diff --git a/machines/dev/forgejo-ci/forgejo-actions-runner.nix b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
index 4b13d854..33ad9692 100644
--- a/machines/dev/forgejo-ci/forgejo-actions-runner.nix
+++ b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
@@ -2,15 +2,19 @@
 lib,
 pkgs,
 config,
- sources,
 ...
 }:
+let
+ sources = import ../../../npins;
+ user = "gitea-runner";
+ hm_strings = import "${sources.home-manager}/modules/lib/strings.nix" { inherit lib; };
+in
 {
 _class = "nixos";
 imports = with sources; [
- (import "${home-manager}/nixos")
+ "${home-manager}/nixos"
 "${vars}/options.nix"
 "${vars}/backends/on-machine.nix"
 ];
@@ -58,6 +62,13 @@
 virtualisation.docker.enable = true;
 vars.settings.on-machine.enable = true;
+ vars.generators."attic" = {
+ runtimeInputs = [ pkgs.coreutils ];
+ files."token".secret = true;
+ script = ''
+ cp "${config.age.secrets.attic-ci-token.path}" "$out/${"token"}"
+ '';
+ };
 vars.generators."templates" = rec {
 dependencies = [ "attic" ];
 runtimeInputs = [
@@ -68,12 +79,15 @@
 lib.mapAttrsToList (template: _: ''
 cp "$templates/${template}" "$out/${template}"
 echo "filling placeholders in template ${template}..."
- sed -i "s/${placeholder}/$(cat "${config.age.secrets.wiki-password.path}")/g" "$out/${template}"
+ sed -i "s/${config.vars.generators."attic".files."token".placeholder}/$(cat "${
+ config.vars.generators."attic".files."token".path
+ }")/g" "$out/${template}"
 '') files
 );
 files."attic.toml" = {
 secret = true;
+ owner = user;
 template = pkgs.writeText "attic.toml" ''
 default-server = "fediversity"
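Review bot: The new `hm_strings` binding in the `@@ -2,15 +2,19 @@` hunk imports `modules/lib/strings.nix` by its path inside the pinned home-manager source, which ties this module to that repository's internal layout rather than to an interface it exports. A short comment on that line would help, for example `# storeFileName is only needed to derive a valid store name for the attic config symlink below`. It would also tell the next person bumping the home-manager pin what to re-check if the path moves.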
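Review bot: The new `attic` generator in the `@@ -58,6 +62,13 @@` hunk copies the already-decrypted agenix secret to a second location on disk, and the `token` file sets only `secret = true`, with no owner or mode. It is worth confirming that the on-machine backend writes that copy with permissions at least as strict as the agenix original, since `cp` without `-p` does not carry them over. The destination `"$out/${"token"}"` interpolates a literal string and can be written as `"$out/token"`. The declaration of `age.secrets.attic-ci-token` is not part of this diff, so presumably it lives in another module.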
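Review bot: The added `sed -i` lines in the `@@ -68,12 +79,15 @@` hunk expand the token with `$(cat …)` into sed's command line, so the secret is readable in the process arguments while sed runs, and any `/`, `&` or `\` in the token would change or break the substitution. The removed line had the same shape, so this is inherited, but the commit rewrites the line and could fix it. Escape the replacement first, for example `token=$(sed 's/[\/&]/\\&/g' "$token_file")` with `$token_file` standing for the generator's token path, and hand the finished expression to sed through a script file (`sed -i -f`) rather than as an argument. The enclosing `script` definition begins outside the hunk.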
@@ -84,11 +98,18 @@
 };
 };
+ # needed to place a config file with home-manager
+ users.users.${user}.isNormalUser = true;
+
 home-manager = {
- users.gitea-runner.home = {
+ users.${user}.home = {
 stateVersion = "25.05";
 file.".config/attic/config.toml".source =
- config.vars.generators."templates".files."attic.toml".path;
+ let
+ pathStr = config.vars.generators."templates".files."attic.toml".path;
+ name = hm_strings.storeFileName (baseNameOf pathStr);
+ in
+ pkgs.runCommandLocal name { } ''ln -s ${lib.escapeShellArg pathStr} $out'';
 };
 };
 }
diff --git a/npins/sources.json b/npins/sources.json
index 9e5d1e72..6b87338c 100644
--- a/npins/sources.json
+++ b/npins/sources.json
@@ -160,9 +160,9 @@
 },
 "branch": "templates",
 "submodules": false,
- "revision": "6ff942bf2b514edaa1022a92edb6552ac32a09d1",
- "url": "https://github.com/kiaragrouwstra/vars/archive/6ff942bf2b514edaa1022a92edb6552ac32a09d1.tar.gz",
- "hash": "1h1q3l1l1c1j4ak5lcj2yh85jwqww74ildiak2dkd4h1js9v6cvw"
+ "revision": "2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b",
+ "url": "https://github.com/kiaragrouwstra/vars/archive/2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b.tar.gz",
+ "hash": "0rpxh85fizmmh7v2qvhp9jzrvcyv1yhl58zd1dk0hx33s77da84x"
 }
 },
 "version": 5
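Review bot: `users.users.${user}.isNormalUser = true;` in the `@@ -84,11 +98,18 @@` hunk of forgejo-actions-runner.nix turns the CI runner's service account into a regular login account. In NixOS that option also puts the account in the `users` group, gives it the default shell and creates a home under `/home`. If the only requirement is a home directory for home-manager to write into, a system account keeps the runner non-interactive, for example `users.users.${user} = { isSystemUser = true; group = user; home = "/var/lib/${user}"; createHome = true; };` with `users.groups.${user} = { };` (the home path here is illustrative). How the runner service itself defines this user is not visible in the diff, so check that a statically declared account does not conflict with it. The symlink built with `runCommandLocal` puts only the path in the store, not the token, and that deserves a one-line comment.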