diff --git a/nixos/common/services/forgejo-runner.nix b/nixos/common/services/forgejo-runner.nix
new file mode 100644
index 00000000..c9ef3a48
--- /dev/null
+++ b/nixos/common/services/forgejo-runner.nix
@@ -0,0 +1,14 @@
+{ pkgs, config, hostname, ... }: {
+ sops.secrets."secrets/forgejo_token" = {
+ owner = "root";
+ sopsFile = ../../../secrets/secrets.yaml;
+ };
+
+ services.gitea-actions-runner.instances."${hostname}" = {
+ enable = true;
+ name = "${hostname}";
+ labels = "nixos";
+ url = "https://git.sysctl.io";
+ tokenFile = "/run/secrets/secrets/forgejo_token";
+ };
+}
\ No newline at end of file
diff --git a/nixos/hosts/framework-server/default.nix b/nixos/hosts/framework-server/default.nix
index 0d641d81..0537cfda 100644
--- a/nixos/hosts/framework-server/default.nix
+++ b/nixos/hosts/framework-server/default.nix
@@ -6,6 +6,7 @@
 ./disks.nix
 ../../common/modules/secureboot.nix
 ../../common/services/fwupd.nix
+ ../../common/services/forgejo-runner.nix
 ./builder.nix
 ./ssh-luks.nix
 ./docker.nix
@@ -55,7 +56,8 @@
 
     # Forward mail port 25 to sysctl.io / linode
     networking.firewall.extraCommands = ''
-      iptables -t nat -A OUTPUT -p tcp --dport 25 -j DNAT --to-destination 10.100.0.1:25
+      ip route add table 25 0.0.0.0/0 dev wireguard0
+      ip route add table 25 default via 10.100.0.2
     '';
 
     boot.initrd.services.udev.rules = ''
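Review bot: `labels = "nixos";` in the new forgejo-runner.nix is a string, while the NixOS `services.gitea-actions-runner` module declares `labels` as a list of strings, so this instance is likely to fail evaluation; it should read `labels = [ "nixos:host" ];` or, if jobs should run in containers, a `"nixos:docker://…"` label (the host already imports `./docker.nix` in the next hunk). The schema matters beyond typing: with the host schema every job this runner accepts from `https://git.sysctl.io` executes directly on framework-server under the runner service's account, so anyone able to push a workflow to that instance gets code execution on this machine — spell the schema out rather than relying on act_runner's default, which has differed between versions. `tokenFile` is a hard-coded path while `config` is already in the module's arguments; `tokenFile = config.sops.secrets."secrets/forgejo_token".path;` keeps it tied to the sops declaration a few lines above. `pkgs` is unused and can be dropped from the argument set.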
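Review bot: The two added `ip route add table 25` lines install the same prefix twice — `0.0.0.0/0` and `default` are the same destination — so the second command fails with a "File exists" error, and `add` fails the same way on every later firewall restart because `networking.firewall.extraCommands` is re-run while routes persist; a single `ip route replace table 25 default via 10.100.0.2 dev wireguard0` is idempotent and does what both lines appear to intend. Nothing in this hunk adds an `ip rule` that directs port-25 traffic to table 25, so unless such a rule exists elsewhere in the file the routes are inert and outbound SMTP now leaves via the main table instead of the WireGuard peer the removed DNAT rule forced it to; the comment `# Forward mail port 25 to sysctl.io / linode` should be updated to name the selector that makes the table active. The new routes also require `wireguard0` to exist when the firewall unit starts, which the removed iptables rule did not, so the unit ordering is worth confirming.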