diff --git a/.forgejo/workflows/demo.yml b/.forgejo/workflows/demo.yml
new file mode 100644
index 0000000..d470cda
--- /dev/null
+++ b/.forgejo/workflows/demo.yml
@@ -0,0 +1,6 @@
+on: [push]
+jobs:
+ test:
+ runs-on: docker
+ steps:
+ - run: echo All Good
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 8eb4f4a..f77f682 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,5 +10,6 @@ let
 in
 {
 "forgejo-runner-token.age".publicKeys = [ tbarnouin forgejo ];
+ "../services/forgejo-runner/secrets/forgejo-runner-token.age".publicKeys = [ tbarnouin forgejo ];
 }
diff --git a/services/forgejo-runner/default.nix b/services/forgejo-runner/default.nix
index aa56d0c..f7b39fe 100644
--- a/services/forgejo-runner/default.nix
+++ b/services/forgejo-runner/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, agenix, ... }:
 let
 cfg = config.services.vm_forgejo;
 in
@@ -7,12 +7,19 @@ in
 enable = lib.mkEnableOption "Enable Forgejo service";
 };
 config = lib.mkIf cfg.enable {
- age.secrets.forgejo-runner-token.file = ./secrets/forgejo-runner-token.age;
+ users.users.gitea-runner = {
+ isNormalUser = true;
+ };
+ age.secrets.forgejo-runner-token = {
+ file = ./secrets/forgejo-runner-token.age;
+ mode = "0660";
+ owner = "root";
+ };
 services.gitea-actions-runner = {
 package = pkgs.forgejo-actions-runner;
 instances.default = {
 enable = true;
- name = "monolith";
+ name = "nixos-runner";
 url = "https://git.le43.eu";
 tokenFile = config.age.secrets.forgejo-runner-token.path;
 labels = [
diff --git a/services/forgejo-runner/secrets/forgejo-runner-token.age b/services/forgejo-runner/secrets/forgejo-runner-token.age
index 451b4ed..c44487e 100644
Binary files a/services/forgejo-runner/secrets/forgejo-runner-token.age and b/services/forgejo-runner/secrets/forgejo-runner-token.age differ
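Review bot: The new `"../services/forgejo-runner/secrets/forgejo-runner-token.age"` rule in secrets/secrets.nix is added next to the existing `"forgejo-runner-token.age"` rule instead of replacing it, so the recipient list for what looks like the same runner token now lives in two entries that can drift apart. If the copy under `secrets/` is no longer deployed, drop the old entry and its file, so that a later re-key cannot leave a stale ciphertext that a retired key can still decrypt. A one-line comment above the new rule, such as `# consumed by services/forgejo-runner/default.nix`, would explain why the path leaves the `secrets/` directory. The `let` bindings that define `tbarnouin` and `forgejo` are outside the hunk.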
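Review bot: `agenix` is added to the module arguments in the first hunk of services/forgejo-runner/default.nix, but nothing in the visible lines uses it; `age.secrets` is set as an ordinary option and `config.age.secrets…path` is read from `config`. Unless code outside these hunks needs the argument, keep the header as `{ config, pkgs, lib, ... }:` so the module does not appear to depend on an extra input.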
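Review bot: In the second hunk of services/forgejo-runner/default.nix, the `gitea-runner` account is declared with `isNormalUser = true;`, which gives a service identity a home directory, a login shell and membership of the `users` group. For a CI runner that executes repository-controlled jobs, `isSystemUser = true;` with a dedicated `group = "gitea-runner";` is the tighter choice. The secret block sets `mode = "0660";` with `owner = "root";`, which makes the registration token group-readable and group-writable without granting the runner user any access, and is looser than the agenix default of `0400`; `mode = "0400";` (or dropping `mode` and `owner`) keeps it root-only. This assumes the runner module loads `tokenFile` through systemd rather than as the service user, which should be confirmed against the module in use. The `config` block and the `labels` list continue past the end of the hunk.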