diff --git a/secrets/secrets-loptland.yaml b/secrets/secrets-loptland.yaml index 1ce466d..36aba22 100644 --- a/secrets/secrets-loptland.yaml +++ b/secrets/secrets-loptland.yaml @@ -8,6 +8,8 @@ forgejo: mail: password: ENC[AES256_GCM,data:XgQZM0MBUEELyhH7UvyyMEiUABs=,iv:m3Wzs2SAPQ2w6UC02lpTvwd83Dt0LEzqdIj65HeOrbU=,tag:3cr5dnjeyoJ4ze9RFd9K5g==,type:str] passwordHash: ENC[AES256_GCM,data:hHGJBUEtCi/gErZ5vm0gsEFqyIDNkED4scR4NAOSzbiiZAYTMg++yqf3hfjjwWV3wTPswNpzzw+gYKEH,iv:wDM5IOOamopFpMEkUit4y7LBZi8CJff3+Tc08lK4IXI=,tag:FaaaohtA+vBFwjDugoemQw==,type:str] + runner: + token: ENC[AES256_GCM,data:+k8qoQl3RTu1psulBKwQzvljsP0t2t/NvhXjsSgVD/lR2TQ/T5JMRA==,iv:buKtUUPTGqnfezHYEOnbgsdBMQiY3GA3Tg/VParjBwI=,tag:Z8GtHRye3vBZxlpetWik6Q==,type:str] netcup: customer_number: ENC[AES256_GCM,data:9+QboNg1,iv:Tg9ylJUM8L/kzqFmk2uIsD9noqnp5wIxr5GVXMsZwB8=,tag:2qRggSIkPHuCQYDWCfka5Q==,type:str] api: @@ -37,8 +39,8 @@ sops: UllqSDR1YWl6aU1jSnY2WE9oczg5Q28KfN15tFxXHrJmOHySK+cyLi2bFqArg244 bNTYyuBUtBW1Y/EuNpbyLjSNQpKZWFz7grE64uxrNQHP865N3wv0gg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-03T13:46:57Z" - mac: ENC[AES256_GCM,data:5o/0aL6x4Kc+IwKL4sIZ4gyG4IXZqvL6TqZFnp3GNGjazRyUKvEbTbKTj96C7W1ci+JUv73mO/0IGjPxY/Bbsv06clKxSX40XbSvWVxSOfQp1qfiQaDxswcF+7yw5vA6wsOfZnYCWeyzJHuBD8OvTE+xXE8bNil5q2ZY5OXX7nk=,iv:aR7um7d9fjJxetxj8a0LrK9zs8tAWiSvKMenYBCMWpc=,tag:Zvj+ZiM5uV5HFVwu6ZAd2A==,type:str] + lastmodified: "2024-12-28T06:45:43Z" + mac: ENC[AES256_GCM,data:lCnyuIftA7P8MXVLUm6+bXyi0dsv6W5587Veni857TXrWbTqJBkNpkY13PFdK+WH3wUptDp87NTzREkei4A2yFaUYddUpzhTSSh0HwRvOCKLPk45E5lUjJ9mYHBEXG1ZNUptcoeJIai8FOuQGA0pXrlXHsBEC164ECI6NfiCBzU=,iv:dNs6QD4agMhX0gE/4QK8W2/3f14ppaTP7Ce19TDJ4DQ=,tag:DhisJ9f56Ipb/XCLR7CAFg==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.9.2 diff --git a/systems/x86_64-linux/loptland/default.nix b/systems/x86_64-linux/loptland/default.nix index bcb8b18..6a63292 100644 --- a/systems/x86_64-linux/loptland/default.nix 
+++ b/systems/x86_64-linux/loptland/default.nix @@ -32,6 +32,9 @@ in "forgejo/mail/passwordHash" = { inherit sopsFile; }; + "forgejo/runner/token" = { + inherit sopsFile; + }; }; }; @@ -118,6 +121,24 @@ in certificateScheme = "acme-nginx"; }; + services.gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances.default = { + enable = true; + name = "monolith"; + url = "https://git.${domainName}.com"; + tokenFile = config.sops.secrets."forgejo/runner/token".path; + labels = [ + "ubuntu-latest:docker://node:16-bullseye" + "ubuntu-22.04:docker://node:16-bullseye" + "ubuntu-20.04:docker://node:16-bullseye" + "ubuntu-18.04:docker://node:16-buster" + ## optionally provide native execution on the host: + # "native:host" + ]; + }; + }; + networking.firewall.allowedTCPPorts = [ forgejoPort 80
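Review bot: The new `"forgejo/runner/token"` secret has no comment recording what the decrypted value must look like, and the `tokenFile` line in the next hunk depends on it. As far as I know the NixOS runner module passes `tokenFile` to systemd as an environment file, so the secret has to decrypt to a `TOKEN=<registration token>` line rather than the bare token; the encrypted value cannot be checked from the diff. I would add a comment above the entry such as `# env file for the runner: TOKEN=<registration token>; read by systemd, so the root-only default permissions are sufficient`. The enclosing `secrets` attribute set starts before this hunk.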
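Review bot: The four `labels` entries run jobs in `node:16-bullseye` and `node:16-buster`, which are end-of-life (Node 16 since September 2023, Debian buster since mid-2024) and referenced by mutable tag, so every CI job starts from an image that no longer receives security fixes. I would drop the 18.04/20.04 aliases unless a workflow needs them and point the rest at a supported image, e.g. `"ubuntu-latest:docker://node:22-bookworm"` and `"ubuntu-22.04:docker://node:22-bookworm"`, ideally pinned by digest. The `docker://` labels also mean the runner needs a container runtime on the same host that holds the Forgejo and mail secrets. The hunk does not show which runtime is enabled, but if it is the Docker daemon, access to it is effectively root on this machine, so a comment stating which repositories or users this runner is registered for, and that `native:host` must stay disabled, would help the next maintainer. The enclosing attribute set starts before the hunk and the `allowedTCPPorts` list continues after it.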