diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 9a659a6..1686423 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,7 +1,7 @@
 on:
 push:
 branches:
- - master
+ - main
 jobs:
 build:
 runs-on: nixos-latest
diff --git a/fili/services/forgejo.nix b/fili/services/forgejo.nix
index 24f1e9c..c73f83a 100644
--- a/fili/services/forgejo.nix
+++ b/fili/services/forgejo.nix
@@ -79,18 +79,48 @@ in
 mailerPasswordFile = config.sops.secrets.forgejo.path;
 };
+ users.groups.forgejo-runner = { };
+ users.users.forgejo-runner = {
+ isSystemUser = true;
+ group = "forgejo-runner";
+ };
+
+ sops.secrets.forgejo-runner = {
+ sopsFile = ../../secrets/forgejo-runner.yaml;
+ format = "yaml";
+ key = "token";
+ };
+
 services.gitea-actions-runner = {
 package = pkgs.forgejo-runner;
 instances.fili = {
 enable = true;
 name = "forgejo-runner-01";
- token = "SutcrCJ3ULoE5LBj9Tm8zkvTRDEJCpbvpe7FEJHC";
+ tokenFile = config.sops.secrets.forgejo-runner.path;
 url = "https://git.donsz.nl/";
 labels = [
- "nixos-latest:docker://nixos/nix"
+ "nix:host"
+ "docker:docker://node:16-bullseye"
+ "ubuntu-latest:docker://node:16-bullseye"
 ];
 settings = { };
+
+ hostPackages = with pkgs; [
+ # default ones
+ bash
+ coreutils
+ curl
+ gawk
+ gitMinimal
+ gnused
+ nodejs
+ wget
+
+ # used in deployments
+ lix
+ openssh
+ ];
 };
 };
diff --git a/secrets/forgejo-runner.yaml b/secrets/forgejo-runner.yaml
new file mode 100644
index 0000000..0b886ae
--- /dev/null
+++ b/secrets/forgejo-runner.yaml
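Review bot: The `runs-on: nixos-latest` that deploy.yml keeps (visible as context in the first hunk) no longer matches any label on this runner once `"nixos-latest:docker://nixos/nix"`, the only entry in the old `labels` list, is replaced by `"nix:host"`, `"docker:..."` and `"ubuntu-latest:..."`, so the deploy workflow will not be scheduled here unless some other runner carries that label; either keep the old label or change the workflow to `runs-on: nix`. The value removed from `token = "..."` was committed in plaintext and remains in git history, so it should be treated as exposed and the runner re-registered with a freshly generated token rather than the same value moved into sops (the encrypted file cannot be checked from here). If I remember the nixpkgs module correctly, `tokenFile` is loaded as an environment file that must define `TOKEN=...`, whereas `key = "token"` renders the bare token, which would make registration fail; worth confirming against the module and, if so, rendering the secret as `TOKEN=<value>` via a sops template. Since `"nix:host"` runs jobs directly on the host with `lix` and `openssh` in `hostPackages`, a comment on that label should make the trust boundary explicit, e.g. `# "nix:host" runs jobs on the host itself (no container); only trusted repositories may target this runner`.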
@@ -0,0 +1,16 @@
+token: ENC[AES256_GCM,data:QKJOB1yt7GJgJ4YIpptcMywGHFzF7FbZ86Yj587jgTO1elalkJG5Tg==,iv:F5/7z0KMAKnAfz9GU8csNcKavmaP8kI67bdrBNJcSso=,tag:ztDHSDO80NGqfZ9h+F5s5g==,type:str]
+sops:
+ age:
+ - recipient: age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTEkxK1VPRTNJSE92YWpO
+ NFJ0cUxHZW9RekFJbEVjcEdFVUJvWWJERUUwClBvU3dhQ29mNXpTQlVFZDg1dHNT
+ NFptZ3ZXWlZvZ3psMWI1d0twQUg5aVUKLS0tIG9sU0NGSUY5ek1ZK1plZDJMcHlj
+ UG03bnlmb0xLNmRvVjczRnMwVUtMQkEK9wRT5YByZf1Fj6eYHmiHQJpbcH+al3yA
+ PC0SiWgl2yNWkonrzoa97ehL64ugdH+HfJboKNGvViiHdIElnHZwrQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-08-20T09:53:17Z"
+ mac: ENC[AES256_GCM,data:L1wpGzIbHWV/3uv3Xspnxv7QU+WPB7X7DCAKtDXXp6+l81oYQjkj0LXu792dj1IDYuezE6IW4GUb5ptuBiLHRlPrY/TaTCRnkiMfXYjwoOAhoAYufHhUnGsSH3M/YOnLrN3fi1m2yhHBJwUFFDfoqN/5RTzCn4wbEgXg4t4hsQA=,iv:nsqyQthQm5mi5/5LPV8nwACeij48GAdX0Q0nsnYJYYg=,tag:k7q2COG5AYGQCJ9ly5y5AA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2