 +83,9 @@ To do so, run:
 $ nix-shell -p ssh-to-age --run 'ssh-keyscan | ssh-to-age'
 ```
 This will look for any SSH host ed25519 public keys and automatically run
-through `ssh-to-age`. Include an appropriately top-level `keys` entry in
-`.sops.yaml` before generating the secrets needed by the machine.
+through `ssh-to-age`. Include a new top-level `keys` entry in `.sops.yaml` so
+that newly created secrets file automatically apply the age keys. For existing
+secret files, rotate and add the new age key to them:
+```bash
+$ sops --in-place --rotate --add-age
+```
diff --git a/flake.nix b/flake.nix
index 4ab9956..43c8d72 100644
--- a/flake.nix
+++ b/flake.nix
@@ -47,7 +47,7 @@
         inherit (tapir) sops-nix;
       };
       thebe = {
-        inherit (tapir);
+        inherit (tapir) sops-nix;
       };
     };
   };
diff --git a/hive/thebe/default.nix b/hive/thebe/default.nix
index 10c8f76..9334749 100644
--- a/hive/thebe/default.nix
+++ b/hive/thebe/default.nix
@@ -1,7 +1,9 @@
-{ lib, ... }:
+{ sops-nix, lib, ... }:
 {
   imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [
+    sops-nix.nixosModules.sops
     ../../digital-ocean/configuration.nix
+    ../../services/plausible
   ];
   deployment.targetHost = "64.23.168.148";
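Review bot: The new `&server_thebe` anchor is defined under `keys` but no creation rule visible in the hunk references it, so sops will not encrypt files created (or re-keyed with `sops updatekeys`) under the remaining `.*` rule to thebe's host key; the age list of that rule lies outside the hunk, but as unchanged context it presumably cannot name an anchor this commit introduces. Add `- *server_thebe` to that rule's age list, or restore a per-host rule such as `- path_regex: services/plausible/.*` listing only `*admin_jrpotter` and `*server_thebe`, mirroring the removed phobos rule. Dropping the phobos-specific rule in favour of a single catch-all also means every secrets file gets the same recipient set, so if that list ends up holding both server keys each host can decrypt the other's secrets — worth confirming that loss of per-host isolation is intended.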
@@ -19,6 +21,8 @@
   services = {
     nginx.enable = true;
     openssh.enable = true;
+    plausible.enable = true;
+    postgresql.enable = true;
   };
 
   security.acme = {
diff --git a/services/plausible/default.nix b/services/plausible/default.nix
new file mode 100644
index 0000000..badf5ff
--- /dev/null
+++ b/services/plausible/default.nix
@@ -0,0 +1,34 @@
+{ config, ... }:
+{
+  services = {
+    plausible = {
+      adminUser = {
+        # activate is used to skip the email verification of the admin-user
+        # that's automatically created by plausible. This is only supported if
+        # postgresql is configured by the module. This is done by default, but
+        # can be turned off with services.plausible.database.postgres.setup.
+        activate = true;
+        email = "jrpotter2112@gmail.com";
+        passwordFile = "/run/secrets/PLAUSIBLE_ADMIN_PWD";
+      };
+      server = {
+        baseUrl = "http://analytics.jrpotter.com";
+        secretKeybaseFile = "/run/secrets/PLAUSIBLE_SECRET_KEY_BASE";
+      };
+    };
+    nginx.virtualHosts."analytics.jrpotter.com" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        recommendedProxySettings = true;
+        proxyPass = "http://127.0.0.1:${toString config.services.plausible.server.port}";
+      };
+    };
+  };
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    secrets.PLAUSIBLE_ADMIN_PWD = {};
+    secrets.PLAUSIBLE_SECRET_KEY_BASE = {};
+  };
+}
diff --git a/services/plausible/secrets.yaml b/services/plausible/secrets.yaml
new file mode 100644
index 0000000..bb4f18c
--- /dev/null
+++ b/services/plausible/secrets.yaml
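Review bot: `baseUrl` is `http://analytics.jrpotter.com` while the nginx vhost for the same name sets `forceSSL = true`, so Plausible will generate absolute links (tracking snippet, emails) for the wrong scheme and — as far as I know Plausible's runtime config, worth confirming for the packaged version — will leave the Secure attribute off its session cookie, because it derives that setting from the base URL scheme; change it to `baseUrl = "https://analytics.jrpotter.com";`. The two hard-coded `/run/secrets/...` paths duplicate what sops-nix already computes: `passwordFile = config.sops.secrets.PLAUSIBLE_ADMIN_PWD.path;` and `secretKeybaseFile = config.sops.secrets.PLAUSIBLE_SECRET_KEY_BASE.path;` stay correct if `sops.defaultSymlinkPath` is ever changed. Both secrets are declared with `{}`, i.e. sops-nix's default root-owned 0400 mode, which is only fine if the plausible unit reads these files as root (for example via systemd credentials) rather than as its service user — the module internals are not in this diff, so please verify on first activation.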
@@ -0,0 +1,31 @@
+PLAUSIBLE_ADMIN_PWD: ENC[AES256_GCM,data:bnSVaGHJG/VzWuiks8wYGdWu,iv:Xhhvqk1ThBJXz1XNYx40YfIpqcADL9SPwrLf/rje57I=,tag:fw1RujBToGTo1qFhbYEcaQ==,type:str]
+PLAUSIBLE_SECRET_KEY_BASE: ENC[AES256_GCM,data:gyncr/BiekwFFQww9aJXkiU3nTUtwpUxb3E3RYw89zInV/e6v4gGJHXG1T1SPvOsl8QRyMq6rYvHSpCGCXx0iwx/9jBUyyTw16fTTsANA6vrVrufpe3vrg==,iv:r6OSjNskgXpBqMOIPYjYziGyfiS0enFRJFI87PGwl1I=,tag:Dl/InBqKF2XTmMlKfYZk1w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDN1ZjUWpHak9sL2hPVzk3
+            RXR1NkFuMmpXUXpQTUc1TU1CZHp5ZTFrRlZJCnpLWmRTWGN5bzFLOFd3RVFHbU5H
+            dkc1UzdWcEViNEh6bGRJYTY2V2RBWXcKLS0tIExsb0FvajE2amE1YU9TbjZXTTJo
+            NzkrMlVjMkp3a1BxL01LZUhpTWZ6Y0EKOEDeya5JhwXWcj+7tloeGSKHLaFqqjQl
+            7U66quW6QX9k/DjixhNzVYlOTlkHKWguoS8OHk9qsTExGupM7HkNAw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1pjgqvdyzxz30rxvu3zysjpmxrjjsvklggfepswhmwdaunx0kg3vsfept24
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bXh0dWlLRE9mTDV1akNv
+            bExpSmZhODJnc0h6SkZ1OHR0NkQrZXNPeHhnCndPTUdjS0Q4VXRxUEZQOUJSa3ZD
+            OWJtSXkvNmZrWWJ5ZTBiZnFmV2VlMzgKLS0tIEpBZng4VktnaG9aZDZJaXYzamcr
+            UHZrdXBWZ0I2SnArQkJ6UkhRa2xpdEEKHBNMEcQQNs3mLQE5UI21Ue52dnZlIOqZ
+            91HSVBgFP4dfrsW4+ZyxrhqADZziHSn5AfpbuhJ7QLSsjNRLHyrbgw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-10T18:27:35Z"
+    mac: ENC[AES256_GCM,data:7rsYMbTTmOPHVqoaQu78Glf4EvXRbDVvkbZYQd9fSy7JOWyKzvVC9ZD2yr0WbHoe0Gq8mpdfmcc5Q/3JIuNanqQxbvvLDqYSBQNoifeuQ9dLRhxzI2Up1mhLTHDIV3CB+7TfIMkaJ7gYkQXX9sg2P2EL9R4o0TJ8Uuee3Iq2H/s=,iv:ym9btl+HL/dX++fXTyPl0Aze6b5dyuO+gM+CuBWvagE=,tag:PBy4EvtnivzXpCdviDEaSw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3