diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml
index 0b9c405..12a5ddc 100644
--- a/.forgejo/workflows/check.yml
+++ b/.forgejo/workflows/check.yml
@@ -8,13 +8,6 @@ jobs:
- name: Check out repository code
uses: https://code.forgejo.org/actions/checkout@v4
- - name: Prepare cachix
- uses: https://github.com/cachix/cachix-action@v14
- with:
- name: pub-solar
- authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- useDaemon: false
-
- name: Check formatting
run: |
nix --accept-flake-config --access-tokens '' develop --command treefmt --fail-on-change
diff --git a/hosts/tankstelle/forgejo-actions-runner.nix b/hosts/tankstelle/forgejo-actions-runner.nix
index 7ea8b86..3869de9 100644
--- a/hosts/tankstelle/forgejo-actions-runner.nix
+++ b/hosts/tankstelle/forgejo-actions-runner.nix
@@ -15,17 +15,37 @@
# Needed for the docker runner to communicate with the act_runner cache
networking.firewall.trustedInterfaces = [ "br-+" ];
- systemd.services."gitea-runner-tankstelle".path = with pkgs; [
- coreutils
- bash
- coreutils
- curl
- gawk
- gitMinimal
- gnused
- nodejs
- wget
- ];
+ users.users.gitea-runner = {
+ home = "/var/lib/gitea-runner/tankstelle";
+ useDefaultShell = true;
+ group = "gitea-runner";
+ # Required to interact with nix daemon
+ extraGroups = [
+ "wheel"
+ ];
+ isSystemUser = true;
+ };
+
+ users.groups.gitea-runner = { };
+
+ systemd.tmpfiles.rules = [ "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -" ];
+
+ systemd.services."gitea-runner-tankstelle" = {
+ serviceConfig.DynamicUser = lib.mkForce false;
+ path = with pkgs; [
+ coreutils
+ bash
+ coreutils
+ curl
+ gawk
+ gitMinimal
+ gnused
+ nodejs
+ wget
+ cachix
+ jq
+ ];
+ };
# forgejo actions runner
# https://forgejo.org/docs/latest/admin/actions/
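Review bot: Putting the runner account into `wheel` (the `extraGroups = [ "wheel" ];` entry on the new `users.users.gitea-runner`) grants far more than daemon access: on most NixOS hosts `wheel` is the sudo group, and every workflow job this static, non-dynamic user executes inherits that membership, so anyone who can get a job scheduled on this runner gets a direct privilege-escalation path. The nix daemon is reachable by any local user under the default `allowed-users`; if what is actually needed is trusted-user status (e.g. for `--accept-flake-config` substituters or a cachix push), that comes from `nix.settings.trusted-users`, not from group membership, unless this host maps `@wheel` into that list — which I cannot see from the hunk. Prefer the narrower `nix.settings.trusted-users = [ "gitea-runner" ];` in place of the `wheel` entry, and reword the comment to name the capability required, e.g. `# trusted nix user so cachix can push/configure substituters; note a trusted user is root-equivalent on the store`. As a minor point of style, `coreutils` appears twice in the new `path` list, carried over from the removed one. The enclosing module attribute set begins and ends outside this hunk.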