diff --git a/flake.nix b/flake.nix
index 02472df..2bda38f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -70,6 +70,23 @@
             }
           ];
         };
+        forgejo-runner = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            agenix.nixosModules.default
+            "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
+            "${inputs.self}/services"
+            {
+              networking.hostName = "forgejo-runner";
+              services.vm_forgejo = {
+                enable = true;
+              };
+              services.lxc = {
+                enable = true;
+              };
+            }
+          ];
+        };
         jellyfin = nixpkgs.lib.nixosSystem {
           inherit system;
           modules = [
diff --git a/services/minimalConfig/default.nix b/services/minimalConfig/default.nix
index 5ee889f..e62bfea 100644
--- a/services/minimalConfig/default.nix
+++ b/services/minimalConfig/default.nix
@@ -28,6 +28,7 @@
     options = "--delete-older-than 7d";
   };
 
+  age.secrets.initialPassword.file  = ./secrets/initialPassword.age;
   security.sudo.wheelNeedsPassword = false;
   users = {
     users.tbarnouin = {
@@ -38,6 +39,7 @@
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr"
       ];
+      initialPassword = config.age.initialPassword.path;
     };
     users.root = {
       openssh.authorizedKeys.keys = [