diff --git a/deployment/check/common/deployerNode.nix b/deployment/check/common/deployerNode.nix
index 77762811..ae86d898 100644
--- a/deployment/check/common/deployerNode.nix
+++ b/deployment/check/common/deployerNode.nix
@@ -63,6 +63,7 @@ in
     sources.flake-inputs
     sources.git-hooks
     sources.vars
+    sources.nix-templating
 
     pkgs.stdenv
     pkgs.stdenvNoCC
diff --git a/npins/sources.json b/npins/sources.json
index 9e5d1e72..4fe6629f 100644
--- a/npins/sources.json
+++ b/npins/sources.json
@@ -125,6 +125,19 @@
       "url": "https://api.github.com/repos/bigskysoftware/htmx/tarball/v2.0.4",
       "hash": "1c4zm3b7ym01ijydiss4amd14mv5fbgp1n71vqjk4alc35jlnqy2"
     },
+    "nix-templating": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "KiaraGrouwstra",
+        "repo": "nix-templating"
+      },
+      "branch": "lib-default-arg",
+      "submodules": false,
+      "revision": "e1ff247d508b4efd057a4d6bb13cf45b62c2512f",
+      "url": "https://github.com/KiaraGrouwstra/nix-templating/archive/e1ff247d508b4efd057a4d6bb13cf45b62c2512f.tar.gz",
+      "hash": "0g59h4r029jw8vlvn8da62fk9m737s80fg2qk57322iv9lkqlvp0"
+    },
     "nix-unit": {
       "type": "Git",
       "repository": {
@@ -155,14 +168,14 @@
       "type": "Git",
       "repository": {
         "type": "GitHub",
-        "owner": "kiaragrouwstra",
+        "owner": "KiaraGrouwstra",
         "repo": "vars"
       },
-      "branch": "templates",
+      "branch": "rights",
       "submodules": false,
-      "revision": "6ff942bf2b514edaa1022a92edb6552ac32a09d1",
-      "url": "https://github.com/kiaragrouwstra/vars/archive/6ff942bf2b514edaa1022a92edb6552ac32a09d1.tar.gz",
-      "hash": "1h1q3l1l1c1j4ak5lcj2yh85jwqww74ildiak2dkd4h1js9v6cvw"
+      "revision": "c268638fd7afc9ba2b53c1fe925374d7cd845fa4",
+      "url": "https://github.com/KiaraGrouwstra/vars/archive/c268638fd7afc9ba2b53c1fe925374d7cd845fa4.tar.gz",
+      "hash": "07l6s66i93vp4vhwl14p8hlj1xlrdr1yac1vwklvd24jcpsj5nr7"
     }
   },
   "version": 5
diff --git a/services/fediversity/attic/default.nix b/services/fediversity/attic/default.nix
index 00030970..8a23ea76 100644
--- a/services/fediversity/attic/default.nix
+++ b/services/fediversity/attic/default.nix @@ -7,6 +7,7 @@ let inherit (lib) mkIf mkMerge; sources = import ../../../npins; + inherit (import "${sources.nix-templating}/lib.nix" { inherit pkgs; }) fileContents template_text; in { imports = with sources; [ 
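Review bot: The added `inherit (import "${sources.nix-templating}/lib.nix" { inherit pkgs; }) fileContents template_text;` evaluates Nix code from a pin that npins/sources.json (hunk @@ -125,6 +125,19 @@) resolves to the personal fork `KiaraGrouwstra/nix-templating` on feature branch `lib-default-arg`, and nothing at the import site records why a fork is needed. The `revision` and `hash` keep today's evaluation reproducible, but `branch` is what `npins update` follows, so each later refresh of this pin trusts whatever has landed on that branch. A comment above the import would make the trust decision reviewable, e.g. `# nix-templating is pinned to the fork branch lib-default-arg (npins/sources.json) because <REASON-PLACEHOLDER>; move back to an upstream tag once that change lands.` The `vars` pin moved to branch `rights` in the next sources.json hunk has the same shape and would benefit from the same note where it is consumed.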
@@ -99,57 +100,43 @@ in }; vars.settings.on-machine.enable = true; - vars.generators."templates" = rec { - dependencies = [ "attic" ]; - runtimeInputs = [ - pkgs.coreutils - pkgs.gnused - ]; - script = lib.concatStringsSep "\n" ( - lib.mapAttrsToList (template: _: '' - cp "$templates/${template}" "$out/${template}" - echo "filling placeholders in template ${template}..." - ${lib.concatStringsSep "\n" ( - lib.mapAttrsToList ( - parent: - { placeholder, ... }: - '' - sed -i "s/${placeholder}/$(cat "$in/attic/${parent}")/g" "$out/${template}" - echo "- substituted ${parent}" - '' - ) config.vars.generators."attic".files - )} - '') files - ); - - files."attic.env" = { - secret = true; - template = pkgs.writeText "attic.env" '' - ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64="${config.vars.generators.attic.files.token.placeholder}" - AWS_ACCESS_KEY_ID="$(cat ${config.fediversity.attic.s3AccessKeyFile})" - AWS_SECRET_ACCESS_KEY="$(cat ${config.fediversity.attic.s3SecretKeyFile})" - ''; - }; - }; vars.generators.attic = { runtimeInputs = [ pkgs.coreutils pkgs.openssl ]; - files.token.secret = true; + files.token = { + secret = true; + owner = "atticd"; + }; script = '' openssl genrsa -traditional 4096 | base64 -w0 > "$out"/token ''; }; + systemd.services.atticd.serviceConfig = { + EnvironmentFile = lib.mkForce "-/tmp/attic.env"; + ExecStartPre = "${ + template_text { + # FIXME find a place not public + outPath = "/tmp/attic.env"; + text = '' + ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64="${fileContents config.vars.generators.attic.files.token.path}" + AWS_ACCESS_KEY_ID="${fileContents config.fediversity.attic.s3AccessKeyFile}" + AWS_SECRET_ACCESS_KEY="${fileContents config.fediversity.attic.s3SecretKeyFile}" + ''; + name = "write"; + } + }/bin/write"; + }; + services.atticd = { enable = true; + environmentFile = "/dev/null"; # set dummy to overwrite # one `monolithic` and any number of `api-server` nodes mode = "monolithic"; - environmentFile = 
config.vars.generators."templates".files."attic.env".path; - # https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml settings = { # Socket address to listen on