diff --git a/.secrets/hetzner/forgejo-runner-token.yaml b/.secrets/hetzner/forgejo-runner-token.yaml new file mode 100644 index 0000000..cf7baa5 --- /dev/null +++ b/.secrets/hetzner/forgejo-runner-token.yaml @@ -0,0 +1,30 @@ +forgejo-runner-token: ENC[AES256_GCM,data:i+aJ2YclxVkeVldukq3OjU8/2kIaqJWCXye7KsK65EYosSV6tzhRDg==,iv:NLlnpeausiXz3P1dT1uwoeQglTx6BiJkfw3z9soTE3k=,tag:LnXs/MMnmaPMKG4Lnq+q6A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1qur4kh3gay9ryk3jh2snvjp6x9eq94zdrmgkrfcv4fzsu7l6lumq4tr3uy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBOUVxRXduVWhjNHdnZCtH + U0VLWE01VkJaWmNDUzE1bmorRDN5RWNwTnhJClRkcDNzb1U2MzZ3TDhXSnI4Z252 + a1A0dzQ5eUlScDhhYjl6WEdnYnlxUm8KLS0tIDczaXlvcDVwUzdQY1h6a01QM2p6 + T3FBVWJqaHQwVnIrNFVsWVBub2djMG8KsbZb43UkVe1Up0O15UTC/PdsEkwwOnVW + 9P4AGO097HfTLkAjKJHx5QYF02dJ+4xb6rgzUYt9Nr8h8+GD0xRAfQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dwcz3fmp29ju4svy0t0wz4ylhpwlqa8xpw4l7t4gmgqr0ev37qrsfn840l + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdlhZbDhqamNGU2QrZDN5 + MlY5RFgrV3NJUk1PYWJLSnpCZjhiTUF5b0RrCmRHV0JnYlBmL2p0WE9UTzJUcVhK + dkhiYlJtYWtDN0lseHRCNTUzb252TmsKLS0tIGZKbjA3dkVwcnZNK2djV1BvSkJo + a09FM1ZqSWdsdytjdVFCanVldHVoWUUKyy/LXNd/vZLdgXYXfloFkNviaddvrazw + 4Z0bJ/fqGvRPlLkTUzZlhWKVXfZFGgo5nQSEvyphkIb6UCyd9VamnA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-27T10:59:24Z" + mac: ENC[AES256_GCM,data:vlsjGIIAzrwOFUkZsihghFBMV0dxhP2wZa3xJowMfjcA8MbWmdAKSqTpC4aQ3VY7pL7xxZ4Z8uglgtkz+Yz48u/s1dzNMknQ0xhlI2BUURcYlhdAslWPouKAPJN773sirIXGM2Ki63w7UrfSOaphl88DiwKO2LeG1EQvYZKBafo=,iv:Fy+VsrCFY8afMnInC6abj6eWnwzuh8kfBApZh6muw6o=,tag:gd4vj0wfgC9GyNV+aZea1g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/systems/x86_64-linux/mx/forgejo.nix b/systems/x86_64-linux/mx/forgejo.nix index 7d60c4e..5a67997 100644 --- a/systems/x86_64-linux/mx/forgejo.nix 
+++ b/systems/x86_64-linux/mx/forgejo.nix
@@ -51,4 +51,24 @@
 }
 ];
 };
+
+ sops.secrets."forgejo-runner-token" = {
+ sopsFile = ../../../.secrets/hetzner/forgejo-runner-token.yaml; # bring your own password file
+ };
+
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances.default = {
+ enable = true;
+ name = "base";
+ url = "https://git.hoyer.xyz";
+ tokenFile = config.sops.secrets.forgejo-runner-token.path;
+ labels = [
+ "ubuntu-latest:docker://node:16-bullseye"
+ "ubuntu-22.04:docker://node:16-bullseye"
+ "ubuntu-20.04:docker://node:16-bullseye"
+ "ubuntu-18.04:docker://node:16-buster"
+ ];
+ };
+ };
 }
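Review bot: `tokenFile` is read by the `services.gitea-actions-runner` module as an environment file that has to define `TOKEN=<registration token>`, and the `forgejo-runner-token` secret added in this commit looks like it holds the bare token instead: its ciphertext decodes to 40 bytes, which leaves no room for a `TOKEN=` prefix in front of a token of the usual length (inferred from the length only, please confirm). If that is the case the runner will not register; re-encrypt the value as `TOKEN=<token>` and replace the copied comment on `sopsFile` with `# sops-encrypted env file, plaintext is TOKEN=<runner registration token>`. Separately, all four `labels` map to `node:16-*` images, an end-of-life Node line referenced by mutable tag; a maintained image pinned by digest is a safer base for jobs that run repository-supplied code. The module body that encloses these options starts above the hunk, so whether Docker is enabled and how this host is shared with the Forgejo service is not visible here.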