diff --git a/modules/servers/per-server/freyja/default.nix b/modules/servers/per-server/freyja/default.nix
index 2d49c50..ba6f547 100644
--- a/modules/servers/per-server/freyja/default.nix
+++ b/modules/servers/per-server/freyja/default.nix
@@ -9,6 +9,7 @@ in {
   imports =
     [
       ../../common
+      ./secrets.nix
     ]
     ++ hostModules;
 }
diff --git a/modules/servers/per-server/freyja/secrets.nix b/modules/servers/per-server/freyja/secrets.nix
new file mode 100644
index 0000000..f3e7d9e
--- /dev/null
+++ b/modules/servers/per-server/freyja/secrets.nix
@@ -0,0 +1,9 @@
+{
+  age = {
+    secrets = {
+      forgejo-runner-token = {
+        file = ../../../../secrets/forgejo-runner-token.age;
+      };
+    };
+  };
+}
diff --git a/modules/servers/per-server/freyja/services/forgejo-runner.nix b/modules/servers/per-server/freyja/services/forgejo-runner.nix
new file mode 100644
index 0000000..07e7786
--- /dev/null
+++ b/modules/servers/per-server/freyja/services/forgejo-runner.nix
@@ -0,0 +1,25 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+    instances.default = {
+      enable = true;
+      name = "monolith";
+      url = "https://git.cronyakatsuki.xyz";
+      # Obtaining the path to the runner token file may differ
+      # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
+      tokenFile = config.age.secrets.forgejo-runner-token.path;
+      labels = [
+        "ubuntu-latest:docker://node:16-bullseye"
+        "ubuntu-22.04:docker://node:16-bullseye"
+        "ubuntu-20.04:docker://node:16-bullseye"
+        "ubuntu-18.04:docker://node:16-buster"
+        ## optionally provide native execution on the host:
+        "native:host"
+      ];
+    };
+  };
+}
diff --git a/secrets/forgejo-runner-token.age b/secrets/forgejo-runner-token.age
new file mode 100644
index 0000000..106326e
--- /dev/null
+++ b/secrets/forgejo-runner-token.age
@@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-ed25519 2P4nKw 6CXlYKfRELtM9lE3HPwyX8paUEqdq1F/YxB/rHtv/Hw
+MGDd7G/xGGEEJ4FLbfsZJIaUsznwRZZoQ7giVoafKEY
+-> ssh-ed25519 l/ODWA xEpu4YLSwnb7bp6hLLlBHjmAs9GAFE01kcyhpD4ooWA
+mqYAWi0HKyvgtseJ2f7g4rW0G+LHBVH31RG86UMoolI
+-> ssh-ed25519 7+5K3Q S7AJuGnSUO/TZ40fWnmSJN02oR1c84UnZ0cRPLT62Hc
+0IKCOawbLeXBHsdVDk9KSDUT3AwB/0vsRitLn7RJ6Es
+-> ssh-ed25519 Ow0TGw 2stE3ES2jl9n6t86+nyuqZ2Yeh0C2XWmXr5+HNZ5H2Y
+3C3FZ6jVUyJ1Af6P6kZZYmWiXJ4Gd4V/Az8dKk1IbAg
+-> ssh-ed25519 cEINMA AF8fxir8WyhwNPkcjILCeQkrpcMG0oXEF0u15RpSFF0
+F9MlXYcPuoidHLrQzCOkgeQVc40h8t2aCP0qdYWuVpc
+-> ssh-ed25519 qbMKrQ JzQh1uPdITf0VdsgCH4UYkavfoncOmobgEp3N2IehG4
+7vh/sGnFBIxckxHTnjNaTAAXINH/xPeb7fKX0R2wgPg
+-> ssh-ed25519 Z0mAzw TVO8g5CaaJS+/sn/fxgDPbMy9JNMUrgHhW3TgzyfKhg
+QmfjgU10CJebV1evV5myZHZ3v0J6Qf6Vp2Iv1OkNg7c
+-> ssh-ed25519 GNZYRg b5FwNS2yEFYTP6XshP3w3h7ofiRRuVAHJJGqUxWy8Xo
+g+/1/e6CAhA96qK55jF3poCUuKV0BbecSb6bcKE9FD4
+-> ssh-ed25519 fd/ZLQ STF8rS7Kb3ZXHVteSEl5HDKceqgIgKDbSOYU7sA2bzw
+YxWXgCdzSvgBShTUMH1CZnxKAG1kzNoObW80cXyfNq0
+-> ssh-ed25519 zQBiZw +iRG/N5bBSGflrb5Zi4wzNmq7GTt/O/A9xHwGs12L1I
+p12J0VmSTit+yPq0AUjF0+6laCSeHte5MTNBqhIkYW8
+--- heq+uzmYk2bdNLlLN1sqdH1Odjch/EYHk07ZZmFVtZE
+C�{{��߸ϴ�{	�h8���'�n��Z�t��9�/�.k�pkWf<<W�vͅ����F�G	�/B��x��5�Qr
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index ebc8acb..c1093fa 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -46,4 +46,5 @@ in {
   "linkwarden.age".publicKeys = systems ++ users;
   "linkwarden-db.age".publicKeys = systems ++ users;
   "paperless-ngx.age".publicKeys = systems ++ users;
+  "forgejo-runner-token.age".publicKeys = systems ++ users;
 }