diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
new file mode 100644
index 0000000..d9eb437
--- /dev/null
+++ b/.github/workflows/test.yaml
@@ -0,0 +1,14 @@
+on:
+  pull_request:
+  push:
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - run: nix build -L
+      - run: nix flake check -L
diff --git a/README.md b/README.md
index 568f318..f90e207 100644
--- a/README.md
+++ b/README.md
@@ -2,16 +2,11 @@
 
 ## Preliminaries
 
-You need Nix installed on your local dev machine, with flakes enabled. If you
-don't have Nix installed, you can use SSH onto the server and use it to run the
-commands. Obviously this doesn't work for initial provisioning.
+You need Nix installed on your local machine. You can use the
+[DeterminateSystems installer](https://github.com/DeterminateSystems/nix-installer) for this:
 
-TODO: maybe create some users on the server so we don't have to operate as root
-for everything.
-
-You can enable flakes by creating a `~/.config/nix/nix.conf` file:
-```
-experimental-features = nix-command flakes
+```sh
+curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
 ```
 
 ## How do I deploy to the server?
@@ -70,28 +65,48 @@ nix run .#start-vm
 This starts a local VM running in QEMU. Handy to check everything works as
 expected before deploying.
 
-It will forward port 443 of the VM onto port 8443, meaning you may visit
-https://localhost:8443/ once the VM has started.
+When starting, this command will obtain a Vault token and inject it into the VM
+to be used for fetch GitHub client ID and secrets. If needed, you may be
+prompted for your GitHub personal access token.
 
-Nginx is configured using a self-signed certificate, which will cause some
-browser warnings.
+Port 443 of the VM is exposed as port 8443, meaning you may visit
+https://localhost:8443/ once the VM has started. nginx is configured using a
+self-signed certificate, which will cause some browser warnings.
 
-Packit is configured to use basic authentication, but no users exist by default.
-In the VM console, run the following:
+Packit is configured to use GitHub authentication. If needed, after logging in,
+you may grant yourself more permissions on a particular Packit instance through
+the VM console.
 
 ```
-create-basic-user <instance> "admin@localhost.com" password
-grant-role <instance> "admin@localhost.com" ADMIN
+grant-role <instance> <github username> ADMIN
 ```
 
 ## How do I run the integration tests?
 
 ```sh
-nix flake check
+nix flake check -L
 ```
 
-This doesn't test that much yet, just that the Packit API eventually comes up.
-We should at least try to interact with the API a little.
+Depending on your host system and how Nix was installed on it, this may fail
+with a "qemu-kvm: failed to initialize kvm: Permission denied" error. This
+typically means that `/dev/kvm` and is not writable by the Nix build users.
+
+This can be fixed by changing the devices ACLs (Access Control Lists) to make it writable by all
+members of the nixbld group:
+
+```sh
+sudo setfacl -m g:nixbld:rw /dev/kvm
+```
+
+The above command will probably not persist across reboots. For that to work,
+create a udev rule using the following commands:
+
+```sh
+sudo tee /etc/udev/rules.d/50-nixbld-kvm.rules <<EOF
+KERNEL=="kvm", RUN+="/bin/setfacl -m g:nixbld:rw $env{DEVNAME}"
+EOF
+sudo udevadm control --reload-rules && sudo udevadm trigger
+```
 
 ## How do I add new SSH keys?
 
diff --git a/configuration.nix b/configuration.nix
index ef9c546..27b0590 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -11,6 +11,10 @@
     inputs.disko.nixosModules.disko
   ];
 
+  virtualisation.vmVariant = {
+    imports = [ ./vm.nix ];
+  };
+
   boot.loader.grub = {
     # no need to set devices, disko will add all devices that have a EF02 partition to the list already
     # devices = [ ];
diff --git a/flake.nix b/flake.nix
index 2503341..230fb0a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,6 +9,7 @@
         overlays = [ self.overlays.default ];
         config.allowUnfreePredicate = pkg: builtins.elem (nixpkgs.lib.getName pkg) [
           "vault"
+          "vault-bin"
         ];
       };
     in
@@ -29,22 +30,12 @@
         ];
       };
 
-      nixosConfigurations.vm = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
-        modules = [
-          ./configuration.nix
-          ./tests/setup.nix
-          { nixpkgs = pkgsArgs; }
-        ];
-      };
-
       packages.x86_64-linux =
         let pkgs = import nixpkgs ({ system = "x86_64-linux"; } // pkgsArgs);
         in {
           inherit (pkgs) outpack_server packit-app packit-api packit;
 
-          default = self.nixosConfigurations."wpia-packit".config.system.build.toplevel;
+          default = self.nixosConfigurations.wpia-packit.config.system.build.toplevel;
 
           deploy = pkgs.writeShellApplication {
             name = "deploy-wpia-packit";
@@ -79,12 +70,28 @@
           };
 
           update = pkgs.writers.writePython3Bin "update" { } ./scripts/update.py;
-          start-vm = self.nixosConfigurations."vm".config.system.build.vm;
+
+          start-vm = pkgs.writeShellApplication {
+            name = "start-vm";
+            runtimeInputs = [ pkgs.vault-bin ];
+            text = ''
+              export VAULT_ADDR=https://vault.dide.ic.ac.uk:8200
+              VAULT_TOKEN=$(vault print token)
+              if [[ -z $VAULT_TOKEN ]]; then
+                echo "Logging in to $VAULT_ADDR"
+                VAULT_TOKEN=$(vault login -method=github -field=token)
+              fi
+
+              exec ${nixpkgs.lib.getExe self.nixosConfigurations.wpia-packit.config.system.build.vm} \
+                -fw_cfg name=opt/vault-token,string="$VAULT_TOKEN" "$@"
+            '';
+
+          };
         };
 
-      checks.x86_64-linux.boots =
+      checks.x86_64-linux.default =
         let pkgs = import nixpkgs ({ system = "x86_64-linux"; } // pkgsArgs);
-        in pkgs.callPackage ./tests/boot.nix { inherit inputs; };
+        in pkgs.callPackage ./tests { inherit inputs; };
 
       devShells.x86_64-linux.default =
         let pkgs = import nixpkgs ({ system = "x86_64-linux"; } // pkgsArgs);
diff --git a/packages/packit/packit-api.nix b/packages/packit/packit-api.nix
index 861a332..8f8bf8c 100644
--- a/packages/packit/packit-api.nix
+++ b/packages/packit/packit-api.nix
@@ -34,6 +34,7 @@ let
     nativeBuildInputs = [ perl ];
     installPhase = ''
       find $GRADLE_USER_HOME/caches/modules-2 -type f -regex '.*\.\(jar\|pom\|module\)' \
+         | LC_ALL=C sort \
          | perl -pe 's#(.*/([^/]+)/([^/]+)/([^/]+)/[0-9a-f]{30,40}/([^/\s]+))$# ($x = $2) =~ tr|\.|/|; "install -Dm444 $1 \$out/$x/$3/$4/$5" #e' \
          | sh
       rm -rf $out/tmp
diff --git a/packages/packit/sources.json b/packages/packit/sources.json
index 438cf50..c327bb3 100644
--- a/packages/packit/sources.json
+++ b/packages/packit/sources.json
@@ -7,4 +7,4 @@
   },
   "gradleDepsHash": "sha256-HTpu1hMNol+Shi2P1GdBnO1oLlqqEWTezdmy4I9ijKY=",
   "npmDepsHash": "sha256-o//+q3trkCnKpSAWEHPZOeiMYxzKOvrGDgEv63BsnxI="
-}
\ No newline at end of file
+}
diff --git a/scripts/fetch-secrets.sh b/scripts/fetch-secrets.sh
index 1e27879..4860abc 100755
--- a/scripts/fetch-secrets.sh
+++ b/scripts/fetch-secrets.sh
@@ -1,8 +1,7 @@
 #!/usr/bin/env bash
 set -eu
 
-VAULT_ADDR=https://vault.dide.ic.ac.uk:8200
-export VAULT_ADDR
+export VAULT_ADDR="https://vault.dide.ic.ac.uk:8200"
 
 VAULT_TOKEN=$(vault login -method=github -token-only)
 export VAULT_TOKEN
diff --git a/scripts/fetch-vm-secrets.sh b/scripts/fetch-vm-secrets.sh
new file mode 100755
index 0000000..d28f8a0
--- /dev/null
+++ b/scripts/fetch-vm-secrets.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -eu
+
+export VAULT_ADDR="https://vault.dide.ic.ac.uk:8200"
+
+VAULT_TOKEN=$(cat /sys/firmware/qemu_fw_cfg/by_name/opt/vault-token/raw)
+export VAULT_TOKEN
+
+PACKIT_GITHUB_CLIENT_ID=$(vault kv get -mount=secret -field=id packit/githubauth/auth/githubclient)
+PACKIT_GITHUB_CLIENT_SECRET=$(vault kv get -mount=secret -field=secret packit/githubauth/auth/githubclient)
+
+cat > /var/secrets/github-oauth <<EOF
+PACKIT_GITHUB_CLIENT_ID=$PACKIT_GITHUB_CLIENT_ID
+PACKIT_GITHUB_CLIENT_SECRET=$PACKIT_GITHUB_CLIENT_SECRET
+EOF
diff --git a/tests/boot.nix b/tests/boot.nix
deleted file mode 100644
index fad1351..0000000
--- a/tests/boot.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ pkgs, inputs }:
-pkgs.testers.runNixOSTest {
-  name = "boot";
-  node.specialArgs = {
-    inherit inputs;
-  };
-  nodes.machine = { config, ... }: {
-    imports = [
-      ../configuration.nix
-      ./setup.nix
-    ];
-  };
-
-  testScript = ''
-    import json
-
-    machine.wait_for_unit("multi-user.target")
-    response = machine.wait_until_succeeds(
-      "curl -s --fail --location --insecure https://localhost/priority-pathogens/packit/api/auth/config"
-    )
-    data = json.loads(response)
-    assert data == {
-      "enableAuth": True,
-      "enableBasicLogin": True,
-      "enableGithubLogin": False,
-    }
-  '';
-}
diff --git a/tests/default.nix b/tests/default.nix
new file mode 100644
index 0000000..f7db286
--- /dev/null
+++ b/tests/default.nix
@@ -0,0 +1,32 @@
+{ pkgs, inputs }:
+pkgs.testers.runNixOSTest {
+  name = "boot";
+  node.specialArgs = {
+    inherit inputs;
+  };
+  nodes.machine = { lib, config, ... }: {
+    imports = [
+      ../configuration.nix
+
+      # The `virtualisation.vmVariant` setting we use to import VM-specific
+      # settings doesn't work for the test VMs, so re-import the vm module here.
+      # https://github.com/NixOS/nixpkgs/pull/339511#issuecomment-2328611982
+      ../vm.nix
+    ];
+
+    services.packit-api.instances =
+      let
+        f = name: lib.nameValuePair name {
+          authentication.method = lib.mkForce "basic";
+        };
+      in
+      lib.listToAttrs (map f config.services.multi-packit.instances);
+
+    # It's suprisingly easy to run qemu without hardware acceleration and not
+    # notice it, which makes the VM so slow the tests tend to fail. This forces
+    # KVM acceleration and will fail to start if missing.
+    virtualisation.qemu.options = [ "-machine" "accel=kvm" ];
+  };
+
+  testScript = builtins.readFile ./script.py;
+}
diff --git a/tests/script.py b/tests/script.py
new file mode 100644
index 0000000..c669ae5
--- /dev/null
+++ b/tests/script.py
@@ -0,0 +1,25 @@
+import json
+from shlex import quote
+
+machine.wait_for_unit("multi-user.target")
+
+api_url = "https://localhost/reside/packit/api"
+response = machine.wait_until_succeeds(f"curl -sfk {api_url}/auth/config")
+data = json.loads(response)
+assert data == {
+  "enableAuth": True,
+  "enableBasicLogin": True,
+  "enableGithubLogin": False,
+}
+
+machine.succeed(
+  "create-basic-user reside admin@localhost.com password",
+  "grant-role reside admin@localhost.com ADMIN")
+
+payload = json.dumps({ "email": "admin@localhost.com", "password": "password"})
+response = machine.succeed(f"curl -sfk --json {quote(payload)} {api_url}/auth/login/basic")
+token = json.loads(response)["token"]
+
+response = machine.succeed(f"curl -sfk --oauth2-bearer {quote(token)} {api_url}/outpack/")
+data = json.loads(response)
+assert data["status"] == "success"
diff --git a/tests/setup.nix b/tests/setup.nix
deleted file mode 100644
index a9f7d7e..0000000
--- a/tests/setup.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ pkgs, lib, config, localhost, ... }:
-{
-  virtualisation.vmVariant = {
-    virtualisation.memorySize = 2048;
-    virtualisation.forwardPorts = [{
-      from = "host";
-      host.port = 8443;
-      guest.port = 443;
-    }];
-  };
-
-  services.multi-packit = {
-    domain = lib.mkForce "localhost";
-  };
-
-  services.packit-api.instances =
-    let
-      f = name: lib.nameValuePair name {
-        authentication.method = lib.mkForce "basic";
-        corsAllowedOrigins = lib.mkForce [ "https://localhost:8443" ];
-      };
-    in
-    lib.listToAttrs (map f config.services.multi-packit.instances);
-
-  systemd.services."generate-secrets" = {
-    wantedBy = [
-      "multi-user.target"
-      "nginx.service"
-    ];
-    before = [ "nginx.service" ];
-
-    serviceConfig.Type = "oneshot";
-
-    script = ''
-      mkdir -p /var/secrets
-      if [[ ! -f /var/secrets/packit.key ]]; then
-        ${pkgs.openssl}/bin/openssl \
-          req -x509 -days 365 \
-          -subj "/CN=localhost" \
-          -newkey rsa:2048 -noenc \
-          -keyout /var/secrets/packit.key -out /var/secrets/packit.cert
-        chown nginx:nginx /var/secrets/packit.key
-      fi
-    '';
-  };
-
-  services.getty.autologinUser = "root";
-}
diff --git a/tools.nix b/tools.nix
index 9909a1e..e290b19 100644
--- a/tools.nix
+++ b/tools.nix
@@ -2,7 +2,7 @@
 let
   fetch-secrets = pkgs.writeShellApplication {
     name = "fetch-secrets";
-    runtimeInputs = [ pkgs.vault ];
+    runtimeInputs = [ pkgs.vault-bin ];
     text = builtins.readFile ./scripts/fetch-secrets.sh;
   };
 
diff --git a/vm.nix b/vm.nix
new file mode 100644
index 0000000..5ea34dd
--- /dev/null
+++ b/vm.nix
@@ -0,0 +1,55 @@
+{ pkgs, lib, config, ... }:
+{
+  virtualisation.memorySize = 2048;
+  virtualisation.forwardPorts = [{
+    from = "host";
+    host.port = 8443;
+    guest.port = 443;
+  }];
+  virtualisation.qemu.options = [ "-nographic" ];
+
+  services.multi-packit = {
+    domain = lib.mkForce "localhost:8443";
+  };
+
+  users.motd = ''
+    Use the 'Ctrl-A x' sequence or the `shutdown now` command to terminate the VM session.
+  '';
+
+  systemd.services."generate-secrets" =
+    let
+      packit-units = map (name: "packit-api-${name}.service") config.services.multi-packit.instances;
+      fetch-vm-secrets = pkgs.writeShellApplication {
+        name = "fetch-vm-secrets";
+        runtimeInputs = [ pkgs.vault-bin ];
+        text = builtins.readFile ./scripts/fetch-vm-secrets.sh;
+      };
+    in
+    {
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+
+      wantedBy = [ "multi-user.target" "nginx.service" ] ++ packit-units;
+      before = [ "nginx.service" ] ++ packit-units;
+
+      serviceConfig.Type = "oneshot";
+
+      script = ''
+        mkdir -p /var/secrets
+        if [[ ! -f /var/secrets/packit.key ]]; then
+          ${pkgs.openssl}/bin/openssl \
+            req -x509 -days 365 \
+            -subj "/CN=localhost" \
+            -newkey rsa:2048 -noenc \
+            -keyout /var/secrets/packit.key -out /var/secrets/packit.cert
+          chown nginx:nginx /var/secrets/packit.key
+        fi
+
+        if [[ -f /sys/firmware/qemu_fw_cfg/by_name/opt/vault-token/raw ]]; then
+          ${fetch-vm-secrets}/bin/fetch-vm-secrets
+        fi
+      '';
+    };
+
+  services.getty.autologinUser = "root";
+}