diff --git a/hosts/osmium/configuration.nix b/hosts/osmium/configuration.nix
index dc437dc..592b3e2 100644
--- a/hosts/osmium/configuration.nix
+++ b/hosts/osmium/configuration.nix
@@ -5,6 +5,8 @@
 [
 ./hardware-configuration.nix
 ../../configuration/proxmox-vm
+
+ ./nixfiles-updated-inputs.nix
 ];
 boot.loader.grub.enable = true;
diff --git a/hosts/osmium/nixfiles-updated-inputs.nix b/hosts/osmium/nixfiles-updated-inputs.nix
new file mode 100644
index 0000000..cff6766
--- /dev/null
+++ b/hosts/osmium/nixfiles-updated-inputs.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.services.nixfiles-updated-inputs = {
+ environment = {
+ GIT_SSH_COMMAND = "ssh -o UserKnownHostsFile=${pkgs.writeText "known_hosts" "git.clerie.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHQDwfRlw6L+pkLjXDgW2BUWlY1zNEDtVhNEsClgqaL"} -i %d/nixfiles-updated-inputs-ssh";
+ # nix likes a home directory to place the cache there
+ HOME = "/var/lib/nixfiles-updated-inputs";
+ };
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = pkgs.nixfiles-updated-inputs + "/bin/nixfiles-updated-inputs";
+ StateDirectory = "nixfiles-updated-inputs";
+ WorkingDirectory = "/var/lib/nixfiles-updated-inputs";
+ DynamicUser = true;
+ # this sets the correct file permissions for the ssh key because we use DynamicUser
+ LoadCredential = "nixfiles-updated-inputs-ssh:${config.age.secrets."nixfiles-updated-inputs-ssh".path}";
+ };
+ startAt = "*-*-* 03:03:00";
+ };
+}
diff --git a/hosts/osmium/secrets/nixfiles-updated-inputs-ssh.age b/hosts/osmium/secrets/nixfiles-updated-inputs-ssh.age
new file mode 100644
index 0000000..497a234
Binary files /dev/null and b/hosts/osmium/secrets/nixfiles-updated-inputs-ssh.age differ
diff --git a/pkgs/nixfiles/default.nix b/pkgs/nixfiles/default.nix
index 20353ce..bab538a 100644
--- a/pkgs/nixfiles/default.nix
+++ b/pkgs/nixfiles/default.nix
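Review bot: The `GIT_SSH_COMMAND` value pins the server key through `UserKnownHostsFile` but does not make host-key checking explicit and still lets ssh try identities other than the loaded credential; adding `-o StrictHostKeyChecking=yes -o IdentitiesOnly=yes` next to the existing options makes the intent (only this host key, only this deploy key) enforced rather than dependent on ssh's non-interactive defaults. `UserKnownHostsFile` alone only replaces the per-user file, so the system-wide `/etc/ssh/ssh_known_hosts` is still consulted; add `-o GlobalKnownHostsFile=/dev/null` if the pinned key is meant to be the sole trust anchor for the push. `HOME` and `WorkingDirectory` are the same directory that the script clones into with `git clone … .`, so anything nix writes under `$HOME/.cache` before a checkout exists would make that clone fail on a non-empty directory — presumably fine on a fresh state directory, but a comment next to `HOME` saying the directory must stay empty until the first successful clone would record that assumption.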
@@ -1,10 +1,12 @@
 { pkgs, ... }:
 pkgs.writeShellApplication {
- name = "nixfiles-updated-inputs.sh";
+ name = "nixfiles-updated-inputs";
 text = builtins.readFile ./nixfiles-updated-inputs.sh;
- runtimeInputs = [
- pkgs.git
+ runtimeInputs = with pkgs; [
+ git
+ nix
+ openssh
 ];
 }
diff --git a/pkgs/nixfiles/nixfiles-updated-inputs.sh b/pkgs/nixfiles/nixfiles-updated-inputs.sh
index b8a2806..282cef4 100755
--- a/pkgs/nixfiles/nixfiles-updated-inputs.sh
+++ b/pkgs/nixfiles/nixfiles-updated-inputs.sh
@@ -4,10 +4,15 @@
 set -euo pipefail
 NOW="$(date --utc --iso-8601=minutes)"
-git fetch origin master
+git status || git clone gitea@git.clerie.de:clerie/nixfiles.git .
+echo "[!] Download changes"
+git fetch --all
 git checkout updated-inputs
-git merge -s ort -X theirs origin/master -m "Update from master ${NOW}"
+git -c "user.name=Flake Update Bot" -c "user.email=flake-update-bot@clerie.de" merge -s ort -X theirs origin/master -m "Update from master ${NOW}"
+echo "[!] Update inputs"
 nix flake update
+echo "[!] Commit changes"
 git add flake.lock
-git commit -m "Flake update ${NOW}" || true
+git -c "user.name=Flake Update Bot" -c "user.email=flake-update-bot@clerie.de" commit -m "Flake update ${NOW}" || true
+echo "[!] Publish"
 git push origin updated-inputs
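Review bot: `nix` in the new `runtimeInputs` resolves to `pkgs.nix`, not to the Nix the host is configured with (`config.nix.package` on NixOS), so `nix flake update` in the service may run a different Nix version than the one that later evaluates the resulting lock file; if that matters, take the package as an argument (constructed example: `{ pkgs, nix ? pkgs.nix, ... }:` with `runtimeInputs = [ pkgs.git nix pkgs.openssh ];`) and pass `config.nix.package` from the module. The `with pkgs;` scope is a style choice; for a three-item list, writing `pkgs.git pkgs.nix pkgs.openssh` explicitly keeps attribute provenance visible.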
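Review bot: The rewritten commit line still ends in `|| true`, which hides every failure of `git commit` (identity misconfiguration, a hook, a locked index) rather than only the "nothing to commit" case, and once it is swallowed `set -e` no longer stops the script before `git push`; an explicit staged-change check keeps real failures visible: `git diff --cached --quiet || git -c "user.name=Flake Update Bot" -c "user.email=flake-update-bot@clerie.de" commit -m "Flake update ${NOW}"`. The bot identity is duplicated on the `merge` and `commit` lines; setting it once after the clone with `git config user.name`/`git config user.email`, or exporting `GIT_AUTHOR_NAME`/`GIT_AUTHOR_EMAIL`/`GIT_COMMITTER_NAME`/`GIT_COMMITTER_EMAIL` from the unit, keeps the two from drifting. `git status` as the "is this a checkout" test also succeeds when the working directory sits inside any parent repository and prints a full status into the journal on every run; `git rev-parse --git-dir >/dev/null 2>&1` is the narrower check. `git fetch --all` additionally pulls any extra remotes present in the state directory; `git fetch origin` keeps it scoped to the remote the `merge` line actually uses.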