diff --git a/hosts/lucent-firepit/webapps/default.nix b/hosts/lucent-firepit/webapps/default.nix
index 0b9ca5a..a0f9617 100644
--- a/hosts/lucent-firepit/webapps/default.nix
+++ b/hosts/lucent-firepit/webapps/default.nix
@@ -28,6 +28,7 @@ in {
           enable = true;
           domain = "git.oat.zone";
           port = 3000;
+          enableActions = true;
         };
 
         matrix.conduit = {
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix
index 4f79b06..b79cedf 100644
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@@ -21,9 +21,15 @@ in {
       type = types.package;
       default = pkgs.unstable.forgejo;
     };
+    enableActions = mkOption {
+      type = types.bool;
+      default = false;
+    };
   };
 
   config = mkIf cfg.enable {
+    virtualisation.docker.enable = cfg.enableActions;
+  
     services = {
       gitea = {
         enable = true;
@@ -44,9 +50,22 @@ in {
             HTTP_PORT = cfg.port;
             ROOT_URL = "https://${cfg.domain}/";
           };
+          "actions" = {
+            ENABLED = cfg.enableActions;
+          };
         }];
       };
 
+      gitea-actions-runner = mkIf cfg.enableActions {
+        instances."#{config.networking.hostName}" = {
+          enable = true;
+          name = "ci";
+          url = "https://${cfg.domain}/";
+          labels = []; # use the packaged instance list
+          token = removeSuffix "\n" (builtins.readFile "/etc/forgejo-runner-token");
+        };
+      };
+
       nginx.virtualHosts."${cfg.domain}" = {
         forceSSL = true;
         enableACME = true;