diff --git a/components/virtualisation/docker.nix b/components/virtualisation/docker.nix
index ced626d..c28c176 100644
--- a/components/virtualisation/docker.nix
+++ b/components/virtualisation/docker.nix
@@ -15,6 +15,7 @@ with lib;
   config = mkIf config.components.virtualisation.docker.enable {
 
     virtualisation.docker.enable = true;
+    virtualisation.docker.extraPackages = [ pkgs.zfs ];
 
   };
 
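Review bot: The new `virtualisation.docker.extraPackages = [ pkgs.zfs ];` carries no why-comment, while the parallel line in podman.nix explains itself with `# make sure /var/lib/containers/storage is a zfs dataset`; add the same here, e.g. `# zfs userland for dockerd's zfs storage driver; /var/lib/docker has to be a zfs dataset for it to be picked`. Putting the zfs binaries on dockerd's PATH does not by itself select the driver, and nothing in this hunk sets one, so as far as I can tell dockerd will silently fall back to overlay2 if /var/lib/docker is not zfs-backed; if zfs is the intent, setting `virtualisation.docker.storageDriver = "zfs";` next to it would make a misconfigured host fail loudly instead. The enclosing module continues outside the hunk.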
diff --git a/components/virtualisation/podman.nix b/components/virtualisation/podman.nix
index 6907eb7..c2b373e 100644
--- a/components/virtualisation/podman.nix
+++ b/components/virtualisation/podman.nix
@@ -12,13 +12,20 @@ with lib;
     default = config.components.virtualisation.enable;
   };
 
-  config = mkIf config.components.virtualisation.podman.enable {
+  config = mkMerge [
+    (mkIf config.components.virtualisation.podman.enable {
 
-    virtualisation.podman.enable = true;
+      virtualisation.podman.enable = true;
 
-    # make sure /var/lib/containers/storage is a zfs dataset
-    virtualisation.podman.extraPackages = [ pkgs.zfs ];
+      # make sure /var/lib/containers/storage is a zfs dataset
+      virtualisation.podman.extraPackages = [ pkgs.zfs ];
 
-  };
+    })
+    (mkIf (config.components.virtualisation.podman.enable && (!config.virtualisation.docker.enable)) {
+      virtualisation.podman.dockerCompat = true;
+      virtualisation.podman.dockerSocket.enable = true;
+    })
+
+  ];
 
 }
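Review bot: `virtualisation.podman.dockerSocket.enable = true;` on the new side publishes the rootful podman API at the docker socket path, and as far as I recall the NixOS module makes that socket reachable by members of the `podman` group, so anyone in that group can start a privileged container and is effectively root; the second `mkIf` should say so. Add above it: `# docker-compatible socket = rootful podman API; podman group membership is root-equivalent. Only when the real dockerd is off, since both would claim /var/run/docker.sock`. Gating on `config.virtualisation.docker.enable` rather than on the component flag is the right call, since it also covers docker enabled by some other module; a `mkIf` on the raw option and one on the component flag in the same `mkMerge` is a little asymmetric, so a one-line comment on why the raw option is used would help the next reader.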
diff --git a/machines/orbi/configuration.nix b/machines/orbi/configuration.nix
index ba52518..49db785 100644
--- a/machines/orbi/configuration.nix
+++ b/machines/orbi/configuration.nix
@@ -56,6 +56,8 @@
   components.network.enable = true;
   components.network.nginx.landingpage.enable = false;
   components.network.wifi.enable = false;
+  components.virtualisation.enable = true; # we only enable this stuff where we need it explicitly
+  components.virtualisation.podman.enable = false;
 
   features.network.fail2ban.enable = true;
   features.boot.ssh.enable = true;
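Review bot: The comment on `components.virtualisation.enable = true;` says the stuff is enabled only where needed, but this is the umbrella flag the sub-components default from (podman.nix in this same diff has `default = config.components.virtualisation.enable;`), so the line turns on every sub-component that is not explicitly disabled, and the `podman.enable = false;` beneath it is what actually narrows the set. Say what is wanted rather than what is avoided, e.g. `# orbi needs docker for the forgejo runner; podman stays off because its dockerCompat socket would collide with the real dockerd`. Whether the docker sub-component follows the same default is not visible in this hunk, so confirm that docker really ends up enabled here.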
diff --git a/machines/orbi/service-forgejo-runner.nix b/machines/orbi/service-forgejo-runner.nix
index 9f198b4..a8a4d62 100644
--- a/machines/orbi/service-forgejo-runner.nix
+++ b/machines/orbi/service-forgejo-runner.nix
@@ -10,9 +10,12 @@ let
 in
 {
 
-  virtualisation.podman.enable = true;
+  # note:
+  # I can't for some reason use any run-on: ubuntu-latest (docker container) to build docker contains,
+  # I have to use native and run the docker commands via `run: docker build ...`.
+  #
+  # `run-on: ubuntu-latest` and `docker/login-action` or `docker/build-and-push-action` does not work.
 
-  #nix.settings.trusted-users = [ "root" "gitea-runner"];
   nix.settings.allowed-users = [
     "*"
     "gitea-runner"
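Review bot: The new comment block is the only record of why the runner builds images natively instead of in a job container, and it has wording that will send the next reader after the wrong key: the workflow key is `runs-on`, not `run-on`, and "build docker contains" should read "build docker containers". It also does not say what actually fails (an error message, or that the job container cannot reach a docker socket), which is what someone would need to remove the workaround later. Suggested replacement for the five lines: `# Jobs using runs-on: ubuntu-latest (run in a container) cannot build images here with docker/login-action or docker/build-push-action; use runs-on: native and plain docker commands instead. Root cause not yet understood - see <link to failing run>.`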
@@ -39,6 +42,10 @@ in
     serviceConfig = {
       DynamicUser = lib.mkForce false;
     };
+    environment = {
+      # make docker build output readable
+      BUILDKIT_PROGRESS = "plain";
+    };
   };
 
   services.gitea-actions-runner = {
@@ -49,6 +56,9 @@ in
         runner = {
           timeout = "12h";
         };
+        #container.network = "host";
+        #container.network = "bridge";
+        #container.docker_host = "unix:///var/run/podman/podman.sock";
       };
       hostPackages = [
         pkgs.bash
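Review bot: The three commented-out `container.network` / `container.docker_host` lines leave the reader guessing which socket the job containers actually use; with `docker_host` unset and podman disabled for this machine elsewhere in the diff, the runner presumably falls back to the default `/var/run/docker.sock`, i.e. the real dockerd. Either drop the dead lines or replace them with one comment stating the resolved behaviour, e.g. `# container.docker_host left at its default: the host's dockerd socket. docker:// labels therefore run under the real docker daemon, not podman.` The `settings` attribute set continues outside the hunk.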
@@ -61,18 +71,30 @@ in
         pkgs.wget
         pkgs.nix
         pkgs.openssh
+        pkgs.podman
+        pkgs.docker
       ];
       url = "https://git.ingolf-wagner.de";
       tokenFile = config.clan.core.facts.services.gitea-runner.secret."gitea-runner.token".path;
       name = "orbi";
 
       labels = [
+        # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+        # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+        # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
+        # If it's empty when registering, it will ask for inputting labels.
+        # If it's empty when execute `daemon`, will use labels in `.runner` file.
+        "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+        "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
+        "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
+
+        # provide native execution on the host
+        "native:host"
+
         # provide a debian base with nodejs for actions
         #"debian-latest:docker://node:18-bullseye"
         # fake the ubuntu name, because node provides no ubuntu builds
         #"ubuntu-latest:docker://node:18-bullseye"
-        # provide native execution on the host
-        "native:host"
       ];
     };
   };
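Review bot: Adding `pkgs.docker` to `hostPackages` alongside the `native:host` label means any workflow this runner picks up can run `docker run --privileged -v /:/host ...` against the host daemon, which is root on orbi; that may be an acceptable trade-off for a single-owner forge, but it belongs in a comment next to the label, e.g. `# WARNING: native:host + docker CLI is root-equivalent for every repo whose jobs land on this runner; keep it scoped to trusted repos/orgs`. The three `docker://gitea/runner-images:*` labels pull by floating tag, so the job image can change underneath the runner without any change here; pinning to a `@sha256:` digest, or a comment on why not, is the usual supply-chain mitigation. `pkgs.podman` is also added although `components.virtualisation.podman.enable = false;` is set for this machine in configuration.nix in the same diff, so the podman CLI appears unused here and could be dropped.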