diff --git a/modules/services/forgejo/default.nix b/modules/services/forgejo/default.nix
index 4e57c68..ea5f988 100644
--- a/modules/services/forgejo/default.nix
+++ b/modules/services/forgejo/default.nix
@@ -9,6 +9,33 @@ with lib; let
 inherit (config.my.server) domain proxyIP firewallInterface;
 forgejoDomain = "git.${domain}";
 forgejoUrl = "https://${forgejoDomain}";
+
+ # for nix actions runner
+ storeDeps = pkgs.runCommand "store-deps" {} ''
+ mkdir -p $out/bin
+ for dir in ${
+ toString [
+ pkgs.coreutils
+ pkgs.findutils
+ pkgs.gnugrep
+ pkgs.gawk
+ pkgs.git
+ pkgs.nix
+ pkgs.bash
+ pkgs.jq
+ pkgs.nodejs
+ pkgs.devenv
+ ]
+ }; do
+ for bin in "$dir"/bin/*; do
+ ln -s "$bin" "$out/bin/$(basename "$bin")"
+ done
+ done
+
+ # Add SSL CA certs
+ mkdir -p $out/etc/ssl/certs
+ cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
+ '';
 in {
 options.my.services.forgejo = {
 enable = mkEnableOption "Forgejo";
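Review bot: `for bin in "$dir"/bin/*` in the storeDeps builder runs with bash's default globbing, so a listed package without a `bin/` directory makes the glob expand to itself and `ln -s` creates a dangling `$out/bin/*` link instead of failing; add `shopt -s nullglob` before the outer loop (or guard with `[ -d "$dir/bin" ] || continue`). Conversely, two packages shipping a binary of the same name make the second `ln -s` fail and abort the build under stdenv's `set -e`, with nothing saying which entry is meant to win; `ln -sfn` or an explicit existence check would make that precedence deliberate. The comment `# for nix actions runner` could say what the closure is for, e.g. `# Minimal /bin and /etc/ssl tree that is bind-mounted into the forgejo-runner-nix container (see container.options below)`.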
@@ -59,33 +86,100 @@ in {
 };
 networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port];
+ })
+ (mkIf cfg.actions.enable {
+ # build image // taken from https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
+ # everything here has no dependencies on the store
+ systemd.services.forgejo-runner-nix-image = {
+ wantedBy = ["multi-user.target"];
+ after = ["podman.service"];
+ requires = ["podman.service"];
+ path = [
+ config.virtualisation.podman.package
+ pkgs.gnutar
+ pkgs.shadow
+ pkgs.getent
+ ];
+ # we also include etc here because the cleanup job also wants the nixuser to be present
+ script = ''
+ set -eux -o pipefail
+ mkdir -p etc/nix
+ # Create an unpriveleged user that we can use also without the run-as-user.sh script
+ touch etc/passwd etc/group
+ groupid=$(cut -d: -f3 < <(getent group nixuser))
+ userid=$(cut -d: -f3 < <(getent passwd nixuser))
+ groupadd --prefix $(pwd) --gid "$groupid" nixuser
+ emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
+ useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
+
+ cat < etc/nix/nix.conf
+ accept-flake-config = true
+ experimental-features = nix-command flakes
+ NIX_CONFIG
+
+ cat < etc/nsswitch.conf
+ passwd: files mymachines systemd
+ group: files mymachines systemd
+ shadow: files
+
+ hosts: files mymachines dns myhostname
+ networks: files
+
+ ethers: files
+ services: files
+ protocols: files
+ rpc: files
+ NSSWITCH
+
+ # list the content as it will be imported into the container
+ tar -cv . | tar -tvf -
+ tar -cv . | podman import - forgejo-runner-nix
+ '';
+ serviceConfig = {
+ RuntimeDirectory = "forgejo-runner-nix-image";
+ WorkingDirectory = "/run/forgejo-runner-nix-image";
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ };
+
+ users.users.nixuser = {
+ group = "nixuser";
+ description = "Used for running nix ci jobs";
+ home = "/var/empty";
+ isSystemUser = true;
+ };
+ users.groups.nixuser = {};
+
+ # configure the actions runner itself
 age.secrets.forgejoActions.file = ../../../secrets/forgejo-actions.age;
 services.gitea-actions-runner = mkIf cfg.actions.enable {
 package = pkgs.unstable.forgejo-runner;
 instances.venus = {
 enable = true;
- name = "venus";
+ name = "venus-nix-runner";
 url = forgejoUrl;
 settings = {
- # log = {
- # level = "debug";
- # };
- options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
+ # options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
 runner = {
 capacity = 5;
 timeout = "45m";
 };
 container = {
- privileged = true;
- valid_volumes = ["*"];
- force_pull = false;
+ options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
+ # privileged = true;
+ valid_volumes = [
+ "/nix"
+ "${storeDeps}/bin"
+ "${storeDeps}/etc/ssl"
+ ];
+ # force_pull = false;
 network = "bridge";
 };
 };
 labels = [
- "debian-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
- "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
+ "nix:docker://forgejo-runner-nix"
 ];
 tokenFile = config.age.secrets.forgejoActions.path;
 };
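Review bot: `useradd --prefix $(pwd) -p "$emptypassword" ...` bakes a fixed password hash (an empty-password hash, going by the variable name) into every image's account database, although nothing in the image needs password authentication because the runner starts the container with `--user nixuser`; dropping the `-p "$emptypassword"` argument together with the `emptypassword=` line leaves the account locked by useradd's default and removes a static credential from the config. In `container.options`, `--device /dev/kvm` and `--device=/dev/kvm` pass the same device twice, so keep one and add a comment saying which jobs need KVM. The inner `services.gitea-actions-runner = mkIf cfg.actions.enable {` is now redundant inside the enclosing `(mkIf cfg.actions.enable {` block and can become a plain attribute set. `cat < etc/nix/nix.conf` reads as an input redirect from a file that does not exist yet; if the `<<NIX_CONFIG` and `<<NSSWITCH` heredoc operators were merely lost in rendering this is moot, otherwise the script aborts under `set -e` at the first `cat`. The `(mkIf cfg.actions.enable {` set opened at the top of the hunk closes outside it.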