diff --git a/infra/forgejo-ci/flake-part.nix b/infra/forgejo-ci/flake-part.nix
index 4efed0f0..2c6b72b8 100644
--- a/infra/forgejo-ci/flake-part.nix
+++ b/infra/forgejo-ci/flake-part.nix
@@ -1,5 +1,20 @@
-{ inputs, ... }:
+{ lib, inputs, ... }:
+## NOTE: Hackish solution mostly taken from `../common/resource.nix`.
+## Eventually, `forgejo-ci` should move to a datacentre somewhere and this code
+## should be integrated with the code for other machines (in particular VMs).
+
+let
+ inherit (lib) attrValues elem;
+ inherit (lib.attrsets) concatMapAttrs optionalAttrs;
+ inherit (lib.strings) removeSuffix;
+
+ secretsPrefix = ../../secrets;
+ secrets = import (secretsPrefix + "/secrets.nix");
+ keys = import ../../keys;
+ hostPublicKey = keys.systems.forgejo-ci;
+
+in
 {
 nixops4Deployments.forgejo-ci = { providers, ... }:
@@ -12,12 +27,27 @@
 ssh = {
 host = "45.142.234.216";
- opts = "-J orianne";
- hostPublicKey = (import ../../keys).systems.forgejo-ci;
+ opts = "-J orianne"; # FIXME
+ hostPublicKey = hostPublicKey;
 };
 nixpkgs = inputs.nixpkgs;
- nixos.module = import ./configuration.nix;
+
+ nixos.module = {
+ imports = [
+ inputs.agenix.nixosModules.default
+ ./configuration.nix
+ ];
+
+ age.secrets = concatMapAttrs (
+ name: secret:
+ optionalAttrs (elem hostPublicKey secret.publicKeys) ({
+ ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
+ })
+ ) secrets;
+
+ users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+ };
 };
 };
 }
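Review bot: The `age.secrets` mapping in the new `nixos.module` block reads `secret.publicKeys` unconditionally for every entry of `secrets.nix`, so a single entry without that attribute aborts evaluation of the whole deployment; `optionalAttrs (elem hostPublicKey (secret.publicKeys or [])) ({` keeps the filter total and only skips such entries. The added `users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;` line grants every key under `keys.contributors` direct root login on the CI host, which is broader than a CI runner needs unless `./configuration.nix` already did the same; it deserves a comment stating that this is intended (e.g. `# all contributors get root on the CI host; revisit once forgejo-ci joins the shared machine config`) or a narrower operator key set. `hostPublicKey = hostPublicKey;` reads more naturally as `inherit hostPublicKey;`, and the bare `# FIXME` on the `opts` line should say what is wrong with the `-J orianne` jump setting so the next reader knows what to fix. The enclosing `nixops4Deployments.forgejo-ci` attribute begins in the previous hunk.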