diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 1686423..9a659a6 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,7 +1,7 @@
 on:
   push:
     branches:
-      - main
+      - master
 jobs:
   build:
     runs-on: nixos-latest
diff --git a/fili/services/forgejo.nix b/fili/services/forgejo.nix
index c73f83a..24f1e9c 100644
--- a/fili/services/forgejo.nix
+++ b/fili/services/forgejo.nix
@@ -79,48 +79,18 @@ in
     mailerPasswordFile = config.sops.secrets.forgejo.path;
   };
 
-  users.groups.forgejo-runner = { };
-  users.users.forgejo-runner = {
-    isSystemUser = true;
-    group = "forgejo-runner";
-  };
-
-  sops.secrets.forgejo-runner = {
-    sopsFile = ../../secrets/forgejo-runner.yaml;
-    format = "yaml";
-    key = "token";
-  };
-
   services.gitea-actions-runner = {
     package = pkgs.forgejo-runner;
 
     instances.fili = {
       enable = true;
       name = "forgejo-runner-01";
-      tokenFile = config.sops.secrets.forgejo-runner.path;
+      token = "SutcrCJ3ULoE5LBj9Tm8zkvTRDEJCpbvpe7FEJHC";
       url = "https://git.donsz.nl/";
       labels = [
-        "nix:host"
-        "docker:docker://node:16-bullseye"
-        "ubuntu-latest:docker://node:16-bullseye"
+        "nixos-latest:docker://nixos/nix"
       ];
       settings = { };
-
-      hostPackages = with pkgs; [
-        # default ones
-        bash
-        coreutils
-        curl
-        gawk
-        gitMinimal
-        gnused
-        nodejs
-        wget
-
-        # used in deployments
-        lix
-        openssh
-      ];
     };
   };
 
diff --git a/secrets/forgejo-runner.yaml b/secrets/forgejo-runner.yaml
deleted file mode 100644
index 0b886ae..0000000
--- a/secrets/forgejo-runner.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-token: ENC[AES256_GCM,data:QKJOB1yt7GJgJ4YIpptcMywGHFzF7FbZ86Yj587jgTO1elalkJG5Tg==,iv:F5/7z0KMAKnAfz9GU8csNcKavmaP8kI67bdrBNJcSso=,tag:ztDHSDO80NGqfZ9h+F5s5g==,type:str]
-sops:
-    age:
-        - recipient: age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTEkxK1VPRTNJSE92YWpO
-            NFJ0cUxHZW9RekFJbEVjcEdFVUJvWWJERUUwClBvU3dhQ29mNXpTQlVFZDg1dHNT
-            NFptZ3ZXWlZvZ3psMWI1d0twQUg5aVUKLS0tIG9sU0NGSUY5ek1ZK1plZDJMcHlj
-            UG03bnlmb0xLNmRvVjczRnMwVUtMQkEK9wRT5YByZf1Fj6eYHmiHQJpbcH+al3yA
-            PC0SiWgl2yNWkonrzoa97ehL64ugdH+HfJboKNGvViiHdIElnHZwrQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-20T09:53:17Z"
-    mac: ENC[AES256_GCM,data:L1wpGzIbHWV/3uv3Xspnxv7QU+WPB7X7DCAKtDXXp6+l81oYQjkj0LXu792dj1IDYuezE6IW4GUb5ptuBiLHRlPrY/TaTCRnkiMfXYjwoOAhoAYufHhUnGsSH3M/YOnLrN3fi1m2yhHBJwUFFDfoqN/5RTzCn4wbEgXg4t4hsQA=,iv:nsqyQthQm5mi5/5LPV8nwACeij48GAdX0Q0nsnYJYYg=,tag:k7q2COG5AYGQCJ9ly5y5AA==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2