diff --git a/dev-shells/default.nix b/dev-shells/default.nix
index 9cf2f44..0b238d5 100644
--- a/dev-shells/default.nix
+++ b/dev-shells/default.nix
@@ -24,6 +24,7 @@
 ++ (with pkgs; [
 attic-client
 deploy-rs
+ nixVersions.git
 nixd
 nixfmt-rfc-style
 nixos-anywhere
diff --git a/flake.lock b/flake.lock
index d9d091b..3534477 100644
--- a/flake.lock
+++ b/flake.lock
@@ -111,11 +111,11 @@
 ]
 },
 "locked": {
- "lastModified": 1737489963,
- "narHash": "sha256-1Qo3Qofx6W4s7tfvAKuq+hIUkkSRTU6j9PcDodM0hY4=",
+ "lastModified": 1737552783,
+ "narHash": "sha256-pJ2lp36L3++a5HtdN7ULcVpdB4j7yo90TDayWuAO+T8=",
 "ref": "refs/heads/main",
- "rev": "d42933081c8149ee536b0300020d4f31b206f514",
- "revCount": 10,
+ "rev": "33cf80043c64ddd6882268430454e3cbe98b692b",
+ "revCount": 11,
 "type": "git",
 "url": "file:./private"
 },
diff --git a/nixos-modules/qois/renovate/default.nix b/nixos-modules/qois/renovate/default.nix
index 3f6c268..7a9ab80 100644
--- a/nixos-modules/qois/renovate/default.nix
+++ b/nixos-modules/qois/renovate/default.nix
@@ -2,6 +2,7 @@
 config,
 pkgs,
 lib,
+ inputs,
 ...
 }:
 with lib;
@@ -26,9 +27,14 @@ in
 config = mkIf cfg.enable {
 sops.secrets."renovate/token".restartUnits = [ "renovate.service" ];
+ sops.secrets."renovate/host_rules".restartUnits = [ "renovate.service" ];
+ systemd.services.renovate.environment.LOG_LEVEL = "debug";
 services.renovate = {
 enable = true;
- credentials.RENOVATE_TOKEN = config.sops.secrets."renovate/token".path;
+ credentials = {
+ RENOVATE_TOKEN = config.sops.secrets."renovate/token".path;
+ RENOVATE_HOST_RULES = config.sops.secrets."renovate/host_rules".path;
+ };
 runtimePackages = with pkgs; [ nix ];
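Review bot: `systemd.services.renovate.environment.LOG_LEVEL = "debug";` in the `-26,9` hunk of nixos-modules/qois/renovate/default.nix is set unconditionally, so the unit that now holds both `RENOVATE_TOKEN` and `RENOVATE_HOST_RULES` writes debug-level output to the journal on every run. If this was only needed while getting the host rules to work, drop the line before merging, or gate it behind a module option that defaults to off. It would also help to add a comment such as `# host_rules: JSON array of Renovate hostRules containing registry credentials; keep out of the Nix store` next to the new secret, since nothing on the page says what the file is expected to contain. The enclosing `config = mkIf cfg.enable { … }` block continues past the end of this hunk.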
@@ -41,5 +47,12 @@ in
 };
 schedule = "*:0/10";
 };
+
+ systemd.services.renovate = {
+ path = mkBefore [ inputs.pkgs.nixVersions.git ]; # Circumvent submodule bug - remove after >=2.26 is the default.
+ script = mkBefore ''
+ echo -e "machine ${cfg.gitServer}\n login $(systemd-creds cat 'SECRET-RENOVATE_TOKEN')\n password x-oauth-basic" > ~/.netrc
+ '';
+ };
 };
 }
diff --git a/private b/private
index d429330..33cf800 160000
--- a/private
+++ b/private
@@ -1 +1 @@
-Subproject commit d42933081c8149ee536b0300020d4f31b206f514
+Subproject commit 33cf80043c64ddd6882268430454e3cbe98b692b
diff --git a/renovate.json b/renovate.json
index 7921c7f..9df5a17 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": [ "config:base" ],
+ "extends": [ "config:recommended" ],
 "lockFileMaintenance": {
 "enabled": true,
 "extends": [ "schedule:weekly" ]
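Review bot: The `script = mkBefore` line added to `systemd.services.renovate` in nixos-modules/qois/renovate/default.nix (hunk `-41,5`) writes the Renovate token to `~/.netrc` through a plain redirect, so the file gets whatever mode the unit's umask yields and stays on disk after the run. That copies a secret held in the systemd credential store into a plaintext file that may be readable by others, depending on the unit's `UMask` and home directory, neither of which is visible here. Tighten the mode before writing, and avoid `echo -e`, which would also interpret backslash sequences inside the token or host name: `umask 077` followed by `printf 'machine %s\n login %s\n password x-oauth-basic\n' ${escapeShellArg cfg.gitServer} "$(systemd-creds cat 'SECRET-RENOVATE_TOKEN')" > ~/.netrc`. Separately, `inputs.pkgs.nixVersions.git` only resolves if the flake has an input named `pkgs`; the dev-shell change in this commit takes the same package from `pkgs`, so confirm `pkgs.nixVersions.git` was not what was meant.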