diff --git a/nixos/common/services/forgejo-runner.nix b/nixos/common/services/forgejo-runner.nix
index 50f26d17..be102bb1 100644
--- a/nixos/common/services/forgejo-runner.nix
+++ b/nixos/common/services/forgejo-runner.nix
@@ -41,9 +41,9 @@
           allow-host-namespace = false;
         };
         docker-opts = [
-          "--cap-drop=ALL"  # Drop all caps first
+          "--cap-drop=ALL"      # Drop all caps first
+          "--cap-add=NET_ADMIN" # Required for TUN device access
           "--security-opt=no-new-privileges"
-          "--cap-add=NET_ADMIN"            # Required for TUN device access
         ];
       };
     };