diff --git a/flake.lock b/flake.lock
index bca9718..de6ad64 100644
--- a/flake.lock
+++ b/flake.lock
@@ -262,11 +262,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1753450574,
-        "narHash": "sha256-+aP5yejjs8Q/ryGO3I7eS/0aMFdkUk8OT1TiMC1uyk4=",
+        "lastModified": 1753458351,
+        "narHash": "sha256-wsZQkEA3YYouRu7wjepetS6rnwLEr00wMpIQsxbZNTU=",
         "ref": "refs/heads/main",
-        "rev": "cf0eec50d087704012bee8cfa0bab39b46b1cde7",
-        "revCount": 24,
+        "rev": "6ce176beb34bfe0ac65131564c1fa3f5d0aca1fe",
+        "revCount": 26,
         "type": "git",
         "url": "https://git.karaolidis.com/karaolidis/nix-secrets.git"
       },
diff --git a/hosts/common/configs/user/gui/vscode/default.nix b/hosts/common/configs/user/gui/vscode/default.nix
index cbb4637..054face 100644
--- a/hosts/common/configs/user/gui/vscode/default.nix
+++ b/hosts/common/configs/user/gui/vscode/default.nix
@@ -63,7 +63,7 @@ in
           "files.trimTrailingWhitespace" = true;
           "git.allowForcePush" = true;
           "git.alwaysSignOff" = true;
-          "git.autofetch" = "all";
+          "git.autofetch" = true;
           "git.blame.editorDecoration.enabled" = true;
           "git.closeDiffOnOperation" = true;
           "git.confirmForcePush" = false;
diff --git a/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix b/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix
index afdb8d3..7e23006 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix
@@ -74,6 +74,7 @@ in
           "gitea/internalToken".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
           "gitea/jwtSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
           "gitea/lfsJwtSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+          "gitea/runnerRegistrationToken".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
           "gitea/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
           "gitea/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
           "gitea/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
@@ -86,6 +87,12 @@ in
 
           gitea-env.content = ''
             GITEA_OAUTH_SECRET=${hmConfig.sops.placeholder."gitea/authelia/password"}
+            GITEA_RUNNER_REGISTRATION_TOKEN=${hmConfig.sops.placeholder."gitea/runnerRegistrationToken"}
+            GITEA_ADMIN_PASSWORD=${hmConfig.sops.placeholder."gitea/admin"}
+          '';
+
+          gitea-act-runner-env.content = ''
+            GITEA_RUNNER_REGISTRATION_TOKEN=${hmConfig.sops.placeholder."gitea/runnerRegistrationToken"}
             GITEA_ADMIN_PASSWORD=${hmConfig.sops.placeholder."gitea/admin"}
           '';
 
@@ -98,6 +105,7 @@ in
               sections = {
                 server = {
                   ROOT_URL = "https://git.karaolidis.com:443/";
+                  LANDING_PAGE = "explore";
 
                   # FIXME: https://github.com/go-gitea/gitea/issues/31112
                   OFFLINE_MODE = false;
@@ -203,6 +211,8 @@ in
         volumes = {
           gitea-postgresql = { };
           gitea = { };
+          gitea-act-runner-data = { };
+          gitea-act-runner-cache = { };
         };
 
         containers = {
@@ -262,6 +272,32 @@ in
             unitConfig.After = [ "sops-nix.service" ];
           };
 
+          gitea-act-runner = {
+            containerConfig = {
+              image = "docker-archive:${selfPkgs.docker-gitea-act-runner}";
+              networks = [ networks.gitea.ref ];
+              volumes =
+                let
+                  uid = builtins.toString config.users.users.${user}.uid;
+                in
+                [
+                  "/run/user/${uid}/podman/podman.sock:/var/run/docker.sock"
+                  "${volumes.gitea-act-runner-data.ref}:/var/lib/gitea-act-runner"
+                  "${volumes.gitea-act-runner-cache.ref}:/tmp/gitea-act-runner"
+                ];
+              environments = {
+                GITEA_INSTANCE_URL = "https://git.karaolidis.com";
+                GITEA_ADMIN_USERNAME = "admin";
+              };
+              environmentFiles = [ hmConfig.sops.templates.gitea-act-runner-env.path ];
+            };
+
+            unitConfig = {
+              After = [ "sops-nix.service" ];
+              Requires = [ "${containers.gitea._serviceName}.service" ];
+            };
+          };
+
           authelia.containerConfig.volumes = [
             "${hmConfig.sops.templates.authelia-gitea.path}:/etc/authelia/conf.d/gitea.yaml:ro"
           ];
diff --git a/packages/default.nix b/packages/default.nix
index 7738f9b..5168560 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -14,6 +14,7 @@
   docker-base = import ./docker/base { inherit pkgs; };
   docker-flaresolverr = import ./docker/flaresolverr { inherit pkgs; };
   docker-gitea = import ./docker/gitea { inherit pkgs; };
+  docker-gitea-act-runner = import ./docker/gitea-act-runner { inherit pkgs; };
   docker-grafana = import ./docker/grafana { inherit pkgs; };
   docker-grafana-image-renderer = import ./docker/grafana-image-renderer { inherit pkgs; };
   docker-jellyfin = import ./docker/jellyfin { inherit pkgs inputs system; };
diff --git a/packages/docker/gitea-act-runner/default.nix b/packages/docker/gitea-act-runner/default.nix
new file mode 100644
index 0000000..24bda35
--- /dev/null
+++ b/packages/docker/gitea-act-runner/default.nix
@@ -0,0 +1,51 @@
+{ pkgs, ... }:
+let
+  entrypoint = pkgs.writeTextFile {
+    name = "entrypoint";
+    executable = true;
+    destination = "/bin/entrypoint";
+    text = builtins.readFile ./entrypoint.sh;
+  };
+
+  runnerConfig = pkgs.writeTextDir "/etc/gitea-act-runner/config.yaml" (
+    builtins.readFile (
+      (pkgs.formats.yaml { }).generate "config.yaml" {
+        runner = {
+          file = "/var/lib/gitea-act-runner/registration";
+          capacity = 4;
+        };
+        cache.dir = "/tmp/gitea-act-runner/";
+        # https://gitea.com/gitea/act_runner/issues/223#issuecomment-743748
+        container.docker_host = "-";
+      }
+    )
+  );
+in
+pkgs.dockerTools.buildImage {
+  name = "gitea-act-runner";
+  fromImage = import ../base { inherit pkgs; };
+
+  copyToRoot = pkgs.buildEnv {
+    name = "root";
+    paths = with pkgs; [
+      entrypoint
+      gitea-actions-runner
+      runnerConfig
+      curl
+      jq
+    ];
+    pathsToLink = [
+      "/bin"
+      "/etc"
+    ];
+  };
+
+  config = {
+    Entrypoint = [ "entrypoint" ];
+    WorkDir = "/var/lib/gitea-act-runner";
+    Volumes = {
+      "/var/lib/gitea-act-runner" = { };
+      "/tmp/gitea-act-runner" = { };
+    };
+  };
+}
diff --git a/packages/docker/gitea-act-runner/entrypoint.sh b/packages/docker/gitea-act-runner/entrypoint.sh
new file mode 100644
index 0000000..fde3627
--- /dev/null
+++ b/packages/docker/gitea-act-runner/entrypoint.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env sh
+
+set -o errexit
+set -o nounset
+
+GITEA_RUNNER_NAME="${GITEA_RUNNER_NAME:-main}"
+
+LOG_PIPE="$(mktemp -u)"
+mkfifo "$LOG_PIPE"
+
+(
+  while IFS= read -r line; do
+    if echo "$line" | grep -qiE 'level=(warn|error|fatal)'; then
+      echo "$line" >&2
+    else
+      echo "$line"
+    fi
+  done < "$LOG_PIPE"
+) &
+
+if [ ! -f /var/lib/gitea-act-runner/registration ]; then
+  GITEA_API="${GITEA_INSTANCE_URL%/}/api/v1"
+
+  auth="Authorization: Basic $(echo -n "$GITEA_ADMIN_USERNAME:$GITEA_ADMIN_PASSWORD" | base64 -w 0)"
+
+  runners="$(curl -sf --retry 10 --retry-connrefused -H "$auth" "$GITEA_API/admin/actions/runners")"
+  old_runner="$(echo "$runners" | jq -r ".runners[] | select(.name == \"$GITEA_RUNNER_NAME\") | .id")"
+
+  if [ -n "$old_runner" ]; then
+    curl -sf -X DELETE -H "$auth" "$GITEA_API/admin/actions/runners/$old_runner"
+  fi
+
+  act_runner --config /etc/gitea-act-runner/config.yaml register \
+    --no-interactive \
+    --instance "$GITEA_INSTANCE_URL" \
+    --token "$GITEA_RUNNER_REGISTRATION_TOKEN" \
+    --name "$GITEA_RUNNER_NAME" \
+    --labels "${GITEA_RUNNER_LABELS:-}" > "$LOG_PIPE" 2>&1
+fi
+
+exec act_runner --config /etc/gitea-act-runner/config.yaml daemon "$@" > "$LOG_PIPE" 2>&1
diff --git a/packages/docker/transmission-protonvpn/entrypoint.sh b/packages/docker/transmission-protonvpn/entrypoint.sh
index b7bc5fe..3e621b9 100644
--- a/packages/docker/transmission-protonvpn/entrypoint.sh
+++ b/packages/docker/transmission-protonvpn/entrypoint.sh
@@ -93,13 +93,13 @@ rpc_url="http://127.0.0.1:9091${rpc_path}rpc/"
 
     natpmp_port="$(echo "$natpmp_output" | awk '/Mapped public port/ { print $4 }')"
 
-    output_headers=$(curl -s -D - -o /dev/null -X POST "$rpc_url" \
+    output_headers=$(curl -sf -D - -o /dev/null -X POST "$rpc_url" \
       -H "Content-Type: application/json" \
       -d '{"method": "session-get", "arguments": {"fields": ["session-id"]}}')
 
     session_id="$(echo "$output_headers" | awk '/X-Transmission-Session-Id:/ { print $2 }' | tr -d '\r')"
 
-    curl -s -X POST "$rpc_url" \
+    curl -sf -X POST "$rpc_url" \
       -H "X-Transmission-Session-Id: $session_id" \
       -H "Content-Type: application/json" \
       -d "{\"method\": \"session-set\", \"arguments\": {\"peer-port\": $natpmp_port}}" \
diff --git a/secrets b/secrets
index cf0eec5..6ce176b 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit cf0eec50d087704012bee8cfa0bab39b46b1cde7
+Subproject commit 6ce176beb34bfe0ac65131564c1fa3f5d0aca1fe