diff --git a/secrets/mcp.yaml b/secrets/mcp.yaml
index 451e4ff..6852f8c 100644
--- a/secrets/mcp.yaml
+++ b/secrets/mcp.yaml
@@ -1,4 +1,6 @@
-gitea_db_password: ENC[AES256_GCM,data:G2YqiDk0msBRjUJkoPxWmayQ9dI=,iv:FsojIJIi61K7rD2VULDgIx6uSYX3iDiA6W744HlgHl0=,tag:BlmsM7LZHnBCKtfuqlhoKA==,type:str]
+gitea:
+ db_password: ENC[AES256_GCM,data:12FYMsc8HdTMdPegoPLCidaHMMU=,iv:Uat0g7Nvota1yvj6InIAo7Dzv3cBtVVzlRa1d09gx1s=,tag:sFavpAHW0k/Fv1uzPVuGcA==,type:str]
+ registration_token: ENC[AES256_GCM,data:zYfFATOuqACrGUyt6xPhiisz293uomKc6BLPKz8I+MFFBrBdzT9FqA==,iv:gyp2WsUHMMrNBmssWGPLSJmZqlAtopc6HeAtX9+oCXs=,tag:mLEPTapn7OM3bm5c9TKB0A==,type:str]
 bookstack_app_key: ENC[AES256_GCM,data:N79JVlQSoVCXOsIHCxd19HFm6LkrYyXQu/xWenEdUlQWqwZEi3PuHXG7fQgvzQY4KI7S,iv:cd2l2eOv+wAJ5sih3YhHgQTdy1qrvaIsoHcywOnHuYM=,tag:5QvCHlQX8wUz3tI2NXl+8A==,type:str]
 bookstack_db: ENC[AES256_GCM,data:m8fGgAfmJu1rEaxmTVH4FfBhyiU=,iv:OnBT/6sp9zmcJ1+kBmdmvaE630hifxBpvKnu3XrVXcE=,tag:SSVQcYkAymlbFOnf0MB6KA==,type:str]
 mariadb_root_password: ENC[AES256_GCM,data:p965ZhFQqqX+Ub1yhgklVYlBH6A=,iv:qC5WwTvZGvlbAkYiv35xHizMYAnP0V0Vw79EkvL32wQ=,tag:gOJQvHeOC9turFKOMQ9DNg==,type:str]
@@ -33,8 +35,8 @@ sops:
 by9aNFY4dXNxaWxnTXFTQS9reHhuQWMKh5rZ93nFtBV9EpFVRp+E+GXZ6xzVy2Jw
 vFh4deGcAb60q4odSaeWfk1Dr7L9Ua69oK9omjbCNUt+P7Kwlfca7Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-04-24T23:16:22Z"
- mac: ENC[AES256_GCM,data:NY9uhBwukENyny0lSnYDrdRDlAm5o0kGBs8Tes4x3/dofWibl9HqHobilg4qrLFzwCgQsgyPAFoRKV7ZVQ25YHjXM4YnoFVmUASfyTfoejWet/J3HwOO1xNkX8N6iYWJRYHOWaKMm46ZvkjmqAB0N6L7Z/8Uk7b09HoAxJ3aVHA=,iv:kI3kv0e9kcc8cb4H+YCnQYs7qDbucQYo264lz4zR/2E=,tag:ELqxtawXwhEPBncDz3REVA==,type:str]
+ lastmodified: "2025-04-28T23:33:42Z"
+ mac: ENC[AES256_GCM,data:cZkRcGV5/CPPVUdTDekwC8UjO6K348sBsS7NvR8wnoXS0AmSZsqN594nkvoc0VccM55Hwnm4jZxY56OV+UFMya1IRIkTo6LJRb88/CgZ8bjz30ACe33FKgJfCugimUDKsekbgNX1UFg1DVbqYK9/N4fcEBSxV3Xmzy5QGnQ/8KU=,iv:EprUHNtU5w7569ADMOxw+izDAL22A5OrB12T9iyHxKU=,tag:kRvyUEZwd/RttKdFOY2bJQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.4
diff --git a/system/hosts/mcp/containers/gitea.nix b/system/hosts/mcp/containers/gitea.nix
index 165d968..6503414 100644
--- a/system/hosts/mcp/containers/gitea.nix
+++ b/system/hosts/mcp/containers/gitea.nix
@@ -1,24 +1,40 @@
 { config, ... }:
 let
- inherit (import ./lib.nix config) hostRule blazestar;
+ inherit (import ./lib.nix config) mkContainer blazestar;
 in
 {
- virtualisation.oci-containers.containers.gitea = {
+ sops.secrets = {
+ "gitea/db_password" = {
+ restartUnits = [ "podman-gitea.service" ];
+ };
+ "gitea/registration_token" = {
+ restartUnits = [ "podman-gitea-runner.service" ];
+ };
+ };
+
+ sops.templates."gitea.env".content = ''
+ GITEA__database__DB_TYPE="postgres"
+ GITEA__database__HOST="db"
+ GITEA__database__NAME="gitea"
+ GITEA__database__USER="gitea"
+ GITEA__database__PASSWD="${config.sops.placeholder."gitea/db_password"}"
+ '';
+
+ virtualisation.oci-containers.containers.gitea = mkContainer {
 image = "gitea/gitea:latest-rootless";
- autoStart = true;
 dependsOn = [ "db" ];
- extraOptions = [
- "-l=traefik.enable=true"
- "-l=traefik.http.routers.gitea.rule=${hostRule "git" blazestar}"
- "-l=traefik.http.services.gitea.loadbalancer.server.port=3000"
- "-l=homepage.group=Apps"
- "-l=homepage.name=Gitea"
- "-l=homepage.icon=gitea.png"
- "-l=homepage.href=https://git.${blazestar}"
- "-l=homepage.description=Git Server"
- ];
+ hostName = "git";
+ domain = blazestar;
+ public = true;
+ port = 3000;
+ homepageOpts = {
+ name = "Gitea";
+ icon = "gitea.png";
+ description = "Git Server";
+ group = "Apps";
+ };
 ports = [ "2222:2222" ];
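Review bot: The `gitea.env` template wraps every value in double quotes (`GITEA__database__PASSWD="${config.sops.placeholder."gitea/db_password"}"`), while the `gitea-runner.env` template in the next hunk writes bare values; container env files are not shell-parsed, so the quotes may reach the application as part of the value, and a password that itself contains a `"` would corrupt the line. Pick one convention, preferably the bare form `GITEA__database__PASSWD=${config.sops.placeholder."gitea/db_password"}` for the secret-bearing entry, and add a comment above the template saying that the rendered file holds the database password in clear, so its on-disk permissions matter. The `mkContainer` attribute set opened here continues past the end of the hunk.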
@@ -36,14 +52,21 @@ in
 ];
 };
- sops.secrets."gitea_db_password" = {
- restartUnits = [ "podman-gitea.service" ];
- };
- sops.templates."gitea.env".content = ''
- GITEA__database__DB_TYPE="postgres"
- GITEA__database__HOST="db"
- GITEA__database__NAME="gitea"
- GITEA__database__USER="gitea"
- GITEA__database__PASSWD="${config.sops.placeholder."gitea_db_password"}"
+ sops.templates."gitea-runner.env".content = ''
+ GITEA_RUNNER_NAME=MCP
+ GITEA_INSTANCE_URL=https://git.${blazestar}
+ GITEA_RUNNER_REGISTRATION_TOKEN=${config.sops.placeholder."gitea/registration_token"}
 '';
+
+ virtualisation.oci-containers.containers.gitea-runner = {
+ image = "gitea/act_runner:latest";
+ autoStart = true;
+ environmentFiles = [
+ config.sops.templates."gitea-runner.env".path
+ ];
+ volumes = [
+ # The runner will spawn new containers to run the actions
+ "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
+ ];
+ };
 }
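Review bot: The bind mount of `/var/run/podman/podman.sock` into the new `gitea-runner` container hands every workflow job this runner executes control of the host's podman API, and the `:ro` flag only makes the mount node read-only, it does not restrict what can be requested over the socket. The existing comment should state that trust boundary rather than just the mechanism, e.g. `# Host podman socket: any job scheduled on this runner can create containers on the host; ":ro" does not limit the API, so restrict which repositories may use this runner`, and a rootless socket or a runner-specific podman instance is worth considering. `image = "gitea/act_runner:latest"` is also unpinned, so the runner image changes silently on the next pull; a tag or digest pin would make updates deliberate. Finally, the runner has no `dependsOn = [ "gitea" ]` even though it registers against `https://git.${blazestar}`, so on a cold boot it may start before the instance it needs.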