diff --git a/capytal/forgejo.nix b/capytal/forgejo.nix
index 6e97ab6..d980598 100644
--- a/capytal/forgejo.nix
+++ b/capytal/forgejo.nix
@@ -15,6 +15,10 @@ in {
 DEFAULT = {
 APP_NAME = "Capytal Code";
 };
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "https://data.forgejo.org";
+ };
 admin = {
 DISABLE_REGULAR_ORG_CREATION = true;
 USER_DISABLED_FEATURES = "deletion manage_ssh_keys manage_gpg_keys";
@@ -63,6 +67,23 @@ in {
 };
 };
 
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances = {
+ "forgejo-runner-1" = {
+ enable = true;
+ name = "Forgejo Runner (${config.networking.hostName}) 1";
+ url = config.services.forgejo.settings.server.ROOT_URL;
+ tokenFile = config.sops.secrets."forgejo/actions/token".path;
+ labels = [
+ "alpine-3.22:docker://data.forgejo.org/oci/alpine:3.22"
+ "golang-1.24:docker://data.forgejo.org/oci/golang:1.24-alpine3.22"
+ "node-24:docker://node:24-bullseye"
+ ];
+ };
+ };
+ };
+
 users.users."${cfg.user}".packages = [
 (pkgs.symlinkJoin {
 paths = [pkgs.forgejo];
diff --git a/common/default.nix b/common/default.nix
index 628dfba..f798352 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -4,5 +4,6 @@
 ./cloudflare.nix
 ./garage.nix
 ./postgresql.nix
+ ./virtualisation.nix
 ];
 }
diff --git a/common/virtualisation.nix b/common/virtualisation.nix
new file mode 100644
index 0000000..a4b4fec
--- /dev/null
+++ b/common/virtualisation.nix
@@ -0,0 +1,13 @@
+{...}: {
+ virtualisation = {
+ oci-containers = {
+ backend = "podman";
+ };
+ podman = {
+ enable = true;
+ dockerCompat = true;
+ dockerSocket.enable = true;
+ };
+ docker.enable = false;
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index f1dd724..74c7a02 100644
--- a/secrets.nix
+++ b/secrets.nix
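Review bot: In capytal/forgejo.nix the new `actions` block makes `https://data.forgejo.org` the place every short `uses: owner/name@ref` step is fetched from, and nothing beside the setting records that trust decision. I would add a comment above it, for example `# Short "uses:" references resolve against this host; workflows should pin actions to a full commit hash.` Enabling Actions here applies to the whole instance, so it is worth confirming which accounts can push workflows before the runner defined further down starts picking up their jobs.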
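Review bot: The three `labels` entries of `forgejo-runner-1` in capytal/forgejo.nix reference job images by mutable tag, so whatever the registry serves under that tag at pull time is what runs on this host; pinning each one to a digest (`...:3.22@sha256:<digest>`, placeholder) makes the image set reviewable. `docker://node:24-bullseye` also names no registry, unlike the two `data.forgejo.org/oci/...` entries, so which registry answers depends on the engine's short-name resolution; spelling out the host removes that ambiguity. The runner sits on the same machine as Forgejo and starts containers through the engine enabled in common/virtualisation.nix. If the token registers it instance-wide, jobs from any repository land here, so registering at organisation or repository scope, or moving the runner to a separate host, would narrow what a workflow can reach.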
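Review bot: `dockerSocket.enable = true` in common/virtualisation.nix exposes the Podman API at the Docker socket path, and access to that socket is root-equivalent on the host. Because the file is imported from common/default.nix, every machine that imports `common` gets the socket, not only the one running the Forgejo runner. I would move the `podman` block next to the runner definition in capytal/forgejo.nix, or guard it with `lib.mkIf` on the runner being configured, and add a comment such as `# Socket access is root on this host; only the actions runner should be in the podman group.` `docker.enable = false` is, as far as I know, already the default and could carry a comment saying it is deliberate.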
@@ -32,13 +32,7 @@ with lib; {
 "forgejo/s3/secret" = mkIf config.services.forgejo.enable {
 owner = config.services.forgejo.user;
 };
- "forgejo/user1/name" = mkIf config.services.forgejo.enable {
- owner = config.services.forgejo.user;
- };
- "forgejo/user1/password" = mkIf config.services.forgejo.enable {
- owner = config.services.forgejo.user;
- };
- "forgejo/user1/email" = mkIf config.services.forgejo.enable {
+ "forgejo/actions/token" = mkIf config.services.forgejo.enable {
 owner = config.services.forgejo.user;
 };
 
diff --git a/secrets.yaml b/secrets.yaml
index 210baf9..b709579 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -11,6 +11,8 @@ forgejo:
 name: ENC[AES256_GCM,data:UL3g,iv:+ftGx57fhzN06DuLItxZTc7lXX2g4MhqrEqnDjk4Aug=,tag:ZNpwWuPYhBzDjRQBKikCDA==,type:str]
 password: ENC[AES256_GCM,data:9nMuj2/VIB7Pbw==,iv:+96/NZ+gmRkpXr05nFuUfRl2rGqElUA/LuMBYBQHCHQ=,tag:hMEO40iGeyWsMd8VPOV4Yg==,type:str]
 email: ENC[AES256_GCM,data:e6GOwBzRBxa00CHYHgV8,iv:oerF3kJWzjzOatND8Tngp3MADw2kaBKyigeFxtH/ypQ=,tag:1q093JG9hRDxs6OzOIU3vw==,type:str]
+ actions:
+ token: ENC[AES256_GCM,data:tjzIEA+TuwInBwfic7P6ZpN7XyQ2RWC7CZrGEjRtFR/Lj7xb4ysPfZ7d91AjNjw=,iv:e3nWZ3BvDeZvEUiJJ6h7u37UC4GZd/i582MRzE9pkyI=,tag:rZZnz5kGiLtCrUdNwgy8Xw==,type:str]
 garage:
 admin_key: ENC[AES256_GCM,data:ORtjXzJrbWITofjNpVsTHE1gHcwNhBcbMNM=,iv:99XCuu5hGa3ZnAqbOsmgjeMouC8EnTzsJ0HuOoHwKEE=,tag:eJVx+A8MJ4g1xXr2F5hTkg==,type:str]
 admin_secret: ENC[AES256_GCM,data:7hMOXJwIr0pkCFBBh5vnDy//R9UwD+eTlddT1VGOpqYaA0andf0jRfGOr0efcX0x/EvlDOrfFqn8ME8icZRRbw==,iv:KGxqXhzNWFWiwBHRSP+aov2fCNHgFuUtpBF4nd40mGw=,tag:ixcehvjzs6CfVyAAl315dw==,type:str]
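Review bot: The new `forgejo/actions/token` entry in secrets.nix keeps `owner = config.services.forgejo.user`, but its consumer in capytal/forgejo.nix is the `gitea-actions-runner` instance (`tokenFile`), not the Forgejo server. If the runner module loads `tokenFile` as a systemd environment file, which I believe it does, the default root ownership is enough and the server account need not be able to read the registration token: `"forgejo/actions/token" = mkIf config.services.forgejo.enable {};`. The same hunk drops the three `forgejo/user1/*` declarations, while the secrets.yaml hunk still shows `name`/`password`/`email` ciphertext as context under `forgejo:`. If those are the user1 values, they should be removed from secrets.yaml as well, and the credentials rotated if they were ever in use.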
@@ -40,7 +42,7 @@ sops:
 amRmVkVoS2RqeEs3OXZVeTlsZUVEV28K1WcbGJHT8LMah5b7NN1psiucTl1OfZYO
 4T3RDSQMB3qj1TGQSdixjwRRKbMGtL3LXnvkNd+caVi5Z9OkF1O9Yg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-09-17T22:34:52Z"
- mac: ENC[AES256_GCM,data:qCQgzoxRMowRqG8oWUGm3uryAh60HGjgUGsX6piZuBY1mrgzXABDE5AoD5YA5k7d2Nxv7Auzzz/xOSPUcxO+aqYDsjwu9bc6Sl6XzoR3SlFSl/PURPbfSmABlX0iJBfUcOtGlnIDPbIuHASRCFcRpuneQ3+VeQS6MaD5n7BBCRY=,iv:Br2T8/Wq44h6RzO9ht6bUthUt5yL/MFQME0LlTaO7gE=,tag:jdznhfhgBGfqi8hOVJhKkw==,type:str]
+ lastmodified: "2025-09-25T17:46:20Z"
+ mac: ENC[AES256_GCM,data:hhpkjsatbdCW/8Bdh4wy94IOoNBQjOqlVxlcVgi6QktDEJl53Dsti1zbsAD7H8Jes4gdl6zHQwaNIvbZlPtzKsm2ZkyIS20ylu+U/NS1PtzkKkKRFPwViEoDcykGPKvSl+9kITL9tkC5IyFIBrc23+w15csCGf5W+S/0E8tGMhg=,iv:HveYGhCDPOexZJzbbTdN+0WcwsbA6vS+qRed+NvEaeg=,tag:i0Q9IbFwRd4a0YIBM6Qfqw==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2