diff --git a/infrastructure/concourse/jobs/concourse-ci-web.hcl b/infrastructure/concourse/jobs/concourse-ci-web.hcl
index 2ec09e6..08c8144 100644
--- a/infrastructure/concourse/jobs/concourse-ci-web.hcl
+++ b/infrastructure/concourse/jobs/concourse-ci-web.hcl
@@ -107,13 +107,18 @@ fi
 EOF
 destination = "${NOMAD_SECRETS_DIR}/main.sh"
 }
+
+ resources {
+ cpu = 3000
+ memory = 512
+ }
 }
 task "web" {
 driver = "docker"
 config {
- image = "concourse/concourse@sha256:fa136abb336f2c2aed8d41d21b382d364c3387c24f3fdef15c720c292c9216d4"
+ image = "concourse/concourse@sha256:9adc59ea1ccdb2d0262451d30ff0298dc92139ba7cfb8bfd99b1a469441594e0"
 command = "web"
 ports = ["http", "tsa"]
 }
@@ -129,34 +134,37 @@ EOF template { data = < /dev/null 2>&1
+then
+ concourse generate-key -t ssh -f /worker_key
+
+ _worker_key="$(cat /worker_key)"
+ _worker_key_pub="$(cat /worker_key.pub)"
+ echo -e "$${_worker_key//$'\n'/\\\\n}" > /worker_key
+ echo -e "$${_worker_key_pub//$'\n'/\\\\n}" > /worker_key.pub
+
+ JSON_FMT='{"public_key":"%s","private_key":"%s"}'
+ printf "$JSON_FMT" "$(< /worker_key.pub)" "$(< /worker_key)" > secret.json
+
+ vault kv put kv/concourse/workers/{{ env "attr.unique.hostname" }} @secret.json
+fi
+EOF
+ destination = "${NOMAD_TASK_DIR}/main.sh"
+ }
 }
 task "worker" {
 driver = "docker"
 config {
- image = "concourse/concourse@sha256:fa136abb336f2c2aed8d41d21b382d364c3387c24f3fdef15c720c292c9216d4"
+ image = "concourse/concourse@sha256:9adc59ea1ccdb2d0262451d30ff0298dc92139ba7cfb8bfd99b1a469441594e0"
 command = "worker"
 privileged = true
 }
@@ -74,6 +104,14 @@ EOF
 EOF
 destination = "${NOMAD_SECRETS_DIR}/tsa_host_key.pub"
 }
+
+ kill_timeout = "1h"
+ kill_signal = "SIGUSR2"
+
+ resources {
+ cpu = 32000
+ memory = 2048
+ }
 }
 }
 }
diff --git a/infrastructure/concourse/policies/concourse-web-policy.hcl b/infrastructure/concourse/policies/concourse-web-policy.hcl
index 01f3506..43417fe 100644
--- a/infrastructure/concourse/policies/concourse-web-policy.hcl
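Review bot: The new digest on the `task "web"` image line carries no human-readable release marker, and the identical digest is repeated on the `task "worker"` image line later in this diff, so the two pins can silently drift on the next bump. A trailing comment on each image line recording what the digest resolves to, e.g. `# concourse/concourse:<RELEASE_TAG — fill in>`, keeps the pin auditable; if the Nomad version in use supports job `variable` blocks, a single variable for the image would remove the duplication entirely, but that is inferred, not visible here. The added `resources` block for the script task requests 3000 MHz of CPU for what is a shell script; if that figure is intentional a short comment saying why would stop a later reader from "fixing" it.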
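Review bot: The `kill_timeout = "1h"` added in the `@@ -74,6 +104,14 @@` hunk of the worker job is silently capped by the Nomad client's `max_kill_timeout`, which defaults to 30s, so unless that client setting was raised outside this diff the worker will be SIGKILLed long before the intended graceful retire completes. The pairing with `kill_signal = "SIGUSR2"` (Concourse's retire signal) is the right intent but is undocumented; I would add above the two lines `# SIGUSR2 asks the worker to retire (drain builds, deregister from the TSA) before exiting;` and `# the 1h grace only takes effect if the Nomad client's max_kill_timeout is raised to match.` The enclosing task block starts outside this hunk.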
+++ b/infrastructure/concourse/policies/concourse-web-policy.hcl
@@ -14,6 +14,6 @@ path "kv/data/concourse/db" {
 capabilities = ["read"]
 }
-path "kv/data/concourse/pipelines/*" {
+path "kv/data/concourse/pipelines/+/+/*" {
 capabilities = ["read"]
 }
diff --git a/infrastructure/concourse/policies/concourse-worker-policy.hcl b/infrastructure/concourse/policies/concourse-worker-policy.hcl
index 0fb68fe..cc6a8c2 100644
--- a/infrastructure/concourse/policies/concourse-worker-policy.hcl
+++ b/infrastructure/concourse/policies/concourse-worker-policy.hcl
@@ -1,5 +1,5 @@
 path "kv/data/concourse/workers/*" {
- capabilities = ["read", "update", "delete"]
+ capabilities = ["read", "update", "delete", "create"]
 }
 path "kv/data/concourse/web" {
diff --git a/infrastructure/dotfiles-pipeline.yaml b/infrastructure/dotfiles-pipeline.yaml
index 16bd98c..645de14 100644
--- a/infrastructure/dotfiles-pipeline.yaml
+++ b/infrastructure/dotfiles-pipeline.yaml
@@ -45,7 +45,7 @@ jobs:
 out=$(pwd)
 cd src/nix
- nix -v --log-format raw -L --experimental-features 'nix-command flakes' build --out-link $out/nix.tar.gz .#dockerImages.x86_64-linux.nix.build
+ nix -vv --log-format raw -L --experimental-features 'nix-command flakes' build --out-link $out/nix.tar.gz .#dockerImages.x86_64-linux.nix.build
 - put: push-nix-image
 params:
 image: nix.tar.gz
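Review bot: The new `kv/data/concourse/pipelines/+/+/*` path in the web policy only matches entries at least three segments below `pipelines/`, so a two-segment team-level entry such as `kv/data/concourse/pipelines/<team>/<secret>` is no longer readable. Concourse's Vault credential manager also falls back to a team-scoped path when a pipeline-scoped one is missing, so if this deployment relies on team-shared secrets they will stop resolving; whether that fallback is in use is not visible here. If narrowing to pipeline-scoped secrets is deliberate, record it on the block, e.g. `# pipeline-scoped secrets only (<team>/<pipeline>/<secret>); team-level fallback intentionally denied`, otherwise keep the previous `pipelines/*` path.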
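Review bot: The `create` capability added to `kv/data/concourse/workers/*` in the worker policy is what lets the keygen script's `vault kv put kv/concourse/workers/{{ env "attr.unique.hostname" }}` succeed on a first write, but the wildcard plus `create`/`update`/`delete` means any worker's Vault token can overwrite or delete every other worker's key entry, not just its own. Nothing in this diff uses `delete` (the script only reads and writes its own host's entry), so dropping it is a free reduction; scoping the path to the node itself needs Vault policy templating over an identity attribute the worker's auth role exposes, which cannot be confirmed from here. At minimum a comment on the block such as `# one entry per worker host; every worker token can currently write all entries` makes the blast radius explicit.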