diff --git a/README.md b/README.md
index 3eaa3c7..4899007 100644
--- a/README.md
+++ b/README.md
@@ -66,3 +66,6 @@ Usage:
 sops $file # To edit a file
 sops-rekey # To rekey all secrets, e.g. after a key rollover or new host
 ```
+
+After changing secrets, don't forget to push the sub-repository and run
+`nix flake update private` in the infrastructure repository to use the changes in builds.
diff --git a/flake.lock b/flake.lock
index 6e79830..d9d091b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -111,10 +111,11 @@
 ]
 },
 "locked": {
- "lastModified": 1734984619,
- "narHash": "sha256-D9awD3ArJ+8jCPr96HruGS4xpkJ7h2+V0Yiaay/9pyE=",
- "rev": "18d3b3b703a6139b9ebd5ec64311717cf2a6f9bc",
- "revCount": 7,
+ "lastModified": 1737489963,
+ "narHash": "sha256-1Qo3Qofx6W4s7tfvAKuq+hIUkkSRTU6j9PcDodM0hY4=",
+ "ref": "refs/heads/main",
+ "rev": "d42933081c8149ee536b0300020d4f31b206f514",
+ "revCount": 10,
 "type": "git",
 "url": "file:./private"
 },
diff --git a/nixos-configurations/lindberg-build/applications/default.nix b/nixos-configurations/lindberg-build/applications/default.nix
index d9360ee..35d4632 100644
--- a/nixos-configurations/lindberg-build/applications/default.nix
+++ b/nixos-configurations/lindberg-build/applications/default.nix
@@ -13,6 +13,7 @@
 qois.git-ci-runner.enable = true;
 qois.attic.enable = true;
 qois.postgresql.package = pkgs.postgresql_15;
+ qois.renovate.enable = true;
 
 # Remove substituters that are hosted on this node, to prevent lockups
 # since the current nix implementation is not forgiving with unavailable subsituters.
diff --git a/nixos-modules/qois/renovate/default.nix b/nixos-modules/qois/renovate/default.nix
new file mode 100644
index 0000000..3f6c268
--- /dev/null
+++ b/nixos-modules/qois/renovate/default.nix
@@ -0,0 +1,45 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib;
+let
+ cfg = config.qois.renovate;
+in
+{
+
+ options.qois.renovate = {
+ enable = mkEnableOption "Enable renovate service";
+ gitServer = mkOption {
+ description = "Gitea/Forgejo server that should be accessed";
+ type = types.str;
+ default = "git.qo.is";
+ };
+ gitAuthor = mkOption {
+ description = "Author of commit messages";
+ type = types.str;
+ default = "Renovate Bot ";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ sops.secrets."renovate/token".restartUnits = [ "renovate.service" ];
+ services.renovate = {
+ enable = true;
+ credentials.RENOVATE_TOKEN = config.sops.secrets."renovate/token".path;
+ runtimePackages = with pkgs; [
+ nix
+ ];
+ settings = {
+ inherit (cfg) gitAuthor;
+ endpoint = "https://${cfg.gitServer}/api/v1";
+ platform = "gitea";
+ autodiscover = true;
+ optimizeForDisabled = true;
+ };
+ schedule = "*:0/10";
+ };
+ };
+}
diff --git a/private b/private
index dcfc21e..d429330 160000
--- a/private
+++ b/private
@@ -1 +1 @@
-Subproject commit dcfc21e991b4ce056e24c26bb992b1af378d035a
+Subproject commit d42933081c8149ee536b0300020d4f31b206f514
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..250864d
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,8 @@
+{
+ "extends": [
+ "config:base"
+ ],
+ "nix": {
+ "enabled": true
+ }
+}
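Review bot: `autodiscover = true;` in the `settings` block comes with no `autodiscoverFilter`, so the service will process every repository the `RENOVATE_TOKEN` account can reach on `cfg.gitServer`, and the token's scope on the Gitea side, not this module, is what bounds the blast radius of a bot that, with `nix` in `runtimePackages`, presumably runs lock-file updates driven by each repository's own flake inputs. Exposing an allow-list, e.g. a `autodiscoverFilter = mkOption { type = types.listOf types.str; default = [ ]; }` forwarded into `settings`, and a comment on the `sops.secrets."renovate/token"` line stating that the token should belong to a dedicated bot account with only the repositories it is meant to touch, would make that boundary explicit (`<org>/*` is the shape such a filter takes; value to be chosen by the operator). `mkEnableOption "Enable renovate service"` renders as "Whether to enable Enable renovate service." because `mkEnableOption` prepends "Whether to enable"; `mkEnableOption "the renovate service"` reads correctly. The `gitAuthor` default shows as `"Renovate Bot "` with no `<email>` part, which Renovate expects in that setting; this may be an artifact of how the page was rendered, but it is worth confirming the committed value.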
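Review bot: `"config:base"` in `extends` is the preset that upstream Renovate has deprecated in favour of `config:recommended`; if the Renovate packaged here is recent enough, `"config:recommended"` avoids the deprecation notice in every run's log and tracks the maintained defaults. The `nix` manager enabled below is what makes the `nix` runtime package in the NixOS module necessary, so a one-line comment next to that package noting the dependency on this file would help a reader who only sees one of the two (JSON itself cannot carry the comment, so the module is the place for it).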