diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
index 81cf885c..0764bc03 100644
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -131,11 +131,25 @@ jobs:
 --profile staging \
 up -d --wait --remove-orphans
+ - name: Deploy observability configs
+ # Copies the compose file and config tree from the workspace checkout
+ # into /opt/familienarchiv/ — the permanent location that persists
+ # between CI runs. Containers started in the next step bind-mount
+ # from there, so a future workspace wipe cannot corrupt a running
+ # config file. Secrets are read from /opt/familienarchiv/.env (managed
+ # separately on the server; not written or deleted by CI).
+ run: |
+ mkdir -p /opt/familienarchiv/infra
+ cp -r infra/observability /opt/familienarchiv/infra/
+ cp docker-compose.observability.yml /opt/familienarchiv/
+ - name: Start observability stack
+ # Runs from /opt/familienarchiv/ so bind mounts resolve to stable
+ # host paths that survive workspace wipes between nightly runs.
+ # Docker Compose reads /opt/familienarchiv/.env automatically.
 run: |
 docker compose \
- -f docker-compose.observability.yml \
- --env-file .env.staging \
+ -f /opt/familienarchiv/docker-compose.observability.yml \
 up -d --wait --remove-orphans
 - name: Reload Caddy
diff --git a/runner-config.yaml b/runner-config.yaml
index 23bef458..2df22cf3 100644
--- a/runner-config.yaml
+++ b/runner-config.yaml
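Review bot: `cp -r infra/observability /opt/familienarchiv/infra/` overwrites the bind-mounted config tree in place and never removes files that were deleted from the repo, so a running container can read a half-written file and stale configs survive indefinitely — the very situation the step comment says the move to /opt avoids. `rsync -a --delete infra/observability/ /opt/familienarchiv/infra/observability/` (if rsync is present in the job image) replaces each file via write-to-temp-and-rename and prunes removals; otherwise copy into a sibling directory and swap it in with `mv`. The "Runs from /opt/familienarchiv/" comment is imprecise: the step sets no working-directory, and it is the absolute `-f` path that makes Compose take /opt/familienarchiv as project directory and read its `.env`, so suggest `# The absolute -f path makes /opt/familienarchiv the Compose project directory, so relative bind mounts and .env resolve there.`. Dropping `--env-file .env.staging` means any variable that existed only in that file is now substituted as an empty string with only a warning from Compose; confirm the server-managed .env carries every key the compose file references. The steps list starts before and continues after this hunk.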
@@ -15,12 +15,15 @@ container:
 valid_volumes:
 - "/var/run/docker.sock"
 - "/srv/gitea-workspace"
+ - "/opt/familienarchiv"
 # appended to `docker run` when the runner spawns a job container
 # SECURITY: Mounting the Docker socket grants job containers root-equivalent
 # access to the host Docker daemon. Acceptable here because only trusted code
 # from this private repo runs on this runner. Do NOT use on a runner that
 # accepts untrusted PRs from external contributors.
- options: "-v /var/run/docker.sock:/var/run/docker.sock -v /srv/gitea-workspace:/srv/gitea-workspace"
+ # /opt/familienarchiv is mounted so the nightly job can deploy observability
+ # configs to the permanent location without needing ssh or nsenter.
+ options: "-v /var/run/docker.sock:/var/run/docker.sock -v /srv/gitea-workspace:/srv/gitea-workspace -v /opt/familienarchiv:/opt/familienarchiv"
 # keep network mode default (bridge) — Testcontainers handles its own networking
 force_pull: false
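Review bot: The SECURITY comment still describes only the Docker socket, while the new `-v /opt/familienarchiv:/opt/familienarchiv` gives every job container read-write access to the host deploy tree including `/opt/familienarchiv/.env`, so the "not written or deleted by CI" statement in nightly.yml is a convention, not something this mount enforces. Extend the comment, e.g. `# /opt/familienarchiv is mounted read-write: jobs can read and overwrite the server-managed .env there, so the trusted-code-only assumption above must hold for it as well.`. Since `options` applies to every job the runner spawns, not just the nightly workflow, the valid_volumes entry should say so rather than naming only the nightly job. The `container:` mapping starts above this hunk.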