diff --git a/docs/roles/forgejo-runner.md b/docs/roles/forgejo-runner.md
new file mode 100644
index 0000000..29cabb6
--- /dev/null
+++ b/docs/roles/forgejo-runner.md
@@ -0,0 +1,13 @@
+# Forgejo runner role
+Forgejo actions runner
+
+## Notes
+- Requires runner token generated at `FORGEJO_URL/admin/actions/runners`.
+
+## Options
+### `forgejo-runner.url`
+The URL of the forgejo instance to register to.
+
+## Secrets
+### `forgejo_runner/token`
+The token used to register the runner with the forgejo instance
diff --git a/example_secrets.yaml b/example_secrets.yaml
index 3cd5e24..a337530 100644
--- a/example_secrets.yaml
+++ b/example_secrets.yaml
@@ -19,6 +19,8 @@ forgejo:
 email_from: mail@example.com
 email_username: mail@example.com
 email_password: ADifferentVeryLongSecurePassword
+forgejo_runner:
+  token: RandomTokenFromForgejo
 freshrss:
 db_pass: AVeryLongSecurePassword
diff --git a/hosts/git.nix b/hosts/git.nix
index bc9c8b4..9aa13f4 100644
--- a/hosts/git.nix
+++ b/hosts/git.nix
@@ -9,11 +9,14 @@
 roles = with roles; [
 postgres
+ podman
 forgejo
+ forgejo-runner
 ];
- config = {
+ config = rec {
 forgejo.domain = "git.${hlConfig.domain}";
+ forgejo-runner.url = "https://${forgejo.domain}";
 };
 stateVersion = "24.05";
 }
diff --git a/roles/forgejo-runner.nix b/roles/forgejo-runner.nix
new file mode 100644
index 0000000..c165434
--- /dev/null
+++ b/roles/forgejo-runner.nix
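Review bot: In the hosts/git.nix hunk, `config = rec {` turns the host config into a recursive attrset only so that `forgejo-runner.url` can reuse `forgejo.domain`; a `let` binding expresses the same dependency without `rec`, e.g. `config = let domain = "git.${hlConfig.domain}"; in { forgejo.domain = domain; forgejo-runner.url = "https://${domain}"; };`. The role list also gains `podman`, which appears to be there because the new runner role's labels use `docker://` containers; a short comment beside `podman` saying it is required by `forgejo-runner` would keep that coupling visible to whoever edits the list later. The enclosing host attrset starts before this hunk.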
@@ -0,0 +1,62 @@
+{
+ name = "Forgejo runner";
+ description = ''
+ Forgejo actions runner
+ '';
+
+ nixosModule =
+ {
+ pkgs,
+ lib,
+ config,
+ ...
+ }:
+ {
+ options.forgejo-runner = {
+ url = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+
+ config =
+ let
+ cfg = config.forgejo-runner;
+ in
+ {
+ sops.secrets = {
+ "forgejo_runner/token" = {
+ owner = "root";
+ };
+ };
+
+ # environment.persistence."/persistent" = {
+ # directories = [
+ # "/var/lib/private/gitea-runner/runner"
+ # ];
+ # };
+
+ sops.templates."forgejo_runner_token.env" = {
+ owner = "root";
+ content = ''
+ TOKEN=${config.sops.placeholder."forgejo_runner/token"}
+ '';
+ };
+
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances.default = {
+ enable = true;
+ name = "runner";
+ url = cfg.url;
+ tokenFile = config.sops.templates."forgejo_runner_token.env".path;
+ labels = [
+ "ubuntu-latest:docker://node:16-bullseye"
+ "ubuntu-22.04:docker://node:16-bullseye"
+ "ubuntu-20.04:docker://node:16-bullseye"
+ "ubuntu-18.04:docker://node:16-buster"
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/roles/podman.nix b/roles/podman.nix
index ab6f406..1f55047 100644
--- a/roles/podman.nix
+++ b/roles/podman.nix
@@ -15,6 +15,7 @@ options.podman = {
 containers = lib.mkOption {
 type = lib.types.attrs;
+ default = { };
 };
 };
diff --git a/secrets/git.yaml b/secrets/git.yaml
index 65592cf..5475a29 100644
--- a/secrets/git.yaml
+++ b/secrets/git.yaml
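Review bot: The `labels` list under `services.gitea-actions-runner.instances.default` points every ubuntu label at `node:16-bullseye` / `node:16-buster`, and both Node.js 16 and Debian buster are past end-of-life, so job containers started from these labels no longer receive security updates; a maintained tag such as `node:20-bookworm` (ideally pinned by digest) is the safer base. The `url` option is declared with only a type; adding `description = "URL of the Forgejo instance this runner registers against.";` documents it where option tooling can surface it. The `environment.persistence."/persistent"` block is left commented out with no reason given, and if this host uses impermanence the runner's registration state under that directory would presumably not survive a reboot, so either enable it or replace the comment with why it is disabled. The `docker://` labels depend on a container runtime that this role never declares (hosts/git.nix adds the `podman` role next to it); a comment at the top of the role, `# requires the podman role: all labels run jobs in docker:// containers`, makes that explicit for anyone enabling the role on another host. Since the runner is registered on the same host as the forge, it would also help to note in the role description which repositories or users are trusted to run actions, because jobs execute with whatever access the container runtime grants.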
@@ -5,6 +5,8 @@ forgejo:
 email_from: ENC[AES256_GCM,data:xFFAgVmf0boB0mOcQKKhiiRQ,iv:P8jW12RYOp4zwnRKGxjFPpTU6vS6LYozTXGPoGqXv3Q=,tag:MnIKOW3NQUumWDNLZogSzw==,type:str]
 email_username: ENC[AES256_GCM,data:iJ70yLlPzsmCkuq6XvsKpujx,iv:XlA7n1GIVhgWuGWoD3io0jSPy5pdlmwzyMdqztQqyGo=,tag:5YsLkLD0SOn0YJhKEKvJ8Q==,type:str]
 email_password: ENC[AES256_GCM,data:Wx1y1hyIeT+D0k5kXflo86cYl3Q=,iv:uTTIsEK0y1pCIsophxBNwEKoYBBNDa8qv4arjj9c4Mw=,tag:obv6lL2btVLf9365vyb+Pg==,type:str]
+forgejo_runner:
+  token: ENC[AES256_GCM,data:gd/n3MihZZRS2cglRT3hn/9UkQ5/mV84UfuxbTHpphhNZd66Gxl0Mw==,iv:gXeNSJngn2sW37/WuIKCQK64xHqOtJP893KVFolKY20=,tag:cU/PHp5KXv3GRnKpSth8BA==,type:str]
 postgres:
 forgejo: ENC[AES256_GCM,data:jG1RpH+5t9Q2aBiB0s/euEj5xLd7+7ZY7wQ9klskjFIDbjfDT8A+Llm2VlVbQDgXlhvfGjLIA2OiR4vaEH9U4g==,iv:POoGsB0P8VmuAM16IoQinGpnkpxQxb3rNDo88THfOwQ=,tag:FazT+fvxjh0AfLsoVHD+qw==,type:str]
 sops:
@@ -40,8 +42,8 @@ sops:
 TWZsbWF0U3pCZmJKRjQwRGhKNmN6d2sKgwe0htUOOw4FEC5Xvg7FAnnb8jpt+pRP
 x7OUZZG/Jeb99at9YqjJDJp2hB6SsnZsHgqrrHupqGoAYZncAF4Ngg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-04-08T10:49:24Z"
- mac: ENC[AES256_GCM,data:DczVEHMow0k66KVcfU9tlsg131VUZhwUMSiDLBTb22KtHJs/eSrjqQ+P+naTX8a4lOAn4KzQiRugl1AieBmPhB77RyFjM2WRDLYZlbxv9d8StjNlgAdpOok4aGhxf8fncI+op+Gk5HOSoVsT7IVnofK+0V+14XhmgfQJpHuP2yE=,iv:Z4yfkbrvhlubP8DNhGkfwzvOI1CRJBgo7MolxGV3/EU=,tag:ptATWw7zn0UP/GFBRSy/bg==,type:str]
+ lastmodified: "2025-04-13T13:46:14Z"
+ mac: ENC[AES256_GCM,data:fuUcngHun2tLyDFAmHAK2g8VEapiDJqYoRnpZkHdI8EfCDYkNBuY9rcKKeTni4qrndWU6+0eI9tYsALEO3LKCk25+rezXvN4sA8fDndh+pQpPP8yG2KtDkljE8XyHzmRqM7LSny23y/J44iiCNOGGE+SpEmQOTK+3fQIiS+AlTI=,iv:5EuYNhYVnLbKlbI0lHzigMByFDcztU8jVorAtKzobSw=,tag:Qi1kIHzkOKM6c9CoR9c2tg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.9.1
+ version: 3.9.4