diff --git a/configs/ci-runner/docker-rootless-config.json b/configs/ci-runner/docker-rootless-config.json
new file mode 100644
index 0000000..6affb40
--- /dev/null
+++ b/configs/ci-runner/docker-rootless-config.json
@@ -0,0 +1,8 @@
+{
+  "auths": {
+    "registry.icb4dc0.de": {
+      "auth": "${registry_auth}"
+    }
+  },
+  "currentContext": "rootless"
+}
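Review bot: The `auth` value on the new line `"auth": "${registry_auth}"` is only base64 of `username:token`, so any process that can read the rendered file recovers the Harbor token as-is. If workflow steps on this runner execute under the same account that owns the file (not visible in this diff), the token should be treated as exposed to every job. The Harbor account is best kept as a robot account limited to the projects and actions the runner needs. Separately, the file is a Terraform template rather than valid standalone Docker config, so a name such as `docker-rootless-config.json.tftpl` would make that clear to tooling and readers.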
diff --git a/forgejo-runner_machines.tf b/forgejo-runner_machines.tf
index ce8c7c6..5cfc71d 100644
--- a/forgejo-runner_machines.tf
+++ b/forgejo-runner_machines.tf
@@ -73,6 +73,16 @@ data "azurerm_key_vault_secret" "runner_secret" {
   key_vault_id = azurerm_key_vault.forgejo_runners.id
 }
 
+data "azurerm_key_vault_secret" "harbor_minion_username" {
+  name         = "harbor-minion-username"
+  key_vault_id = azurerm_key_vault.hetzner.id
+}
+
+data "azurerm_key_vault_secret" "harbor_minion_token" {
+  name         = "harbor-minion-token"
+  key_vault_id = azurerm_key_vault.hetzner.id
+}
+
 data "cloudinit_config" "runner_config" {
   for_each      = var.forgejo_runners
   gzip          = true
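Review bot: The two new `azurerm_key_vault_secret` data sources have no comment explaining that their `.value` attributes are written to Terraform state in clear text, and the rendered `cloudinit_config` that consumes them is stored there too. I would add a comment above `harbor_minion_username` such as `# Secret values land in state and in the rendered cloud-init payload; keep the state backend encrypted and access-restricted, rotate in Harbor on exposure.` These secrets are read from `azurerm_key_vault.hetzner` while `runner_secret` uses `azurerm_key_vault.forgejo_runners`, so it is worth confirming the identity running this plan has only `get` on the second vault. The `runner_secret` block starts before this hunk and the `cloudinit_config` block continues past it.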
@@ -177,6 +187,15 @@ data "cloudinit_config" "runner_config" {
             owner: runner:runner
             permissions: "0640"
             defer: true
+
+          - encoding: gzip+base64
+            content: ${base64gzip(templatefile("configs/ci-runner/docker-rootless-config.json", {
+              registry_auth: base64encode("${data.azurerm_key_vault_secret.harbor_minion_username.value}:${data.azurerm_key_vault_secret.harbor_minion_token.value}")
+}))}
+            path: /var/lib/runner/.docker/config.json
+            owner: runner:runner
+            permissions: "0640"
+            defer: true
     EOF
 }
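Review bot: The added write_files entry for `/var/lib/runner/.docker/config.json` uses `permissions: "0640"`, which leaves the registry credential readable by every member of the `runner` group; `permissions: "0600"` is sufficient for a Docker CLI running as `runner`. The credential is also embedded in the cloud-init payload, and `gzip+base64` is an encoding rather than protection, so whoever can read the instance user data (provider metadata or cloud-init's on-disk copy) can decode it. If the platform allows it, fetching the token from the vault at boot with the machine's own identity would keep it out of user data altogether. The heredoc and the enclosing `cloudinit_config` block begin outside this hunk.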