diff --git a/modules/web01/gitea/actions-runner.nix b/modules/web01/gitea/actions-runner.nix
index e8da639..a2f33d6 100644
--- a/modules/web01/gitea/actions-runner.nix
+++ b/modules/web01/gitea/actions-runner.nix
@@ -1,18 +1,15 @@
 { config, self, pkgs, lib, ... }:
-let
-  inherit (self.packages.${pkgs.hostPlatform.system}) actions-runner;
-in
 {
-  systemd.services.gitea-runner-nix-image = {
-    wantedBy = [ "multi-user.target" ];
-    script = ''
-      ${lib.getExe pkgs.podman} load --input=${actions-runner}
-    '';
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-  };
+  #systemd.services.gitea-runner-nix-image = {
+  #  wantedBy = [ "multi-user.target" ];
+  #  script = ''
+  #    ${lib.getExe pkgs.podman} load --input=${actions-runner}
+  #  '';
+  #  serviceConfig = {
+  #    Type = "oneshot";
+  #    RemainAfterExit = true;
+  #  };
+  #};
 
   systemd.services.gitea-runner-nix-token = {
     wantedBy = [ "multi-user.target" ];
@@ -24,13 +21,13 @@ in
     script = ''
       set -euo pipefail
       token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
-      echo "TOKEN=$token" > /var/lib/gitea-runner/token
+      echo "TOKEN=$token" > /var/lib/gitea-registration/token
     '';
-    unitConfig.ConditionPathExists = [ "!/var/lib/gitea-runner/token" ];
+    unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/token" ];
     serviceConfig = {
       User = "gitea";
       Group = "gitea";
-      StateDirectory = "gitea-runner";
+      StateDirectory = "gitea-registration";
       Type = "oneshot";
       RemainAfterExit = true;
     };
@@ -42,11 +39,9 @@ in
   systemd.services.gitea-runner-nix = {
     after = [
       "gitea-runner-nix-token.service"
-      "gitea-runner-nix-image.service"
     ];
     requires = [
       "gitea-runner-nix-token.service"
-      "gitea-runner-nix-image.service"
     ];
 
     # TODO: systemd confinment
@@ -123,7 +118,12 @@ in
     };
   };
 
-  services.gitea-actions-runner.instances.nix = {
+  services.gitea-actions-runner.instances.nix = let
+    extraBins = pkgs.runCommand "extra-bins" {} ''
+      mkdir -p $out
+      ln -s ${pkgs.nodejs}/bin/node $out/node
+    '';
+  in {
     enable = true;
     name = "nix-runner";
     # take the git root url from the gitea config
@@ -131,31 +131,10 @@ in
     # otherwise you need to set it manually
     url = config.services.gitea.settings.server.ROOT_URL;
     # use your favourite nix secret manager to get a path for this
-    tokenFile = "/var/lib/gitea-runner/token";
-    labels = [ "nix:docker://${actions-runner.imageName}" ];
-    hostPackages = with pkgs; [
-      bash
-      coreutils
-      curl
-      gawk
-      gitMinimal
-      gnused
-      jq
-      nixUnstable
-      nodejs
-      wget
-      gnutar
-      bash
-      config.nix.package
-      gzip
-    ];
+    tokenFile = "/var/lib/gitea-registration/token";
+    labels = [ "nix:docker://mic92/nix-unstable-static" ];
     settings = {
-      runner.envs = {
-        HOME = "/var/lib/gitea-runner/nix";
-        # unset the token so it doesn't leak into the runner
-        TOKEN = "";
-        PAGER = "cat";
-      };
+      container.options = "-v /nix:/nix -v ${extraBins}:/host/bin --user nix";
     };
   };
 }