diff --git a/machines/dev/fedi203/woodpecker.nix b/machines/dev/fedi203/woodpecker.nix
index 5736642f..ba5ff772 100644
--- a/machines/dev/fedi203/woodpecker.nix
+++ b/machines/dev/fedi203/woodpecker.nix
@@ -10,6 +10,29 @@
     defaults.email = "something@fediversity.eu";
   };
 
+  age.secrets = {
+    woodpecker-gitea-client = {
+      owner = "woodpecker-server";
+      group = "woodpecker-server";
+      mode = "440";
+    };
+    woodpecker-gitea-secret = {
+      owner = "woodpecker-server";
+      group = "woodpecker-server";
+      mode = "440";
+    };
+    woodpecker-agent-exec = {
+      owner = "woodpecker-agent-exec";
+      group = "woodpecker-agent-exec";
+      mode = "440";
+    };
+    woodpecker-agent-container = {
+      owner = "woodpecker-agent-docker";
+      group = "woodpecker-agent-docker";
+      mode = "440";
+    };
+  };
+
   # needs `sudo generate-vars`
   vars.settings.on-machine.enable = true;