diff --git a/infra/common/nixos/default.nix b/infra/common/nixos/default.nix
index 54b1dff3..71b08426 100644
--- a/infra/common/nixos/default.nix
+++ b/infra/common/nixos/default.nix
@@ -23,4 +23,9 @@ in
   nix.extraOptions = ''
     experimental-features = nix-command flakes
   '';
+
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
 }
diff --git a/infra/common/proxmox-qemu-vm.nix b/infra/common/proxmox-qemu-vm.nix
index 06d05e87..b100a6d5 100644
--- a/infra/common/proxmox-qemu-vm.nix
+++ b/infra/common/proxmox-qemu-vm.nix
@@ -6,11 +6,6 @@
   imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
 
   boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-
     initrd = {
       availableKernelModules = [
         "ata_piix"
diff --git a/keys/systems/forgejo-ci.pub b/keys/systems/forgejo-ci.pub
new file mode 100644
index 00000000..d783c4b6
--- /dev/null
+++ b/keys/systems/forgejo-ci.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A
diff --git a/machines/dev/forgejo-ci/default.nix b/machines/dev/forgejo-ci/default.nix
new file mode 100644
index 00000000..569cbb4b
--- /dev/null
+++ b/machines/dev/forgejo-ci/default.nix
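Review bot: Placing `boot.loader` in the shared `infra/common/nixos/default.nix` makes `systemd-boot.enable = true` and `efi.canTouchEfiVariables = true` unconditional for every consumer of this module (presumably including the physical `forgejo-ci` host added in this commit), so a machine that does not boot via UEFI, or that must not write EFI NVRAM, can no longer opt out without `mkForce`. Since this is a defaults module, I would set both values with `lib.mkDefault` (assuming `lib` is in scope in the enclosing `let`), e.g. `systemd-boot.enable = lib.mkDefault true;` and `efi.canTouchEfiVariables = lib.mkDefault true;`, so a per-machine module can override them by plain assignment. The enclosing attribute set starts before the hunk.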
@@ -0,0 +1,66 @@
+{
+  lib,
+  ...
+}:
+{
+  _class = "nixops4Resource";
+
+  # XXX this needs an SSH config entry `forgejo-ci` to locate and access the machine. also needs `HostKeyAlias`.
+  ssh.host = lib.mkForce "forgejo-ci";
+
+  fediversityVm = {
+    domain = "procolix.com";
+
+    ipv4 = {
+      interface = "enp1s0f0";
+      address = "192.168.201.65";
+      prefixLength = 24;
+      gateway = "192.168.201.1";
+    };
+    ipv6.enable = false;
+  };
+
+  nixos.module =
+    {
+      config,
+      lib,
+      ...
+    }:
+    let
+      inherit (lib) mkDefault mkForce;
+    in
+    {
+      _class = "nixos";
+
+      imports = [
+        ./forgejo-actions-runner.nix
+      ];
+
+      hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
+
+      networking = {
+        nftables.enable = mkForce false;
+        hostId = "1d6ea552";
+      };
+
+      ## NOTE: This is a physical machine, so is not covered by disko
+      fileSystems."/" = {
+        device = "rpool/root";
+        fsType = "zfs";
+      };
+
+      fileSystems."/home" = {
+        device = "rpool/home";
+        fsType = "zfs";
+      };
+
+      fileSystems."/boot" = {
+        device = "/dev/disk/by-uuid/50B2-DD3F";
+        fsType = "vfat";
+        options = [
+          "fmask=0077"
+          "dmask=0077"
+        ];
+      };
+    };
+}
diff --git a/machines/dev/forgejo-ci/forgejo-actions-runner.nix b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
new file mode 100644
index 00000000..bb6928cc
--- /dev/null
+++ b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
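Review bot: `networking.nftables.enable = mkForce false;` switches this host off the nftables firewall backend with no comment saying why, and because it is `mkForce` it silently overrides whatever the common modules set, on a machine that sits directly on a LAN interface and will execute CI jobs. I would add a why-comment above the line, e.g. `## Docker (enabled in forgejo-actions-runner.nix) manages its own iptables rules and is presumably incompatible with the nftables backend; the iptables-based firewall itself stays enabled.`, and confirm that `networking.firewall.enable` is not disabled anywhere else for this host. The `# XXX` note about the required SSH config entry and `HostKeyAlias` should also say where that entry is expected to live, since deployment silently depends on it.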
@@ -0,0 +1,47 @@
+{ pkgs, config, ... }:
+
+{
+  _class = "nixos";
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+
+    instances.default = {
+      enable = true;
+
+      name = config.networking.fqdn;
+      url = "https://git.fediversity.eu";
+      tokenFile = config.age.secrets.forgejo-runner-token.path;
+
+      settings = {
+        log.level = "info";
+        runner = {
+          file = ".runner";
+          # Take only 1 job at a time to avoid clashing NixOS tests, see #362
+          capacity = 1;
+          timeout = "3h";
+          insecure = false;
+          fetch_timeout = "5s";
+          fetch_interval = "2s";
+        };
+      };
+
+      ## This runner supports Docker (with a default Ubuntu image) and native
+      ## modes. In native mode, it contains a few default packages.
+      labels = [
+        "docker:docker://node:16-bullseye"
+        "native:host"
+      ];
+
+      hostPackages = with pkgs; [
+        bash
+        git
+        nix
+        nodejs
+      ];
+    };
+  };
+
+  ## For the Docker mode of the runner.
+  virtualisation.docker.enable = true;
+}
diff --git a/machines/machines.md b/machines/machines.md
index fd3d6978..72204328 100644
--- a/machines/machines.md
+++ b/machines/machines.md
@@ -11,5 +11,6 @@ Machine | Proxmox | Description
 [`fedi201`](./dev/fedi201) | fediversity | FediPanel
 [`vm02116`](./dev/vm02116) | procolix | Forgejo
 [`vm02187`](./dev/vm02187) | procolix | Wiki
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 
 This table excludes all machines with names starting with `test`.
diff --git a/machines/machines.md.sh b/machines/machines.md.sh
index a095ed82..c5584b4b 100644
--- a/machines/machines.md.sh
+++ b/machines/machines.md.sh
@@ -37,6 +37,7 @@ for machine in $(echo "$vmOptions" | jq -r 'keys[]'); do
 done
 
 cat <<\EOF
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 
 This table excludes all machines with names starting with `test`.
 EOF
diff --git a/secrets/forgejo-runner-token.age b/secrets/forgejo-runner-token.age
index 7b99e673..82e8efcb 100644
Binary files a/secrets/forgejo-runner-token.age and b/secrets/forgejo-runner-token.age differ
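Review bot: The `native:host` label lets any workflow scheduled on this runner execute unsandboxed on the host as the runner's service account, and with `virtualisation.docker.enable = true` for the `docker://` label that account most likely also gets Docker socket access (root-equivalent) — yet nothing in the hunk records which repositories or organisation the registration token scopes the runner to. I would add a comment above `labels`, e.g. `## SECURITY: native:host runs jobs directly on this machine with the runner's privileges; only register this runner for trusted repos/orgs, never for untrusted pull requests.`, and verify that the token in `forgejo-runner-token` is repository- or organisation-scoped rather than instance-wide. The default image `node:16-bullseye` is also end-of-life upstream and no longer receives security fixes, so a currently maintained tag would be preferable for the Docker mode.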
diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 167234d4..88d1bb03 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -26,7 +26,7 @@ concatMapAttrs { forgejo-database-password = [ vm02116 ]; forgejo-email-password = [ vm02116 ]; - forgejo-runner-token = [ ]; + forgejo-runner-token = [ forgejo-ci ]; panel-secret-key = [ fedi201 ]; panel-ssh-key = [ fedi201 ]; wiki-basicauth-htpasswd = [ vm02187 ];
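Review bot: `forgejo-ci` is used as a bare identifier on the new right-hand side of `forgejo-runner-token`, but nothing in this diff binds it — the only related addition is the file `keys/systems/forgejo-ci.pub`. If the `let` block of `secrets/secrets.nix` derives its bindings from `keys/systems/*.pub` (not visible from here) this is fine; otherwise evaluation fails with an undefined variable and agenix cannot rekey `forgejo-runner-token.age`. Either way a one-line comment, `## recipient: keys/systems/forgejo-ci.pub (host key of the physical CI machine)`, would make the link between the secret and its recipient explicit. The enclosing attribute set and its `let` block start before the hunk.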