diff --git a/infra/flake-part.nix b/infra/flake-part.nix
index 9d2b246a..8de9dd19 100644
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@@ -167,6 +167,10 @@ in
 {
 _class = "flake";
 
+ # NOTE: `forgejo-ci`, being a physical machine and not a Proxmox VM, gets
+ # custom treatment.
+ imports = [ ./forgejo-ci/flake-part.nix ];
+
 ## - Each normal or test machine gets a NixOS configuration.
 ## - Each normal or test machine gets a VM options entry.
 ## - Each normal machine gets a deployment.
diff --git a/infra/forgejo-ci/flake-part.nix b/infra/forgejo-ci/flake-part.nix
new file mode 100644
index 00000000..09978803
--- /dev/null
+++ b/infra/forgejo-ci/flake-part.nix
@@ -0,0 +1,58 @@
+{
+ lib,
+ inputs,
+ sources,
+ keys,
+ secrets,
+ ...
+}:
+
+## NOTE: Hackish solution mostly taken from `../common/resource.nix`.
+## Eventually, `forgejo-ci` should move to a datacentre somewhere and this code
+## should be integrated with the code for other machines (in particular VMs).
+
+let
+ inherit (lib) attrValues elem;
+ inherit (lib.attrsets) concatMapAttrs optionalAttrs;
+ inherit (lib.strings) removeSuffix;
+
+ hostPublicKey = keys.systems.forgejo-ci;
+in
+{
+ _class = "flake";
+
+ nixops4Deployments.forgejo-ci =
+ { providers, ... }:
+ {
+ providers.local = inputs.nixops4.modules.nixops4Provider.local;
+
+ resources.forgejo-ci = {
+ type = providers.local.exec;
+ imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
+
+ ssh = {
+ host = "forgejo-ci";
+ hostPublicKey = hostPublicKey;
+ };
+
+ nixpkgs = inputs.nixpkgs;
+
+ nixos.module = {
+ imports = with sources; [
+ "${agenix}/modules/age.nix"
+ "${disko}/module.nix"
+ ./configuration.nix
+ ];
+
+ age.secrets = concatMapAttrs (
+ name: secret:
+ optionalAttrs (elem hostPublicKey secret.publicKeys) {
+ ${removeSuffix ".age" name}.file = secrets.rootPath + "secrets/${name}";
+ }
+ ) secrets.mapping;
+
+ users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+ };
+ };
+ };
+}
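Review bot: `users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;` gives every contributor key root login on a physical host that, per the machines table in this commit, runs Forgejo Actions jobs; if those jobs can come from untrusted branches this is a wider blast radius than on a re-imageable VM, and the file does not say the choice is deliberate. I would either narrow the list to the people who operate the runner or state the intent above that line: `# Every contributor gets root here, as on the VMs (see ../common/resource.nix); revisit before the runner accepts jobs from untrusted branches.` The same goes for `age.secrets`, which deploys every secret whose `publicKeys` lists this host, so a comment that only secrets meant for the runner should be keyed to `keys.systems.forgejo-ci` would help the next person re-keying secrets. On style, `hostPublicKey = hostPublicKey;` and `nixpkgs = inputs.nixpkgs;` can be `inherit hostPublicKey;` and `inherit (inputs) nixpkgs;`, matching the `inherit` form used in the `let` block.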
diff --git a/keys/systems/forgejo-ci.pub b/keys/systems/forgejo-ci.pub
new file mode 100644
index 00000000..d783c4b6
--- /dev/null
+++ b/keys/systems/forgejo-ci.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A
diff --git a/machines/machines.md b/machines/machines.md
index e2c49c0c..fd4c49af 100644
--- a/machines/machines.md
+++ b/machines/machines.md
@@ -11,5 +11,6 @@ Machine | Proxmox | Description
 [`fedi201`](./fedi201) | fediversity | FediPanel
 [`vm02116`](./vm02116) | procolix | Forgejo
 [`vm02187`](./vm02187) | procolix | Wiki
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 
 This table excludes all machines with names starting with `test`.
diff --git a/machines/machines.md.sh b/machines/machines.md.sh
index d523e127..fed3e2f0 100644
--- a/machines/machines.md.sh
+++ b/machines/machines.md.sh
@@ -37,6 +37,7 @@ for machine in $(echo "$vmOptions" | jq -r 'keys[]'); do
 done
 
 cat <<\EOF
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 
 This table excludes all machines with names starting with `test`.
 EOF
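Review bot: The hard-coded row added to the heredoc in `machines.md.sh` is written with leading and trailing pipes, while the rows visible in `machines/machines.md` (for example the `vm02187` line, which reads `[...](./vm02187) | procolix | Wiki`) use neither and link the machine name, so the generated table will mix two row formats; the new line should follow the existing shape, e.g. `forgejo-ci (in backticks) | n/a (physical) | Forgejo actions runner` without the outer pipes. A one-line comment above it, such as `# forgejo-ci is a physical machine with no vmOptions entry, so it is listed by hand`, would explain why this row does not come from the loop. The `for` loop that produces the other rows starts before this hunk.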