diff --git a/agenix-config-module.nix b/agenix-config-module.nix
index ca371c8..0b85553 100644
--- a/agenix-config-module.nix
+++ b/agenix-config-module.nix
@@ -15,4 +15,5 @@
     owner = "headscale";
     group = "headscale";
   };
+  age.secrets.FORGEJO_ACTIONS_RUNNER.file = ./secrets/samsehu_FORGEJO_ACTIONS_RUNNER.age;
 }
diff --git a/configuration.nix b/configuration.nix
index 98c6df2..47c279e 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -354,6 +354,7 @@
 
   services.forgejo = {
     enable = true;
+    lfs.enable = true;
     settings = {
       server.ROOT_URL = "https://git.samsehu.perli.casa/";
       server.HTTP_ADDR = "127.0.0.1";
@@ -361,6 +362,23 @@
     };
   };
 
+  virtualisation.docker = {
+    enable = true;
+  };
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+    instances.default = {
+      enable = true;
+      name = "monolith";
+      url = "https://git.samsehu.perli.casa";
+      tokenFile = config.age.secrets.FORGEJO_ACTIONS_RUNNER.path;
+      labels = [
+        "ubuntu-latest:docker://node:16-bullseye"
+      ];
+    };
+  };
+
   # lldap LDAP authentication server
   users.users.lldap = {
     # allocates the `uid` in the range 100-999, which indicates to software like login managers that it should not be displayed to the user.
diff --git a/secrets/samsehu_FORGEJO_ACTIONS_RUNNER.age b/secrets/samsehu_FORGEJO_ACTIONS_RUNNER.age
new file mode 100644
index 0000000..298d724
--- /dev/null
+++ b/secrets/samsehu_FORGEJO_ACTIONS_RUNNER.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 yXNDbw 4a+/qWs85NX56a69U11wy6lNuLNhVvLoJ9NWWugUhB0
+o22suKiDXAAP8jFvQ4y+YpuBbWFb+REotJIwFBaKxiA
+-> ssh-ed25519 BTX+xA jqZwCo9Ml4DpnHsKNy+YZ2xq9yjher9XuXQuAG3CYFU
+CRkI7Haxz2krgOP/EXK0DWl16HJNeeMKGfH+wmQyv9g
+--- RfMwfHQsd1TAQThx+6iA2ZTVgNg+PxNLM0JXi6/bNJU
+A°l5Üà\U3QãÊ…õõ{V…¶ÓtIãröØÂ‡T/œ®@UÿÇØRZŽ(¾ÌðŒ‘m†-3ƒ;t.‘[ÓCFp*ãç
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 8b8cf45..98ffd83 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,4 +10,5 @@ in
   "samsehu_OIDC_APP_SECRET_HEADSCALE.age".publicKeys = geemili ++ [ samsehu ];
   "samsehu_OIDC_APP_SECRET_FORGEJO.age".publicKeys = geemili ++ [ samsehu ];
   "samsehu_LLDAP_ADMIN_PASSWORD.age".publicKeys = geemili ++ [ samsehu ];
+  "samsehu_FORGEJO_ACTIONS_RUNNER.age".publicKeys = geemili ++ [ samsehu ];
 }