diff --git a/.forgejo/workflows/cd.yaml b/.forgejo/workflows/cd.yaml
index 62ab5acf..8e45cbe0 100644
--- a/.forgejo/workflows/cd.yaml
+++ b/.forgejo/workflows/cd.yaml
@@ -13,12 +13,14 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Set up SSH key to access age secrets
+      - name: Set up SSH key for age secrets and SSH
         run: |
           env
           mkdir -p ~/.ssh
           echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519
           chmod 600 ~/.ssh/id_ed25519
+          eval "$(ssh-agent -s)"
+          ssh-add ~/.ssh/id_ed25519
 
       - name: Deploy
         run: nix-shell --run 'nixops4 apply default'
diff --git a/infra/common/resource.nix b/infra/common/resource.nix
index 5e2b9fef..26b57c29 100644
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@@ -58,6 +58,8 @@ in
     users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
       # allow our panel vm access to the test machines
       keys.panel
+      # allow continuous deployment access
+      keys.cd
     ];
 
   };