diff --git a/.forgejo/workflows/update.yml b/.forgejo/workflows/update.yml
index 6958942..ce19b27 100644
--- a/.forgejo/workflows/update.yml
+++ b/.forgejo/workflows/update.yml
@@ -18,6 +18,14 @@ jobs:
       - name: Install Nix
         run: |
           set -euxo pipefail
+          # The Nix install script refuses to run cleanly as root unless the
+          # nixbld group + users exist, even with --no-daemon. The runner's
+          # catthehacker image runs jobs as root, so create them first.
+          groupadd -r nixbld || true
+          for i in $(seq 1 10); do
+            useradd -r -g nixbld -G nixbld -d /var/empty -s /sbin/nologin \
+              -c "Nix build user $i" "nixbld$i" || true
+          done
           curl --proto '=https' --tlsv1.2 -sSfL https://nixos.org/nix/install | sh -s -- --no-daemon
           echo "$HOME/.nix-profile/bin" >> "$GITHUB_PATH"
           mkdir -p ~/.config/nix