diff --git a/inventories/chaosknoten/host_vars/forgejo-runner.sops.yaml b/inventories/chaosknoten/host_vars/forgejo-runner.sops.yaml index c0e1b76..ba4e1ee 100644 --- a/inventories/chaosknoten/host_vars/forgejo-runner.sops.yaml +++ b/inventories/chaosknoten/host_vars/forgejo-runner.sops.yaml @@ -1,8 +1,8 @@ ansible_pull__age_private_key: ENC[AES256_GCM,data:fEly3EIovZ4n5xMnD5Aqtbn1+DUszR0MvBHcM383G40qfHxrbF/lqc8iftshInoHSU77Vugignyb0dTSCTS1cWmEg8I/+ZFjgwc=,iv:Y1XunCfdIUC5nTu+vkr0Q0LUBWeIwP/bGNkbnDb1cpA=,tag:6UrkMx6yEGB46VVvtAkDMQ==,type:str] +secret__forgejo_runner_ccchh_git_token: ENC[AES256_GCM,data:5igicsbBCLvsWI6YSFN2A/XD4An1l31YBe7Ngm7nHopWR/Ge266I9g==,iv:sVXBSeEWNs7GIXasZdbIoiaeXFTJMkM6T8vZCNX5Tek=,tag:aVIX3+8pr1lyEy1pcu1UNQ==,type:str] sops: age: - - recipient: age1az0k6cadssk6r8qcqxfr8cyu5mndy59pwt8yqq6w065ew6au4ezsmg2vkf - enc: | + - enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcFhwNmRXTnptOUMrN0dZ UnN0bFdCVjJQamNvTzZmMkxRdk0zL0E4bm4wCmRIVmVrVW1Jb3BKOVNnNnM5MXJm @@ -10,8 +10,9 @@ sops: VVI1TnN3UkcxUzdOWjJQTzZLOHNlaDQKx/HqW9sEYmNYIMYvLVF/9eJfcgRH/cJv YqcDNZc8L9Rap2TfwsiJZourqDTe/8sWgQ0yHC4mcKS1HJOTUMNwqQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-05-20T02:12:09Z" - mac: ENC[AES256_GCM,data:QgL5PSrG3yVeJQgDJ3/VQhGwF7WpDb0+w7oxeF0KeNt3m2YqUsS1qKwK4gJAbmyt/RPdRErTiPs6NdAouowjZg6zcd+Trags/GIBKcaIyJqQa4lw3J3Jod9GTkol70c0H/X76kQx+bWzuXnJy64Dm3t2h+/ytD45+yZJ/959FKI=,iv:JnR8ZRgCfsr7T7L0NLCncH/6q1EGErOCzYjZWrazDh8=,tag:HHH6MrP1bFU0j/Hb6crEZA==,type:str] + recipient: age1az0k6cadssk6r8qcqxfr8cyu5mndy59pwt8yqq6w065ew6au4ezsmg2vkf + lastmodified: "2026-06-23T19:38:01Z" + mac: ENC[AES256_GCM,data:3FSmib8bQgi3sf5OSZvKOeXNgPphCM2LtUEscXD1c916UC0l6WSJsB86CpwPolInL79o5148ond7u0lDiM+/yLx4QUmxLkJXK5hi0KqMmUCp8L/oVslO6Q1rAJnhKkfcPpnVUwk6lRvcb+4NXIG+3w9EBPSWXL2yBLhRMXmtiBA=,iv:sVJgqoNMZY9jwdq6eJJoTZ7rAqBBmfxsiDXV9yFhPws=,tag:NQwpxfBGwAoW83CMl/mitA==,type:str] pgp: - created_at: "2026-05-20T02:11:43Z" enc: |- 
@@ -184,4 +185,4 @@ sops: -----END PGP MESSAGE----- fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 unencrypted_suffix: _unencrypted - version: 3.12.1 + version: 3.13.1
diff --git a/inventories/chaosknoten/host_vars/forgejo-runner.yaml b/inventories/chaosknoten/host_vars/forgejo-runner.yaml
new file mode 100644
index 0000000..28bc4ab
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/forgejo-runner.yaml
@@ -0,0 +1 @@
+forgejo_runner__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2') }}"
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 4fbc03d..30072c8 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -284,3 +284,4 @@ secrets_hosts:
 hosts:
 forgejo_runner_hosts:
 hosts:
+ forgejo-runner:
diff --git a/resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2 b/resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2
new file mode 100644
index 0000000..eb3bcd3
--- /dev/null
+++ b/resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2
@@ -0,0 +1,43 @@
+log:
+ level: info
+ job_level: info
+
+runner:
+ file: .runner
+ capacity: 4
+ timeout: 1h
+ shutdown_timeout: 30m
+ insecure: false
+ fetch_timeout: 30s
+ fetch_interval: 2s
+ report_interval: 1s
+ labels:
+ # https://forgejo.org/docs/latest/admin/actions/configuration/#choosing-labels
+ - docker:docker://docker.io/library/node:lts
+
+cache:
+ enabled: false
+
+container:
+ # Leave emtpy to create a network automatically.
+ network: ""
+ enable_ipv6: true
+ privileged: false
+ ## Something like this once gVisor can be used.
+ ## options: "--runtime=runsc --mount type=bind,src=/etc/gvisor-helper-resolv.conf,dst=/etc/resolv.conf,ro=true"
+ # Leave empty for default /workspace to be used.
+ workdir_parent:
+ ## Something like this once gVisor can be used.
+ ## Add /etc/gvisor-helper-resolv.conf to valid_volumes to make the bind-mount in options work.
+ ## valid_volumes: ["/etc/gvisor-helper-resolv.conf:ro"]
+ # Leave "-", so no docker host will be mounted in the job container.
+ docker_host: "-"
+ force_pull: true
+ force_rebuild: false
+
+server:
+ connections:
+ ccchh-git:
+ url: https://git.hamburg.ccc.de/
+ uuid: 8f2a39a7-0c58-4c57-a272-01893b2f1a6d
+ token: {{ secret__forgejo_runner_ccchh_git_token }}
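Review bot: The last line of the new template, `token: {{ secret__forgejo_runner_ccchh_git_token }}`, renders the secret as a plain YAML scalar, so a token that happens to be all digits, or that contains `: `, ` #` or a leading indicator character, would be retyped or break the rendered file; quote it as `token: "{{ secret__forgejo_runner_ccchh_git_token }}"`. The rendered configuration carries the runner token in clear text, and the task that consumes `forgejo_runner__config` is outside this diff, so it is worth confirming that it writes the file with a restrictive mode and keeps the value out of task and diff output (for example with `no_log: true`). Under `labels`, `docker.io/library/node:lts` is a mutable tag and `force_pull: true` pulls whatever that tag currently points to, so pinning the image by digest would keep job environments reproducible and reviewable. The comment above `network` has a typo, `emtpy` for `empty`.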