diff --git a/deployment/check/common/deployerNode.nix b/deployment/check/common/deployerNode.nix
index bbaf9c70..eca4eb25 100644
--- a/deployment/check/common/deployerNode.nix
+++ b/deployment/check/common/deployerNode.nix
@@ -60,6 +60,7 @@ in
 inputs.nixops4-nixos
 inputs.nixpkgs
+ sources.nixpkgs
 sources.flake-inputs
 sources.vars
diff --git a/deployment/check/panel/nixosTest.nix b/deployment/check/panel/nixosTest.nix
index ebd4d0a8..aea71dd9 100644
--- a/deployment/check/panel/nixosTest.nix
+++ b/deployment/check/panel/nixosTest.nix
@@ -246,7 +246,7 @@ in
 nodes.mastodon.virtualisation.memorySize = 4 * 1024;
 nodes.pixelfed.virtualisation.memorySize = 4 * 1024;
 nodes.peertube.virtualisation.memorySize = 5 * 1024;
- nodes.attic.virtualisation.memorySize = 2 * 1024;
+ nodes.attic.virtualisation.memorySize = 4 * 1024;
 ## FIXME: The test of presence of the services are very simple: we only
 ## check that there is a systemd service of the expected name on the
diff --git a/infra/common/resource.nix b/infra/common/resource.nix
index fc812be4..7fc2bba5 100644
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@@ -32,7 +32,7 @@ in
 ## options that really need to be injected from the resource. Everything else
 ## should go into the `./nixos` subdirectory.
 nixos.module = {
- imports = [
+ imports = with sources; [
 "${agenix}/modules/age.nix"
 "${disko}/module.nix"
 "${vars}/options.nix"
diff --git a/npins/sources.json b/npins/sources.json
index 50a4242c..9e5d1e72 100644
--- a/npins/sources.json
+++ b/npins/sources.json
@@ -125,19 +125,6 @@ "url": "https://api.github.com/repos/bigskysoftware/htmx/tarball/v2.0.4", "hash": "1c4zm3b7ym01ijydiss4amd14mv5fbgp1n71vqjk4alc35jlnqy2" }, - "nix-templating": { - "type": "Git", - "repository": { - "type": "GitHub", - "owner": "KiaraGrouwstra", - "repo": "nix-templating" - }, - "branch": "lib-default-arg", - "submodules": false, - "revision": "e1ff247d508b4efd057a4d6bb13cf45b62c2512f", - "url": "https://github.com/KiaraGrouwstra/nix-templating/archive/e1ff247d508b4efd057a4d6bb13cf45b62c2512f.tar.gz", - "hash": "0g59h4r029jw8vlvn8da62fk9m737s80fg2qk57322iv9lkqlvp0" - }, "nix-unit": { "type": "Git", "repository": { @@ -168,14 +155,14 @@ "type": "Git", "repository": { "type": "GitHub", - "owner": "lassulus", + "owner": "kiaragrouwstra", "repo": "vars" }, - "branch": "main", + "branch": "templates", "submodules": false, - "revision": "856c18f0e7b95e262ac88ba9ddebf506a16fd4a5", - "url": "https://github.com/lassulus/vars/archive/856c18f0e7b95e262ac88ba9ddebf506a16fd4a5.tar.gz", - "hash": "095dmc67pf5idj4pgnibjbgfxpkm73px3sc6hylc9j0sqh3379q7" + "revision": "6ff942bf2b514edaa1022a92edb6552ac32a09d1", + "url": "https://github.com/kiaragrouwstra/vars/archive/6ff942bf2b514edaa1022a92edb6552ac32a09d1.tar.gz", + "hash": "1h1q3l1l1c1j4ak5lcj2yh85jwqww74ildiak2dkd4h1js9v6cvw" } }, "version": 5 diff --git a/services/fediversity/attic/default.nix b/services/fediversity/attic/default.nix index 678b0aad..2a952850 100644 --- a/services/fediversity/attic/default.nix +++ b/services/fediversity/attic/default.nix @@ -7,10 +7,6 @@ let inherit (lib) mkIf mkMerge; sources = import ../../../npins; - inherit (import "${sources.nix-templating}/lib.nix" { inherit pkgs; }) - fileContents - template_text - ; in { imports = with sources; [ 
@@ -80,11 +76,45 @@ in
 8080
 ];
+ vars.settings.on-machine.enable = true;
+ vars.generators."templates" = rec {
+ dependencies = [ "attic" ];
+ runtimeInputs = [
+ pkgs.coreutils
+ pkgs.gnused
+ ];
+ script = lib.concatStringsSep "\n" (
+ lib.mapAttrsToList (template: _: ''
+ cp "$templates/${template}" "$out/${template}"
+ echo "filling placeholders in template ${template}..."
+ ${lib.concatStringsSep "\n" (
+ lib.mapAttrsToList (
+ parent:
+ { placeholder, ... }:
+ ''
+ sed -i "s/${placeholder}/$(cat "$in/attic/${parent}")/g" "$out/${template}"
+ echo "- substituted ${parent}"
+ ''
+ ) config.vars.generators."attic".files
+ )}
+ '') files
+ );
+
+ files."attic.env" = {
+ secret = true;
+ template = pkgs.writeText "attic.env" ''
+ ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=${config.vars.generators.attic.files.token.placeholder}
+ AWS_ACCESS_KEY_ID=$(cat ${config.fediversity.attic.s3AccessKeyFile})
+ AWS_SECRET_ACCESS_KEY=$(cat ${config.fediversity.attic.s3SecretKeyFile})
+ '';
+ };
+ };
+
 vars.generators.attic = {
 runtimeInputs = [ pkgs.openssl ];
 files.token.secret = true;
 script = ''
- genrsa -traditional 4096 | base64 -w0 > $out/token
+ genrsa -traditional 4096 | base64 -w0 > "$out"/token
 '';
 };
@@ -93,17 +123,7 @@ in
 # one `monolithic` and any number of `api-server` nodes
 mode = "monolithic";
- environmentFile = "${
- template_text {
- name = "attic.env";
- outPath = "./attic.env";
- text = ''
- ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=${fileContents config.vars.generators.attic.files.token.path}
- AWS_ACCESS_KEY_ID=$(cat ${config.fediversity.attic.s3AccessKeyFile})
- AWS_SECRET_ACCESS_KEY=$(cat ${config.fediversity.attic.s3SecretKeyFile})
- '';
- }
- }/bin/attic.env";
+ environmentFile = config.vars.generators."templates".files."attic.env".path;
 # https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
 settings = {
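Review bot: `sed -i "s/${placeholder}/$(cat "$in/attic/${parent}")/g" "$out/${template}"` splices the raw secret into a regex replacement, and the only file in `config.vars.generators."attic".files` is the token written by `base64 -w0`, whose alphabet includes `/` — the `s///` delimiter — so the substitution will break on almost any real token, and `&` or `\` in a value would be reinterpreted as well. The secret also travels through sed's argv, where it is readable by other local processes for the duration of the call. If the generator script runs under bash, a literal in-shell replacement avoids both problems (below); otherwise at least choose a delimiter outside the base64 alphabet and escape `&`/`\` before substituting. `$templates` and `vars.settings.on-machine` are not defined in this hunk and presumably come from the `vars` module pinned in npins; a one-line comment naming that dependency would help the next reader. The enclosing module continues outside the hunk.
```nix
{ placeholder, ... }:
''
  # literal (non-regex) replacement done by the shell; the secret never reaches argv
  value="$(cat "$in/attic/${parent}")"
  content="$(cat "$out/${template}")"
  printf '%s\n' "''${content//"${placeholder}"/"$value"}" > "$out/${template}"
  echo "- substituted ${parent}"
''
# … unchanged: ") config.vars.generators."attic".files" and the rest of the generator …
```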
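Review bot: `environmentFile` now points at the rendered `attic.env`, whose `AWS_ACCESS_KEY_ID=$(cat ${config.fediversity.attic.s3AccessKeyFile})` and `AWS_SECRET_ACCESS_KEY=$(cat …)` lines are copied through verbatim, since the `templates` generator only substitutes the attic token placeholder. If this option is consumed as a systemd `EnvironmentFile=`, which performs no command substitution, the S3 credentials will be the literal text `$(cat …)`; the same lines existed in the removed `template_text` block, so the commit carries the problem over rather than introduces it. The new generator is the natural place to fix it: declare the two key files as inputs and substitute their contents the same way as the token, or add a comment stating which consumer expands `$(…)`. The enclosing attribute set starts and ends outside the hunk.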