diff --git a/hosts/nixedo/secrets.nix b/hosts/nixedo/secrets.nix
index c3fa36d6..66281777 100644
--- a/hosts/nixedo/secrets.nix
+++ b/hosts/nixedo/secrets.nix
@@ -2,6 +2,7 @@
   age.secrets = {
     cloudflare.file = ../../secrets/cloudflare.age;
     cloudflared.file = ../../secrets/cloudflared-credentials.age;
+    forgejo-runner-token.file = ../../secrets/forgejo-runner-token.age;
     tubearchivist-env.file = ../../secrets/tubearchivist-env.age;
   };
 }
diff --git a/hosts/nixedo/services/default.nix b/hosts/nixedo/services/default.nix
index 40fdd42d..a7dd42c3 100644
--- a/hosts/nixedo/services/default.nix
+++ b/hosts/nixedo/services/default.nix
@@ -1,3 +1,5 @@
+{ config, pkgs, ... }:
+
 {
   imports = [
     ./homepage
@@ -9,4 +11,15 @@
   services = {
     tailscale.enable = true;
   };
+
+  services.gitea-actions-runner.instances.default = {
+    enable = true;
+
+    labels = [
+      "nixos-host:host"
+    ];
+    name = config.networking.hostName;
+    token = ''$(${pkgs.coreutils}/bin/cat ${config.age.secrets.forgejo-runner-token.path}')'';
+    url = config.services.forgejo.settings.server.ROOT_URL;
+  };
 }
diff --git a/secrets.nix b/secrets.nix
index 59104be0..fed13e5d 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -20,6 +20,10 @@ in
     hosts.nixedo
   ] ++ [ users.opdavies ];
 
+  "secrets/forgejo-runner-token.age".publicKeys = [
+    hosts.nixedo
+  ] ++ [ users.opdavies ];
+
   "secrets/tubearchivist-env.age".publicKeys = [
     hosts.nixedo
     hosts.t480
diff --git a/secrets/forgejo-runner-token.age b/secrets/forgejo-runner-token.age
new file mode 100644
index 00000000..7d90fbe7
Binary files /dev/null and b/secrets/forgejo-runner-token.age differ