diff --git a/machines/dev/fedi203/woodpecker.nix b/machines/dev/fedi203/woodpecker.nix
index dc61e725..33d8d6c3 100644
--- a/machines/dev/fedi203/woodpecker.nix
+++ b/machines/dev/fedi203/woodpecker.nix
@@ -10,6 +10,20 @@
     defaults.email = "something@fediversity.eu";
   };
 
+  age.secrets =
+    lib.mapAttrs
+      (_: group: {
+        owner = "root";
+        inherit group;
+        mode = "440";
+      })
+      {
+        woodpecker-gitea-client = "woodpecker-server";
+        woodpecker-gitea-secret = "woodpecker-server";
+        woodpecker-agent-exec = "woodpecker-agent-exec";
+        woodpecker-agent-container = "woodpecker-agent-docker";
+      };
+
   # needs `sudo generate-vars`
   vars.settings.on-machine.enable = true;