diff --git a/secrets/gitea-runner-gospel.age b/secrets/gitea-runner-gospel.age
new file mode 100644
index 0000000..c902be2
Binary files /dev/null and b/secrets/gitea-runner-gospel.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e2ad489..b9696db 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -17,4 +17,5 @@ in {
   "teslamate_mqtt.age".publicKeys = [users.me machines.pi4 machines.node machines.gospel];
   "teslamate_encryption.age".publicKeys = [users.me machines.node machines.gospel];
   "hydra-aws-creds.age".publicKeys = [users.me machines.gospel];
+  "gitea-runner-gospel.age".publicKeys = [users.me machines.gospel];
 }
diff --git a/systems/x86_64-linux/gospel/default.nix b/systems/x86_64-linux/gospel/default.nix
index 02c35c3..bc8ffb3 100644
--- a/systems/x86_64-linux/gospel/default.nix
+++ b/systems/x86_64-linux/gospel/default.nix
@@ -9,6 +9,7 @@
   ];
 
   age.secrets.cf_dns_kilonull.file = ../../../secrets/cf_dns_kilonull.age;
+  age.secrets.gitea-runner-gospel.file = ../../../secrets/gitea-runner-gospel.age;
 
   aa = {
     nix.enable = true;
@@ -62,6 +63,20 @@
     system.monitoring.enable = true;
   };
 
+  services.gitea-actions-runner.instances = {
+    gospel = {
+      enable = true;
+      name = config.networking.hostName;
+      url = "https://gitea.kilonull.com";
+      tokenFile = config.age.secrets.gitea-runner-gospel.path;
+      labels = [
+        "ubuntu-latest:docker://node:16-bullseye"
+        "ubuntu-22.04:docker://node:16-bullseye"
+        "ubuntu-20.04:docker://node:16-bullseye"
+        "ubuntu-18.04:docker://node:16-buster"
+      ];
+    };
+  };
   virtualisation = {
     libvirtd.enable = true;