diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index f68d1f7..3501868 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -44,22 +44,46 @@ jobs:
         docker push $IMAGE:latest
         docker push $IMAGE:${{ github.sha }}
 
-    - name: Substitute secrets into Nomad job
+    - name: Ensure data directory on int node
       run: |
-        sed \
-          -e "s|__DATABASE_URL__|${{ secrets.DATABASE_URL }}|g" \
-          -e "s|__ANTHROPIC_API_KEY__|${{ secrets.ANTHROPIC_API_KEY }}|g" \
-          -e "s|__SAXO_APP_KEY__|${{ secrets.SAXO_APP_KEY }}|g" \
-          -e "s|__SAXO_APP_SECRET_1__|${{ secrets.SAXO_APP_SECRET_1 }}|g" \
-          mmd.nomad > mmd_deploy.nomad
+        # Run a one-shot batch job on 'int' to create /opt/nomad/volumes/moneymaker-data
+        cat <<'EOF' > mkdir_job.nomad
+        job "mmd-mkdir" {
+          type        = "batch"
+          datacenters = ["dc1"]
+          group "setup" {
+            count = 1
+            constraint {
+              attribute = "${node.unique.name}"
+              value     = "int"
+            }
+            task "mkdir" {
+              driver = "docker"
+              config {
+                image   = "busybox:latest"
+                command = "/bin/sh"
+                args    = ["-c", "mkdir -p /host/moneymaker-data && chmod 777 /host/moneymaker-data && echo 'Created OK'"]
+                volumes = ["/opt/nomad/volumes:/host"]
+              }
+              resources { cpu = 50; memory = 32 }
+            }
+          }
+        }
+        EOF
+        nomad job run mkdir_job.nomad
+        sleep 10
+        nomad job status mmd-mkdir
+        nomad job stop -purge mmd-mkdir || true
+      env:
+        NOMAD_ADDR: "https://nomad.i80.dk:4646"
 
     - name: Validate Nomad job
-      run: nomad job validate mmd_deploy.nomad
+      run: nomad job validate mmd.nomad
       env:
         NOMAD_ADDR: "https://nomad.i80.dk:4646"
 
     - name: Deploy to Nomad
-      run: nomad job run mmd_deploy.nomad
+      run: nomad job run mmd.nomad
       env:
         NOMAD_ADDR: "https://nomad.i80.dk:4646"
 
diff --git a/mmd.nomad b/mmd.nomad
index e74f3a8..a7897b2 100644
--- a/mmd.nomad
+++ b/mmd.nomad
@@ -32,13 +32,7 @@ job "moneymaker" {
 
     constraint {
       attribute = "${node.unique.name}"
-      value     = "autobox"
-    }
-
-    volume "moneymaker-data" {
-      type      = "host"
-      source    = "moneymaker-data"
-      read_only = false
+      value     = "int"
     }
 
     service {
@@ -74,16 +68,11 @@ job "moneymaker" {
     task "web" {
       driver = "docker"
 
-      volume_mount {
-        volume      = "moneymaker-data"
-        destination = "/app/data"
-        read_only   = false
-      }
-
       config {
         image      = "registry.i80.dk/gitea/mmd:latest"
         ports      = ["http"]
         force_pull = true
+        volumes    = ["/opt/nomad/volumes/moneymaker-data:/app/data"]
       }
 
       restart {
@@ -94,16 +83,28 @@ job "moneymaker" {
       }
 
       env {
-        APP_ENV           = "production"
-        PORT              = "${NOMAD_PORT_http}"
-        HOST              = "0.0.0.0"
-        LOG_DIR           = "/app/data/logs"
-        SAXO_TOKEN_FILE   = "/app/data/.saxo_token.json"
-        HF_HOME           = "/app/data/hf-cache"
-        DATABASE_URL      = "__DATABASE_URL__"
-        ANTHROPIC_API_KEY = "__ANTHROPIC_API_KEY__"
-        SAXO_APP_KEY      = "__SAXO_APP_KEY__"
-        SAXO_APP_SECRET_1 = "__SAXO_APP_SECRET_1__"
+        APP_ENV         = "production"
+        PORT            = "${NOMAD_PORT_http}"
+        HOST            = "0.0.0.0"
+        LOG_DIR         = "/app/data/logs"
+        SAXO_TOKEN_FILE = "/app/data/.saxo_token.json"
+        HF_HOME         = "/app/data/hf-cache"
+      }
+
+      template {
+        data        = <<EOF
+DATABASE_URL={{ key "mmd/DATABASE_URL" }}
+ANTHROPIC_API_KEY={{ key "mmd/anthropic_api_key" }}
+SAXO_APP_KEY={{ key "mmd/SAXO_APP_KEY" }}
+SAXO_APP_SECRET_1={{ key "mmd/SAXO_APP_SECRET_1" }}
+SAXO_APP_SECRET_2={{ key "mmd/SAXO_APP_SECRET_2" }}
+SAXO_BASE={{ key "mmd/SAXO_BASE" }}
+SAXO_AUTH_URL={{ key "mmd/SAXO_AUTH_URL" }}
+SAXO_TOKEN_URL={{ key "mmd/SAXO_TOKEN_URL" }}
+SAXO_REDIRECT={{ key "mmd/SAXO_REDIRECT" }}
+EOF
+        destination = "secrets/app.env"
+        env         = true
       }
 
       resources {
@@ -116,17 +117,12 @@ job "moneymaker" {
     task "worker" {
       driver = "docker"
 
-      volume_mount {
-        volume      = "moneymaker-data"
-        destination = "/app/data"
-        read_only   = false
-      }
-
       config {
         image      = "registry.i80.dk/gitea/mmd:latest"
         command    = "python"
         args       = ["scheduler.py"]
         force_pull = true
+        volumes    = ["/opt/nomad/volumes/moneymaker-data:/app/data"]
       }
 
       restart {
@@ -137,13 +133,25 @@ job "moneymaker" {
       }
 
       env {
-        LOG_DIR           = "/app/data/logs"
-        SAXO_TOKEN_FILE   = "/app/data/.saxo_token.json"
-        HF_HOME           = "/app/data/hf-cache"
-        DATABASE_URL      = "__DATABASE_URL__"
-        ANTHROPIC_API_KEY = "__ANTHROPIC_API_KEY__"
-        SAXO_APP_KEY      = "__SAXO_APP_KEY__"
-        SAXO_APP_SECRET_1 = "__SAXO_APP_SECRET_1__"
+        LOG_DIR         = "/app/data/logs"
+        SAXO_TOKEN_FILE = "/app/data/.saxo_token.json"
+        HF_HOME         = "/app/data/hf-cache"
+      }
+
+      template {
+        data        = <<EOF
+DATABASE_URL={{ key "mmd/DATABASE_URL" }}
+ANTHROPIC_API_KEY={{ key "mmd/anthropic_api_key" }}
+SAXO_APP_KEY={{ key "mmd/SAXO_APP_KEY" }}
+SAXO_APP_SECRET_1={{ key "mmd/SAXO_APP_SECRET_1" }}
+SAXO_APP_SECRET_2={{ key "mmd/SAXO_APP_SECRET_2" }}
+SAXO_BASE={{ key "mmd/SAXO_BASE" }}
+SAXO_AUTH_URL={{ key "mmd/SAXO_AUTH_URL" }}
+SAXO_TOKEN_URL={{ key "mmd/SAXO_TOKEN_URL" }}
+SAXO_REDIRECT={{ key "mmd/SAXO_REDIRECT" }}
+EOF
+        destination = "secrets/app.env"
+        env         = true
       }
 
       resources {