diff --git a/.forgejo/workflows/update.yml b/.forgejo/workflows/update.yml
index ba11d3e..156e0ca 100644
--- a/.forgejo/workflows/update.yml
+++ b/.forgejo/workflows/update.yml
@@ -7,7 +7,7 @@ on:
 jobs:
 update:
- runs-on: ubuntu-latest
+ runs-on: fred-nix
 permissions:
 contents: write
diff --git a/common.nix b/common.nix
index 8735c6d..a324269 100644
--- a/common.nix
+++ b/common.nix
@@ -35,6 +35,7 @@
 ./services/adguard.nix
 ./services/router.nix
 ./services/crowdsec.nix
+ ./services/forgejo-runner.nix
 ];
 ### Make build time quicker
diff --git a/services/forgejo-runner.nix b/services/forgejo-runner.nix
new file mode 100644
index 0000000..dd14137
--- /dev/null
+++ b/services/forgejo-runner.nix
@@ -0,0 +1,31 @@
+# services/forgejo-runner.nix — self-hosted Forgejo Actions runner.
+#
+# Registers with forg.gregersen.it and runs jobs in Docker containers.
+# Workflows in this repo target `runs-on: fred-nix`, which maps to the
+# catthehacker ubuntu image (the de-facto compatibility image for running
+# GitHub-style workflows on self-hosted runners).
+#
+# The runner registration token is one-time-use: it must exist at the path
+# below on first activation, after which the runner stores its own auth in
+# /var/lib/gitea-runner. To register:
+#
+ echo 'YOUR_REGISTRATION_TOKEN' | sudo tee /var/secrets/forgejo-runner-token
+ sudo chmod 600 /var/secrets/forgejo-runner-token
+{ config, lib, pkgs, ... }:
+{
+ config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances.default = {
+ enable = true;
+ name = "mediaserver";
+ url = "https://forg.gregersen.it";
+ tokenFile = "/var/secrets/forgejo-runner-token";
+ labels = [
+ "fred-nix:docker://catthehacker/ubuntu:act-latest"
+ ];
+ };
+ };
+ };
+}
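Review bot: The registration instruction in the header of services/forgejo-runner.nix (`echo 'YOUR_REGISTRATION_TOKEN' | sudo tee /var/secrets/forgejo-runner-token`) writes a bare token, but the NixOS `services.gitea-actions-runner` module documents `instances.<name>.tokenFile` as an environment file that must define a `TOKEN` variable; if that holds for the module revision in use, first-boot registration will fail and the comment should read `echo 'TOKEN=YOUR_REGISTRATION_TOKEN' | sudo tee /var/secrets/forgejo-runner-token`. The `fred-nix:docker://…` label hands every job dispatched to this runner the host's Docker daemon, which is root-equivalent on a machine that common.nix also uses for the router, adguard and crowdsec services, and update.yml now routes a `contents: write` job here; the header should state that trust boundary and the registration should be scoped to the repositories that need it rather than instance-wide, so that only workflows you control can land on this host. As rendered, the two shell lines in the header appear without the leading `#`; if that is how the file is on disk, Nix will reject it before reaching `{ config, lib, pkgs, ... }:`.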