diff --git a/.ci.sdImages.sh b/.ci.sdImages.sh
index 85cdf86..a8b5fe5 100755
--- a/.ci.sdImages.sh
+++ b/.ci.sdImages.sh
@@ -1,6 +1,11 @@
 #!/usr/bin/env bash
 
+set -a
 source /run/agenix/ci-secrets
+set +a
+
+cat ci-secrets.nix | envsubst > ci-secrets.nix.tmp
+mv ci-secrets.nix.tmp ci-secrets.nix
 
 set -eou pipefail
 
diff --git a/.ci.sh b/.ci.sh
index a8b3c5e..06978a6 100755
--- a/.ci.sh
+++ b/.ci.sh
@@ -1,6 +1,11 @@
 #!/usr/bin/env bash
 
+set -a
 source /run/agenix/ci-secrets
+set +a
+
+cat ci-secrets.nix | envsubst > ci-secrets.nix.tmp
+mv ci-secrets.nix.tmp ci-secrets.nix
 
 set -eou pipefail
 
diff --git a/ci-secrets.nix b/ci-secrets.nix
new file mode 100644
index 0000000..60265c0
--- /dev/null
+++ b/ci-secrets.nix
@@ -0,0 +1,3 @@
+{
+  wifi = "$__SECRET_wifi_secrets";
+}
diff --git a/modules/ci-runners.nix b/modules/ci-runners.nix
index 2562717..f2be486 100644
--- a/modules/ci-runners.nix
+++ b/modules/ci-runners.nix
@@ -42,6 +42,7 @@ in {
       wget
       jq
       nixos-rebuild
+      envsubst
     ];
   };
 
diff --git a/nixos/akamanto/default.nix b/nixos/akamanto/default.nix
index 59d45a2..3f580cc 100644
--- a/nixos/akamanto/default.nix
+++ b/nixos/akamanto/default.nix
@@ -1,5 +1,7 @@
 { config, pkgs, lib, inputs, ... }:
 
+let ci-secrets = import ../../ci-secrets.nix;
+in
 {
   # https://en.wikipedia.org/wiki/Aka_Manto
   networking.hostName = "akamanto";
@@ -20,8 +22,7 @@
     supportedFilesystems = lib.mkForce [ "vfat" "ext4" ];
   };
 
-  environment.etc."wifi-secrets".text =
-    builtins.getEnv "__SECRET_wifi_secrets";
+  environment.etc."wifi-secrets".text = ci-secrets.wifi;
 
   networking = {
     useDHCP = false;