diff --git a/.forgejo/workflows/update-flake-lock.yml b/.forgejo/workflows/update-flake-lock.yml
index af46e8a7..4d9cf4bc 100644
--- a/.forgejo/workflows/update-flake-lock.yml
+++ b/.forgejo/workflows/update-flake-lock.yml
@@ -1,82 +1,24 @@
-# yamllint disable rule:line-length rule:truthy
----
-name: Cron - Flake Lock Update
-run-name: ${{ github.actor }} - update-flake-lock
+name: update-flake-lock
 on:
+  workflow_dispatch: # allows manual triggering
   schedule:
-    - cron: '0 0 * * 0'
-    # “At 00:00 Sunday."
-  workflow_dispatch:
+    - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00
 
 jobs:
-  update-flake-lock:
-    runs-on: headscale-runner
+  lockfile:
+    runs-on: docker
     container:
-      image: git.sysctl.io/albert/actions-container-images/headscale-runner:latest
-      options: --mount type=bind,src=/dev/net/tun,dst=/dev/net/tun --privileged
+      image: ubuntu:latest
     steps:
-      - name: "Install SSH Keys"
-        run: |
-          echo "${{ secrets.SSH_PUBLIC_KEY }}"  > /root/.ssh/id_ed25519.pub
-          echo "${{ secrets.SSH_PRIVATE_KEY }}" > /root/.ssh/id_ed25519
-          chmod 700 /root/.ssh
-          chmod 600 /root/.ssh/id_ed25519
-          chmod 644 /root/.ssh/id_ed25519.pub
-          cat /etc/hosts.template > /etc/hosts
-
-      - name: "Connect to Headscale"
-        run: |
-          set -x
-          sudo tailscaled --cleanup
-          sudo tailscaled --no-logs-no-support --state=mem:  2> ~/tailscaled.log &
-          sudo tailscale up \
-              --login-server=https://headscale.sysctl.io \
-              --accept-routes \
-              --accept-dns \
-              --authkey ${{ secrets.TAILSCALE_KEY }}  \
-              --hostname forgejo-runner \
-              --advertise-tags "tag:forgejo,tag:container,tag:ephemeral"
-
-      - name: "SSH and Update / Check"
-        run: |
-          ssh -q -A -o StrictHostKeyChecking=no albert@warsaw-ovh-01.servers.hs.net \
-              "
-              set -x
-              eval (ssh-agent -c)
-              ssh-add
-              env | grep SSH
-              cd /etc/nixos/git
-              git pull
-              nix flake update
-              nix flake check --show-trace
-              "
-
-      - if: success()
-        name: "Sucess: Git Commit & Push"
-        run: |
-          ssh -q -A -o StrictHostKeyChecking=no albert@warsaw-ovh-01.servers.hs.net \
-              "
-              set -x
-              eval (ssh-agent -c)
-              ssh-add
-              env | grep SSH
-              cd /etc/nixos/git
-              git -c commit.gpgsign=false commit -am '[ACTIONS] Flake Update (`date +%Y-%m-%d`)' \
-              && git push
-              "
-
-      - if: success()
-        uses: https://git.sysctl.io/actions/gotify-action@master
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install Nix
+        uses: actions/nix-installer-action@main
+      - name: Update flake.lock
+        uses: actions/update-flake-lock@main
         with:
-          gotify_api_base: '${{ secrets.GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.GOTIFY_TOKEN }}'
-          notification_title: '[ ${{ github.repository }}: ${{ github.workflow }} ] NixOS Flake Updated'
-          notification_message: 'Build completed successfully.'
-      - if: failure()
-        uses: https://git.sysctl.io/actions/gotify-action@master
-        with:
-          gotify_api_base: '${{ secrets.GOTIFY_URL }}'
-          gotify_app_token: '${{ secrets.GOTIFY_TOKEN }}'
-          notification_title: '[ ${{ github.repository }}: ${{ github.workflow }} ] Build Failed'
-          notification_message: 'Your build has failed.  Check Forgejo.'
-        name: "Send Notification"
+          pr-title: "Update flake.lock"
+          pr-labels: |
+            dependencies
+            automated
+          pr-assignees: albert
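Review bot: The two new `uses:` lines for `actions/nix-installer-action@main` and `actions/update-flake-lock@main` track a mutable branch, so each unattended weekly run executes whatever that branch holds at the time. This matters most for the last step, which opens a pull request and so presumably runs with a repository token. Pin both, and ideally `actions/checkout@v4` as well, to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/update-flake-lock@<full-commit-sha> # <version>`. The same applies to `image: ubuntu:latest`, which can be pinned as `ubuntu:<release>@sha256:<digest>`. It is also worth confirming which host the short `actions/...` names resolve to on this Forgejo instance, since that decides whose code is being trusted.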