diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml
index 2513cd8..ddb276d 100644
--- a/.forgejo/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@@ -4,9 +4,4 @@ jobs:
 runs-on: native
 steps:
 - uses: actions/checkout@v4
- - run: echo $PATH
- - run: export PATH=$PATH:/run/current-system/sw/bin
- - run: echo $PATH
- - run: echo $PWD
- - run: ls -la
 - run: nix flake check
diff --git a/machines/orbi/configuration.nix b/machines/orbi/configuration.nix
index 872228e..f781c19 100644
--- a/machines/orbi/configuration.nix
+++ b/machines/orbi/configuration.nix
@@ -9,6 +9,7 @@
 ../../modules
 ./service-forgejo.nix
+ ./service-forgejo-runner.nix
 ./service-hedgedoc.nix
 ./service-photoprism.nix
 ./service-taskserver.nix
diff --git a/machines/orbi/service-forgejo-runner.nix b/machines/orbi/service-forgejo-runner.nix
new file mode 100644
index 0000000..2e4eabc
--- /dev/null
+++ b/machines/orbi/service-forgejo-runner.nix
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, utils, ... }:
+let inherit (utils) escapeSystemdPath;
+in
+{
+
+ virtualisation = {
+ # docker.enable = true;
+ podman.enable = true;
+ };
+
+ #nix.settings.trusted-users = [ "root" "gitea-runner"];
+ nix.settings.allowed-users = [ "*" "gitea-runner" ];
+
+ users.users.gitea-runner = {
+ isSystemUser = true;
+ group = "gitea-runner";
+ };
+ users.groups.gitea-runner = { };
+
+ clanCore.facts.services.gitea-runner = {
+ secret."gitea-runner.token" = { };
+ generator = {
+ prompt = "please enter your gitea-runner password";
+ path = with pkgs; [ coreutils ];
+ script = ''
+ echo "$prompt_value" > "$secrets"/gitea-runner.token
+ '';
+ };
+ };
+
+ systemd.services."gitea-runner-${escapeSystemdPath "git.ingolf-wagner.de"}" = {
+ serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ };
+ };
+
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-runner;
+ instances."git.ingolf-wagner.de" = {
+ enable = true;
+ hostPackages = [
+ pkgs.bash
+ pkgs.coreutils
+ pkgs.curl
+ pkgs.gawk
+ pkgs.gitMinimal
+ pkgs.gnused
+ pkgs.nodejs
+ pkgs.wget
+ pkgs.nix
+ ];
+ url = "https://git.ingolf-wagner.de";
+ tokenFile = config.clanCore.facts.services.gitea-runner.secret."gitea-runner.token".path;
+ name = "fick_deine_mudda";
+ labels = [
+ # provide a debian base with nodejs for actions
+ #"debian-latest:docker://node:18-bullseye"
+ # fake the ubuntu name, because node provides no ubuntu builds
+ #"ubuntu-latest:docker://node:18-bullseye"
+ # provide native execution on the host
+ "native:host"
+ ];
+ };
+ };
+
+}
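Review bot: The `"native:host"` label combined with `DynamicUser = lib.mkForce false` means every workflow step runs directly on the host, outside any container and without systemd's dynamic-user isolation, as the static `gitea-runner` account, so anyone who can trigger a workflow on this instance executes code with that account's rights. Nothing in this file restricts which repositories or users may dispatch jobs; that presumably lives in Forgejo's Actions settings, and the trade-off deserves a comment where the label is declared, e.g. `# native:host runs job steps unsandboxed on the host as gitea-runner (DynamicUser disabled); only enable Actions for trusted repositories`. `podman.enable = true` is currently unused by the runner because both `docker://` labels are commented out, so either drop it or say why it stays. The generator `prompt` asks for a "password" while the value it writes is the registration token consumed via `tokenFile`; `prompt = "please enter your gitea-runner registration token";` matches what the runner actually needs.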