diff --git a/modules/default.nix b/modules/default.nix
index 4424dca8..2274ae30 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -10,6 +10,7 @@
 desktop-extended = import ./desktop-extended;
 docker = import ./docker;
 #email = import ./email;
+ forgejo-actions-runner = import ./forgejo-actions-runner;
 #gaming = import ./gaming;
 graphical = import ./graphical;
 invoiceplane = import ./invoiceplane;
diff --git a/modules/forgejo-actions-runner/default.nix b/modules/forgejo-actions-runner/default.nix
new file mode 100644
index 00000000..6b983293
--- /dev/null
+++ b/modules/forgejo-actions-runner/default.nix
@@ -0,0 +1,58 @@
+{
+ config,
+ pkgs,
+ lib,
+ flake,
+ ...
+}:
+let
+ hostname = config.networking.hostName;
+in
+{
+ age.secrets."forgejo-actions-runner-token.age" = {
+ file = "${flake.self}/secrets/forgejo-actions-runner-token.age";
+ mode = "440";
+ };
+
+ # Trust docker bridge interface traffic
+ # Needed for the docker runner to communicate with the act_runner cache
+ networking.firewall.trustedInterfaces = [ "br-+" ];
+
+ users.users.gitea-runner = {
+ home = "/var/lib/gitea-runner/${hostname}";
+ useDefaultShell = true;
+ group = "gitea-runner";
+ # Required to interact with nix daemon
+ extraGroups = [ "wheel" ];
+ isSystemUser = true;
+ };
+
+ users.groups.gitea-runner = { };
+
+ systemd.tmpfiles.rules = [ "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -" ];
+
+ systemd.services."gitea-runner-${hostname}" = {
+ serviceConfig.DynamicUser = lib.mkForce false;
+ };
+
+ # forgejo actions runner
+ # https://forgejo.org/docs/latest/admin/actions/
+ # https://docs.gitea.com/usage/actions/quickstart
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-runner;
+ instances."${hostname}" = {
+ enable = true;
+ name = hostname;
+ url = "https://git.pub.solar";
+ tokenFile = config.age.secrets."forgejo-actions-runner-token.age".path;
+ labels = [
+ # provide a debian 12 bookworm base with Node.js for actions
+ "debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
+ # fake the ubuntu name, commonly used in actions examples
+ "ubuntu-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
+ # alpine with Node.js
+ "alpine-latest:docker://node:20-alpine"
+ ];
+ };
+ };
+}
diff --git a/secrets/forgejo-actions-runner-token.age b/secrets/forgejo-actions-runner-token.age
new file mode 100644
index 00000000..02997e3b
Binary files /dev/null and b/secrets/forgejo-actions-runner-token.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 4a263e54..eb525e2e 100644
--- a/secrets/secrets.nix
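Review bot: `extraGroups = [ "wheel" ];` in the `users.users.gitea-runner` block puts a service account that executes jobs fetched from `https://git.pub.solar` into the NixOS administrative group, which is much broader than the stated goal of talking to the nix daemon. Any local user can connect to the daemon unless `nix.settings.allowed-users` has been restricted, and if this host lists `@wheel` in `nix.settings.trusted-users` (not visible in this diff) the runner becomes a trusted nix user, which is effectively root; prefer dropping `wheel` and naming the account explicitly, e.g. `nix.settings.allowed-users = [ "gitea-runner" ];`, and add it to `trusted-users` only if a specific feature needs it, saying which in the comment. Likewise `networking.firewall.trustedInterfaces = [ "br-+" ];` exposes every host-listening port to every Docker bridge network, including the networks the job containers run in; if only the act_runner cache must be reachable, `networking.firewall.interfaces."br-+".allowedTCPPorts = [ <CACHE_PORT> ];` with a comment naming the cache port is the narrower rule. Because `DynamicUser` is forced off and the home under `/var/lib/gitea-runner` persists, both grants outlive any single job rather than being scoped to it.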
+++ b/secrets/secrets.nix
@@ -26,6 +26,7 @@ in
 "mnx-bonanza-pf1.p12.age".publicKeys = allKeys;
 "docker-ci-runner-secrets.age".publicKeys = allKeys;
 "test-secret.age".publicKeys = [ users.teutat3s-5-nfc ];
+ "forgejo-actions-runner-token.age".publicKeys = allKeys;
 "hosting-de-acme-secrets.age".publicKeys = [ machines.fae users.teutat3s