diff --git a/ops/vault/cfg/binary-cache-deployer.nix b/ops/vault/cfg/binary-cache-deployer.nix
new file mode 100644
index 0000000000..088f2e9393
--- /dev/null
+++ b/ops/vault/cfg/binary-cache-deployer.nix
@@ -0,0 +1,28 @@
+{ ... }:
+
+{
+ resource.vault_gcp_secret_roleset.binary_cache_deployer = {
+ backend = "\${vault_gcp_secret_backend.gcp.path}";
+ roleset = "binary-cache-deployer";
+ project = "lukegb-nix";
+ secret_type = "access_token";
+ token_scopes = [
+ "https://www.googleapis.com/auth/devstorage.read_write"
+ ];
+ binding = [{
+ resource = "buckets/lukegb-nix-cache";
+ roles = ["roles/storage.objectAdmin"];
+ }];
+ };
+
+ my.servers.cofractal-ams01.appPolicies.gitlab-runner = ''
+ path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {
+ capabilities = ["read"]
+ }
+ '';
+ my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''
+ path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {
+ capabilities = ["read"]
+ }
+ '';
+}
diff --git a/ops/vault/cfg/config.nix b/ops/vault/cfg/config.nix
index 955ac41bb1..7241224889 100644
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@@ -17,6 +17,7 @@
 ./acme-ca.nix
 ./lukegbcom-deployer.nix
+ ./binary-cache-deployer.nix
 ];
 terraform = {
@@ -74,6 +75,7 @@
 my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" "ads-b" ];
 my.servers.clouvider-fra01.apps = [ "deluge" ];
 my.servers.clouvider-lon01.apps = [ "quotesdb" "gitlab-runner" ];
+ my.servers.cofractal-ams01.apps = [ "deluge" "gitlab-runner" ];
 my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ];
 my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ];
 my.servers.bvm-prosody.apps = [ "turn" ];
diff --git a/ops/vault/cfg/lukegbcom-deployer.nix b/ops/vault/cfg/lukegbcom-deployer.nix
index c737653218..e98cbd055a 100644
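Review bot: The `binding` in binary-cache-deployer.nix grants `roles/storage.objectAdmin` on `buckets/lukegb-nix-cache`, so any CI job on the two gitlab-runner hosts that can read the roleset token can also delete or overwrite every existing object in what is presumably the Nix binary cache, not just upload new ones. If the runners only need to push new store paths and check what is already present, `roles = ["roles/storage.objectViewer" "roles/storage.objectCreator"];` (keeping the `devstorage.read_write` scope) prevents a compromised job from wiping or replacing published cache contents, and whichever role set is kept deserves a one-line comment above `binding` stating why. The access-token roleset itself is the right choice over a service-account key since the token is short-lived, but the Vault policy text for gitlab-runner is repeated verbatim for cofractal-ams01 and clouvider-lon01 here and again in the lukegbcom-deployer.nix hunk; deriving it once from the hosts whose `apps` list contains "gitlab-runner" in config.nix would keep the two files from drifting when a runner host is added or removed.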
--- a/ops/vault/cfg/lukegbcom-deployer.nix
+++ b/ops/vault/cfg/lukegbcom-deployer.nix
@@ -24,4 +24,9 @@
 capabilities = ["read"]
 }
 '';
+ my.servers.cofractal-ams01.appPolicies.gitlab-runner = ''
+ path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
+ capabilities = ["read"]
+ }
+ '';
 }