diff --git a/default.nix b/default.nix index 70c5aaf5..513dfd12 100644 --- a/default.nix +++ b/default.nix @@ -64,6 +64,7 @@ in pkgs.httpie pkgs.jq pkgs.nix-unit + pkgs.attic-client test-loop nixops4.packages.${system}.default ]; diff --git a/infra/common/nixos/default.nix b/infra/common/nixos/default.nix index 71b08426..9d9f994d 100644 --- a/infra/common/nixos/default.nix +++ b/infra/common/nixos/default.nix @@ -24,6 +24,14 @@ in experimental-features = nix-command flakes ''; + nix.settings = { + substituters = [ + "https://attic.fediversity.net/demo" + ]; + trusted-public-keys = [ + "demo:N3CAZ049SeBVqBM+OnhLMrxWJ9altbD/aoJtHrY19KM=" + ]; + }; boot.loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; diff --git a/machines/dev/forgejo-ci/forgejo-actions-runner.nix b/machines/dev/forgejo-ci/forgejo-actions-runner.nix index bb6928cc..4b13d854 100644 --- a/machines/dev/forgejo-ci/forgejo-actions-runner.nix +++ b/machines/dev/forgejo-ci/forgejo-actions-runner.nix @@ -1,8 +1,20 @@ -{ pkgs, config, ... }: +{ + lib, + pkgs, + config, + sources, + ... +}: { _class = "nixos"; + imports = with sources; [ + (import "${home-manager}/nixos") + "${vars}/options.nix" + "${vars}/backends/on-machine.nix" + ]; + services.gitea-actions-runner = { package = pkgs.forgejo-actions-runner; 
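Review bot: Setting `nix.settings.substituters` and `nix.settings.trusted-public-keys` as plain lists in infra/common/nixos/default.nix replaces Nix's defaults rather than extending them, so unless cache.nixos.org and its key are added somewhere else these hosts may stop substituting from it; `nix.settings.extra-substituters` / `nix.settings.extra-trusted-public-keys` append instead and would keep the default cache. Trusting the `demo` key on every machine also means any store path signed by it is accepted fleet-wide, so the key's private half needs the same protection as the rest of the secrets tree and a comment above the block would help the next reader, e.g. `# trust the fediversity attic cache (demo key): anything signed by it is accepted on all hosts`. The attrset this hunk edits starts and ends outside the hunk.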
@@ -44,4 +56,39 @@ ## For the Docker mode of the runner. virtualisation.docker.enable = true; + + vars.settings.on-machine.enable = true; + vars.generators."templates" = rec { + dependencies = [ "attic" ]; + runtimeInputs = [ + pkgs.coreutils + pkgs.gnused + ]; + script = lib.concatStringsSep "\n" ( + lib.mapAttrsToList (template: _: '' + cp "$templates/${template}" "$out/${template}" + echo "filling placeholders in template ${template}..." + sed -i "s/${placeholder}/$(cat "${config.age.secrets.wiki-password.path}")/g" "$out/${template}" + '') files + ); + + files."attic.toml" = { + secret = true; + template = pkgs.writeText "attic.toml" '' + default-server = "fediversity" + + [servers.fediversity] + endpoint = "http://localhost:8080" + token = "${config.vars.generators.attic.files.token.placeholder}" + ''; + }; + }; + + home-manager = { + users.gitea-runner.home = { + stateVersion = "25.05"; + file.".config/attic/config.toml".source = + config.vars.generators."templates".files."attic.toml".path; + }; + }; } diff --git a/secrets/attic-ci-token.age b/secrets/attic-ci-token.age new file mode 100644 index 00000000..60fafd04 Binary files /dev/null and b/secrets/attic-ci-token.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 88d1bb03..4b368f30 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -24,6 +24,7 @@ concatMapAttrs ## are able to decrypt them. { + attic-ci-token = [ forgejo-ci ]; forgejo-database-password = [ vm02116 ]; forgejo-email-password = [ vm02116 ]; forgejo-runner-token = [ forgejo-ci ];
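Review bot: The `sed -i "s/${placeholder}/$(cat …)/g"` line in the `templates` generator script splices the secret into sed's program text, so the value shows up in the sed process's argument list and any `/`, `&`, `\` or newline in it corrupts the substitution; `pkgs.replace-secret` does this job without either problem, e.g. add it to `runtimeInputs` and write `replace-secret '${placeholder}' "<secret file>" "$out/${template}"`. The same line reads `config.age.secrets.wiki-password.path`, while the commit registers `attic-ci-token` in secrets.nix and declares `dependencies = [ "attic" ]`, so the value written into attic.toml is presumably the wrong secret — please confirm which source is intended. `placeholder` is not bound by the visible `rec` set, the module arguments or the `template: _:` lambda, so unless it comes from an enclosing scope the interpolation fails to evaluate; `config.vars.generators.attic.files.token.placeholder`, already used in the TOML template, looks like the intended value. The module attrset these options live in starts outside the hunk.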