diff --git a/README.md b/README.md
index 63eb662..444e893 100644
--- a/README.md
+++ b/README.md
@@ -34,6 +34,7 @@ jobs:
           S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }}
           S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }}
           NIX_SIGNING_KEY: ${{ secrets.NIX_SIGNING_KEY }}
+          NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }}
 ```
 
 **Inputs:**
@@ -111,6 +112,7 @@ jobs:
         env:
           S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }}
           S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }}
+          NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }}
 ```
 
 **Inputs:**
@@ -122,6 +124,7 @@ jobs:
 **Environment variables:**
 - `S3_ACCESS_KEY`: S3 access key (set via Forgejo secrets)
 - `S3_SECRET_KEY`: S3 secret key (set via Forgejo secrets)
+- `NOMAD_TOKEN`: Nomad ACL token for the `static-sites` namespace (set via Forgejo secrets, auto-synced by `nomad-acl-forgejo-sync`)
 
 **What it does:**
 1. Packages the site directory as a tarball
@@ -228,6 +231,7 @@ In your repository settings (or organization settings for global secrets):
 - `S3_ACCESS_KEY`: S3 access key
 - `S3_SECRET_KEY`: S3 secret key
 - `NIX_SIGNING_KEY`: Contents of `cache-priv-key.pem`
+- `NOMAD_TOKEN`: Auto-synced by `nomad-acl-forgejo-sync` on alvin (or set manually from `cat /var/lib/nomad-acl/ci.token`)
 
 ### 6. Configure SSH access from runner to alvin
 
@@ -257,6 +261,7 @@ jobs:
         env:
           S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }}
           S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }}
+          NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }}
 ```
 
 ### Node.js/Vite site with custom domain
@@ -291,6 +296,7 @@ jobs:
         env:
           S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }}
           S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }}
+          NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }}
 ```
 
 ### Hugo site
@@ -326,6 +332,7 @@ jobs:
         env:
           S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }}
           S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }}
+          NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }}
 ```
 
 ## S3 Access
diff --git a/deploy-nix-site/action.yaml b/deploy-nix-site/action.yaml
index 623a7ed..a50e9e6 100644
--- a/deploy-nix-site/action.yaml
+++ b/deploy-nix-site/action.yaml
@@ -83,6 +83,7 @@ runs:
           "Job": {
             "ID": "${{ inputs.site-name }}",
             "Name": "${{ inputs.site-name }}",
+            "Namespace": "static-sites",
             "Type": "service",
             "Datacenters": ["contabo"],
             "Constraints": [{
diff --git a/deploy-site/action.yaml b/deploy-site/action.yaml
index 27e30c7..73266a0 100644
--- a/deploy-site/action.yaml
+++ b/deploy-site/action.yaml
@@ -77,6 +77,7 @@ runs:
           "Job": {
             "ID": "${{ inputs.site-name }}",
             "Name": "${{ inputs.site-name }}",
+            "Namespace": "static-sites",
             "Type": "service",
             "Datacenters": ["contabo"],
             "Constraints": [{