diff --git a/modules/nix/gitea-actions-runners/webref.nix b/modules/nix/gitea-actions-runners/webref.nix
new file mode 100644
index 0000000..589c244
--- /dev/null
+++ b/modules/nix/gitea-actions-runners/webref.nix
@@ -0,0 +1,50 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.my.servers.gitea;
+in
+{
+ config = lib.mkIf (cfg.enable && config.my.secureHost) {
+ users.groups.gitea-runner = { };
+ users.users.gitea-runner = {
+ isSystemUser = true;
+ group = "gitea-runner";
+ extraGroups = [
+ "docker"
+ "podman"
+ ];
+ };
+ nix.settings = {
+ allowed-users = [ "gitea-runner" ];
+ trusted-users = [ "gitea-runner" ];
+ };
+ services.gitea-actions-runner.instances.webref = {
+ inherit (cfg) url enable;
+ name = "${config.networking.hostName}-nixos";
+ tokenFile = config.sops.secrets.gitea.path;
+ labels = [
+ "nix:native"
+ "ubuntu-latest:docker://node:20-bookworm"
+ "webref:native"
+ ];
+ hostPackages = builtins.attrValues {
+ inherit (pkgs)
+ bash
+ coreutils
+ curl
+ git
+ nix
+ nodejs
+ python3
+ postgresql
+ docker
+ docker-compose
+ ;
+ };
+ };
+ };
+}
diff --git a/modules/servers/gitea.nix b/modules/servers/gitea.nix
index 4b10e25..1a53637 100644
--- a/modules/servers/gitea.nix
+++ b/modules/servers/gitea.nix
@@ -10,8 +10,8 @@ let
 in
 {
 imports = [
- ../nix/gitea-actions-runners/ryujinx.nix
 ../nix/gitea-actions-runners/nixos.nix
+ ../nix/gitea-actions-runners/webref.nix
 ];
 options.my.servers.gitea = setup.mkOptions "gitea" "git" 9083;
 config = lib.mkIf (cfg.enable && config.my.secureHost) {
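Review bot: `trusted-users = [ "gitea-runner" ];` in the `nix.settings` block of webref.nix makes the CI account effectively root on this host, because a trusted Nix user can override daemon settings such as substituters and import unsigned store paths. The `nix:native` and `webref:native` labels run job steps directly on the host rather than in a container, so, assuming the runner service executes as `gitea-runner` (the hunk does not show this), any workflow scheduled on this runner inherits that privilege. Membership in the `docker` group through `extraGroups` is a second root-equivalent path via the Docker socket. I would drop the `trusted-users` line and keep only `allowed-users = [ "gitea-runner" ];`, which is enough to build through the daemon. A comment above `labels` saying which repositories are expected to target the native labels would also help, e.g. `# native labels execute on the host: restrict this runner to trusted repositories`.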