diff --git a/secret/hosts/argon.nix b/secret/hosts/argon.nix
index a58a4c1..abeec16 100644
Binary files a/secret/hosts/argon.nix and b/secret/hosts/argon.nix differ
diff --git a/secret/hosts/tanker.nix b/secret/hosts/tanker.nix
index cee26db..b504dfc 100644
Binary files a/secret/hosts/tanker.nix and b/secret/hosts/tanker.nix differ
diff --git a/system/hosts/argon.nix b/system/hosts/argon.nix
index 2ea5114..a3bb8cd 100644
--- a/system/hosts/argon.nix
+++ b/system/hosts/argon.nix
@@ -25,7 +25,7 @@ in
 ../nixos/chrony.nix
- (import ../nixos/forgejo-runner.nix (args // { name = "argon"; tag = "ubuntu-latest-arm64"; nixTag = "arm64"; }))
+ (import ../nixos/forgejo-runner.nix (args // { inherit secret; name = "argon"; tag = "ubuntu-latest-arm64"; nixTag = "arm64"; }))
 ../nixos/grafana.nix
 ../nixos/loki.nix
diff --git a/system/hosts/tanker.nix b/system/hosts/tanker.nix
index 34143a3..039b1b4 100644
--- a/system/hosts/tanker.nix
+++ b/system/hosts/tanker.nix
@@ -34,7 +34,7 @@ in
 ../nixos/fedifetcher.nix
 ../nixos/forgejo.nix
- (import ../nixos/forgejo-runner.nix (args // { name = "tanker"; tag = "ubuntu-latest-amd64"; nixTag = "amd64"; }))
+ (import ../nixos/forgejo-runner.nix (args // { inherit secret; name = "tanker"; tag = "ubuntu-latest-amd64"; nixTag = "amd64"; }))
 ../nixos/headscale.nix
diff --git a/system/nixos/forgejo-runner.nix b/system/nixos/forgejo-runner.nix
index 493a8ff..4ed2950 100644
--- a/system/nixos/forgejo-runner.nix
+++ b/system/nixos/forgejo-runner.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, name, tag, nixTag, ... }:
+{ pkgs, config, secret, name, tag, nixTag, ... }:
 # Based on: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
@@ -53,8 +53,14 @@ in cat < etc/nix/nix.conf accept-flake-config = true experimental-features = nix-command flakes + substituters = https://attic.cache.daniel.sx/nifoc-ci?priority=1 https://nix-community.cachix.org?priority=2 https://cache.nixos.org/ + trusted-public-keys = nifoc-ci:JpD9zqVQi8JuS7B8htPDOQZh08rhInMnGFS9RVhiuwk= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= NIX_CONFIG + cat < etc/nix/netrc + ${secret.forgejo_runner.netrc} + NIX_NETRC + cat < etc/nsswitch.conf passwd: files mymachines systemd group: files mymachines systemd
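Review bot: Interpolating `${secret.forgejo_runner.netrc}` into the script at evaluation time bakes the credential into the rendered script text, which presumably ends up as a world-readable path in /nix/store; the enclosing string starts outside this hunk, so confirm how the script is built. Any local user, and anything that copies that store path to a binary cache, could then read the netrc. Deliver it at runtime from a file kept outside the store and install it with tight permissions instead of the heredoc, e.g. `install -m 0600 "<RUNTIME_SECRET_PATH>" etc/nix/netrc`. If CI jobs run with this tree as their root they can read `etc/nix/netrc`, so the token for `attic.cache.daniel.sx` should be pull-only; otherwise a job could push into the `nifoc-ci` cache that the added `substituters` and `trusted-public-keys` lines trust at priority 1.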