diff --git a/config/services/default.nix b/config/services/default.nix
index 5d0bc35..5480ae9 100644
--- a/config/services/default.nix
+++ b/config/services/default.nix
@@ -4,6 +4,7 @@
 ./atuin.nix
 ./containers.nix
 ./forgejo.nix
+ ./forgejo-runner.nix
 ./freshrss.nix
 ./geoipupdate.nix
 ./minio.nix
diff --git a/config/services/forgejo-runner.nix b/config/services/forgejo-runner.nix
new file mode 100644
index 0000000..eadfdae
--- /dev/null
+++ b/config/services/forgejo-runner.nix
@@ -0,0 +1,25 @@
+{ config, pkgs, ... }:
+{
+ networking.firewall.trustedInterfaces = [ "podman+" ];
+
+ virtualisation.podman = {
+ enable = true;
+ dockerSocket.enable = true;
+ defaultNetwork.settings = {
+ dns_enabled = true;
+ ipv6_enabled = true;
+ };
+ };
+
+ services.gitea-actions-runner = {
+ package = pkgs.unstable.forgejo-runner;
+ instances.main = {
+ enable = true;
+ name = "main";
+ url = config.services.forgejo.settings.server.ROOT_URL;
+ tokenFile = config.age.secrets."services/forgejo/runner-token".path;
+ labels = [ "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest" ];
+ settings.container.options = "--add-host=${config.services.forgejo.settings.server.DOMAIN}:host-gateway";
+ };
+ };
+}
diff --git a/config/services/forgejo.nix b/config/services/forgejo.nix
index 5fe9a0b..75db013 100644
--- a/config/services/forgejo.nix
+++ b/config/services/forgejo.nix
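Review bot: In config/services/forgejo-runner.nix, `networking.firewall.trustedInterfaces = [ "podman+" ];` makes the host firewall accept all traffic from every podman bridge, so each CI job container can reach any service listening on the host, not only Forgejo and the podman DNS resolver. Because those containers execute workflow code from repositories, I would open only what the runner needs, for example `networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];` and `networking.firewall.interfaces."podman+".allowedTCPPorts = [ 443 ];` (443 is presumed from `forceSSL = true` on the Forgejo vhost; adjust if it listens elsewhere). Separately, the `act-latest` label is a mutable tag pulled from a third-party registry, so pinning the image by digest would stop job images from changing underneath the runner. A short comment above the firewall line stating why the podman interfaces need host access would also help the next reader judge whether the exception is still required.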
@@ -116,23 +116,6 @@ in }; }; - virtualisation.podman = { - enable = true; - dockerSocket.enable = true; - defaultNetwork.settings.dns_enabled = true; - }; - services.gitea-actions-runner = { - package = pkgs.unstable.forgejo-runner; - instances.main = { - enable = true; - name = "main"; - url = config.services.forgejo.settings.server.ROOT_URL; - tokenFile = config.age.secrets."services/forgejo/runner-token".path; - labels = [ "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest" ]; - settings.container.options = "--add-host=code.winston.sh:host-gateway"; - }; - }; - services.nginx.virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = { forceSSL = true; enableACME = false;