diff --git a/.gitignore b/.gitignore
index 04e74dc..2a03358 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,7 @@
 !hosts/best/
 !hosts/best/garage/
 !hosts/best/nix-serve/
+!hosts/best/hercules/
 !hosts/cube/
 !hosts/cube/matrix/
diff --git a/hosts/best/hercules/caches.age b/hosts/best/hercules/caches.age
new file mode 100644
index 0000000..16c5547
Binary files /dev/null and b/hosts/best/hercules/caches.age differ
diff --git a/hosts/best/hercules/credentials.age b/hosts/best/hercules/credentials.age
new file mode 100644
index 0000000..08626ff
Binary files /dev/null and b/hosts/best/hercules/credentials.age differ
diff --git a/hosts/best/hercules/default.nix b/hosts/best/hercules/default.nix
new file mode 100644
index 0000000..ac85b4a
--- /dev/null
+++ b/hosts/best/hercules/default.nix
@@ -0,0 +1,35 @@
+{ config, lib, ... }: let
+ inherit (lib) enabled genAttrs;
+in {
+ secrets.awsCredentials = {
+ file = ./credentials.age;
+ owner = "hercules-ci-agent";
+ };
+
+ secrets.herculesCaches = {
+ file = ./caches.age;
+ owner = "hercules-ci-agent";
+ };
+ secrets.herculesToken = {
+ file = ./token.age;
+ owner = "hercules-ci-agent";
+ };
+ secrets.herculesSecrets = {
+ file = ./secrets.age;
+ owner = "hercules-ci-agent";
+ };
+
+ home-manager.users = genAttrs [ "hercules-ci-agent" "root" ] (_: homeArgs: let
+ homeLib = homeArgs.config.lib;
+ in {
+ home.file.".aws/credentials".source = homeLib.file.mkOutOfStoreSymlink config.secrets.awsCredentials.path;
+ });
+
+ services.hercules-ci-agent = enabled {
+ settings = {
+ binaryCachesPath = config.secrets.herculesCaches.path;
+ clusterJoinTokenPath = config.secrets.herculesToken.path;
+ secretsJsonPath = config.secrets.herculesSecrets.path;
+ };
+ };
+}
diff --git a/hosts/best/hercules/secrets.age b/hosts/best/hercules/secrets.age
new file mode 100644
index 0000000..24a9a13
--- /dev/null
+++ b/hosts/best/hercules/secrets.age
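Review bot: `secrets.awsCredentials` is the only secret in the new `hosts/best/hercules/default.nix` without the `hercules` prefix used by `herculesCaches`, `herculesToken` and `herculesSecrets`, although it is decrypted from `hosts/best/hercules/credentials.age` and its only consumer is the agent's `~/.aws/credentials` symlink; renaming it to `secrets.herculesAwsCredentials` at the definition and at the `mkOutOfStoreSymlink config.secrets.herculesAwsCredentials.path` reference keeps the namespace consistent and stops it reading as a host-wide AWS credential. The four `secrets.*` blocks set `owner` but no group or mode, and the project's `secrets` module with its defaults is not in this diff, so confirm the decrypted files end up readable only by `hercules-ci-agent`, which is the only intended reader. The `genAttrs [ "hercules-ci-agent" "root" ]` entry also links `root`'s `~/.aws/credentials` to the same secret; this looks intentional but the reason is not stated, and a one-line comment such as `# root is also given the agent's AWS credentials (presumably for manual cache maintenance — confirm)` would save the next reader from guessing. A short header comment, e.g. `# Hercules CI agent on best: join token, binary-cache config and per-project secrets, each decrypted from the sibling .age file`, would document what the three `services.hercules-ci-agent.settings` paths point at.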
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 8y3T6w QFNMQ0/Nz/Hgr+AnATo5+06Xp7wwTrGSlwbE4EJ8M0o
+yr6mqPKPUsuPvtGH+N/4oZHVzYt5p2GiXCiOZKHK2IA
+-> ssh-ed25519 CzqbPQ gHGzzoNOS72IIZChwmPZ2empbMX80/set+Y3YN9nohQ
+7rScYa4ntZTJe/IpWyY5Col4+123Temz9I+6A0ILCSE
+--- IBo4lMDiPHrfQmv+PByQtft/FFNTzNyIjf0Hx9zoDuc
+7<£æë4‡.î…/É)Q³È+Q"ëñ 8¶¨¿-\$
\ No newline at end of file
diff --git a/hosts/best/hercules/token.age b/hosts/best/hercules/token.age
new file mode 100644
index 0000000..dab9524
Binary files /dev/null and b/hosts/best/hercules/token.age differ
diff --git a/secrets.nix b/secrets.nix
index e7ce42b..70f1dc1 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -7,6 +7,11 @@ in {
 "hosts/best/garage/environment.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/hercules/caches.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/hercules/credentials.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/hercules/secrets.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/hercules/token.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/nix-serve/key.age".publicKeys = [ best ] ++ admins; # cube