diff --git a/flake.lock b/flake.lock
index 29f98f6..934be91 100644
--- a/flake.lock
+++ b/flake.lock
@@ -40,46 +40,6 @@
 "type": "github"
 }
 },
- "lowdown-src": {
- "flake": false,
- "locked": {
- "lastModified": 1633514407,
- "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
- "owner": "kristapsdz",
- "repo": "lowdown",
- "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
- "type": "github"
- },
- "original": {
- "owner": "kristapsdz",
- "repo": "lowdown",
- "type": "github"
- }
- },
- "nix": {
- "inputs": {
- "flake-compat": [],
- "lowdown-src": "lowdown-src",
- "nixpkgs": [
- "nixpkgs"
- ],
- "nixpkgs-regression": []
- },
- "locked": {
- "lastModified": 1686048923,
- "narHash": "sha256-/XCWa2osNFIpPC5MkxlX6qTZf/DaTLwS3LWN0SRFiuU=",
- "owner": "nixos",
- "repo": "nix",
- "rev": "84050709ea18f3285a85d729f40c8f8eddf5008e",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "2.16.1",
- "repo": "nix",
- "type": "github"
- }
- },
 "nixpkgs": {
 "locked": {
 "lastModified": 1689846894,
@@ -100,7 +60,6 @@
 "inputs": {
 "disko": "disko",
 "flake-parts": "flake-parts",
- "nix": "nix",
 "nixpkgs": "nixpkgs",
 "sops-nix": "sops-nix",
 "srvos": "srvos",
diff --git a/flake.nix b/flake.nix
index da3ab52..0b2eed6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -24,11 +24,6 @@
 srvos.url = "github:numtide/srvos";
 # Use the version of nixpkgs that has been tested to work with SrvOS
 srvos.inputs.nixpkgs.follows = "nixpkgs";
-
- nix.url = "github:/nixos/nix?ref=2.16.1";
- nix.inputs.nixpkgs.follows = "nixpkgs";
- nix.inputs.nixpkgs-regression.follows = "";
- nix.inputs.flake-compat.follows = "";
 };
 outputs = inputs@{ flake-parts, ... }:
diff --git a/modules/web01/gitea/actions-runner.nix b/modules/web01/gitea/actions-runner.nix
index 172f0f4..fec75d8 100644
--- a/modules/web01/gitea/actions-runner.nix
+++ b/modules/web01/gitea/actions-runner.nix
@@ -1,12 +1,55 @@
 { config, self, pkgs, lib, ... }:
+let
+ bin = pkgs.runCommand "extra-bins" { } ''
+ mkdir -p $out
+ for dir in ${toString [ pkgs.coreutils pkgs.git pkgs.nix pkgs.bash pkgs.jq pkgs.nodejs ]}; do
+ for bin in "$dir"/bin/*; do
+ ln -s "$bin" "$out/$(basename "$bin")"
+ done
+ done
+ '';
+ etc = pkgs.runCommand "etc" { } ''
+ mkdir -p $out/etc/nix
+
+ cat < $out/etc/nix/nix.conf
+ accept-flake-config = true
+ experimental-features = nix-command flakes
+ NIX_CONFIG
+
+ cat < $out/etc/nsswitch.conf
+ passwd: files mymachines systemd
+ group: files mymachines systemd
+ shadow: files
+
+ hosts: files mymachines dns myhostname
+ networks: files
+
+ ethers: files
+ services: files
+ protocols: files
+ rpc: files
+ NSSWITCH
+
+ # Create an unpriveleged user that we can use also without the run-as-user.sh script
+ touch $out/etc/passwd $out/etc/group
+ ${pkgs.buildPackages.shadow}/bin/groupadd --prefix $out -g 9000 nixuser
+ ${pkgs.buildPackages.shadow}/bin/useradd --prefix $out -m -d /tmp -u 9000 -g 9000 -G nixuser nixuser
+
+ # Add SSL CA certs
+ mkdir -p $out/etc/ssl/certs
+ cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
+ '';
+in
 {
 systemd.services.gitea-runner-nix-image = {
 wantedBy = [ "multi-user.target" ];
 after = [ "podman.service" ];
 requires = [ "podman.service" ];
 path = [ pkgs.podman pkgs.gnutar ];
+ # we also include etc here because the cleanup job also wants the nixuser to be present
 script = ''
- tar cv --files-from /dev/null | podman import - scratch
+ set -eux
+ tar -C ${etc} -cv . | podman import - almost-scratch
 '';
 serviceConfig = {
 Type = "oneshot";
@@ -38,6 +81,10 @@
 # Format of the token file:
 virtualisation.podman.enable = true;
+ virtualisation.containers.containersConf.settings = {
+ # podman seems to not work with systemd-resolved
+ containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
+ };
 systemd.services.gitea-runner-nix = {
 after = [
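Review bot: In the new `script` of `gitea-runner-nix-image`, `set -eux` does not cover the pipeline `tar -C ${etc} -cv . | podman import - almost-scratch`: only podman's exit status is checked, so a tar that fails part-way can still leave a truncated archive imported as `almost-scratch` with the oneshot reporting success; `set -euxo pipefail` closes that gap. The generated `nix.conf` bakes in `accept-flake-config = true`, so any `nixConfig` declared by a flake a job checks out is applied without a prompt; since `/nix` is bind-mounted from the host (see `container.options` further down), whether restricted settings such as substituters take effect presumably depends on uid 9000 not being in the host daemon's `trusted-users`, which this module does not show, and a comment like `# accept-flake-config relies on nixuser (uid 9000) NOT being a trusted user of the host nix daemon` would record that assumption next to the setting. As rendered here the two `cat < $out/etc/...` lines appear to have lost their heredoc operator (the `NIX_CONFIG`/`NSSWITCH` terminators suggest `cat <<NIX_CONFIG > ...`), so it is worth confirming the committed file matches the intent.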
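Review bot: `containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ]` hardcodes Google's public resolvers for every job container, so CI DNS queries leave the network and any internal or split-horizon names the host resolves through systemd-resolved become unreachable from jobs; the comment `# podman seems to not work with systemd-resolved` records the symptom rather than the constraint. The underlying reason is presumably that resolved's stub listener on 127.0.0.53 is loopback-only and therefore not reachable from the container's network namespace. Wrapping the value in `lib.mkDefault` would let a host substitute its own resolver, and a comment such as `# systemd-resolved's 127.0.0.53 stub is loopback-only and unreachable from the container netns; override with a local resolver where internal names are needed` would explain why an external resolver is used. The `systemd.services.gitea-runner-nix` attrset continues past the end of this hunk.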
@@ -116,52 +163,26 @@
 };
 };
- services.gitea-actions-runner.instances.nix =
- let
- bin = pkgs.runCommand "extra-bins" { } ''
- mkdir -p $out
- for dir in ${toString [ pkgs.coreutils pkgs.git pkgs.nix pkgs.bash pkgs.jq pkgs.nodejs]}; do
- for bin in "$dir"/bin/*; do
- ln -s "$bin" "$out/$(basename "$bin")"
- done
- done
- '';
- etc = pkgs.runCommand "etc" { } ''
- mkdir -p $out/etc/nix
-
- cat < $out/etc/nix.conf
- accept-flake-config = true
- experimental-features = nix-command flakes
- NIX_CONFIG
-
- # Create an unpriveleged user that we can use also without the run-as-user.sh script
- touch $out/etc/passwd $out/etc/group
- ${pkgs.buildPackages.shadow}/bin/groupadd --prefix $out -g 9000 nixuser
- ${pkgs.buildPackages.shadow}/bin/useradd --prefix $out -m -d /tmp -u 9000 -g 9000 -G nixuser nixuser
-
- # Add SSL CA certs
- mkdir -p $out/etc/ssl/certs
- cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
- '';
- in
- {
- enable = true;
- name = "nix-runner";
- # take the git root url from the gitea config
- # only possible if you've also configured your gitea though the same nix config
- # otherwise you need to set it manually
- url = config.services.gitea.settings.server.ROOT_URL;
- # use your favourite nix secret manager to get a path for this
- tokenFile = "/var/lib/gitea-registration/token";
- labels = [ "nix:docker://scratch" ];
- settings = {
- container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt -v /tmp:/tmp -v /nix:/nix -v ${etc}/etc:/etc -v ${bin}:/bin --user nixuser";
- container.valid_volumes = [
- "/nix"
- "/tmp"
- bin
- "${etc}/etc"
- ];
- };
+ services.gitea-actions-runner.instances.nix = {
+ enable = true;
+ name = "nix-runner";
+ # take the git root url from the gitea config
+ # only possible if you've also configured your gitea though the same nix config
+ # otherwise you need to set it manually
+ url = config.services.gitea.settings.server.ROOT_URL;
+ # use your favourite nix secret manager to get a path for this
+ tokenFile = "/var/lib/gitea-registration/token";
+ labels = [ "nix:docker://almost-scratch" ];
+ settings = {
+ container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt -v /tmp:/tmp -v /nix:/nix -v ${etc}/etc:/etc -v ${bin}:/bin --user nixuser";
+ # the default network that also respects our dns server settings
+ container.network = "podman";
+ container.valid_volumes = [
+ "/nix"
+ "/tmp"
+ bin
+ "${etc}/etc"
+ ];
 };
+ };
 }
diff --git a/pkgs/actions-runner.nix b/pkgs/actions-runner.nix
deleted file mode 100644
index 90b2764..0000000
--- a/pkgs/actions-runner.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{ pkgs, inputs }:
-let
- # FIXME get rid of nix input?
- base = import (inputs.nix + "/docker.nix") {
- inherit pkgs;
- name = "nix-ci-base";
- maxLayers = 10;
- extraPkgs = with pkgs; [
- nodejs_20 # nodejs is needed for running most 3rdparty actions
- # add any other pre-installed packages here
- ];
- # do we want this at all?
- channelURL = "https://nixos.org/channels/nixpkgs-unstable";
- nixConf = {
- substituters = [
- "https://cache.nixos.org/"
- "https://nix-community.cachix.org"
- # insert any other binary caches here
- ];
- trusted-public-keys = [
- "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- # insert the public keys for those binary caches here
- ];
- # allow using the new flake commands in our workflows
- experimental-features = [ "nix-command" "flakes" ];
- };
- };
-in
-pkgs.dockerTools.buildImage {
- name = "nix-runner";
- tag = "latest";
-
- fromImage = base;
- fromImageName = null;
- fromImageTag = "latest";
-
- copyToRoot = pkgs.buildEnv {
- name = "image-root";
- paths = [ pkgs.coreutils-full ];
- pathsToLink = [ "/bin" ]; # add coreutuls (which includes sleep) to /bin
- };
-}
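Review bot: The `container.options` string the instance now uses carries `-v /tmp:/tmp`, while the `etc` derivation at the top of the file makes `/tmp` the home directory of `nixuser`, so every job shares one writable directory with the host and with all other jobs, and anything a run leaves behind is visible to the next. If nothing depends on sharing the host's `/tmp`, a per-container `--tmpfs /tmp` (with `"/tmp"` dropped from `container.valid_volumes`) would give each job a fresh, isolated scratch directory; if the sharing is intentional, a comment saying why would stop a later reader from "fixing" it. `labels = [ "nix:docker://almost-scratch" ]` also names an image that exists only after `gitea-runner-nix-image` has run, so a comment such as `# almost-scratch is imported locally by systemd.services.gitea-runner-nix-image` would make that ordering dependency visible here.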
diff --git a/pkgs/flake-module.nix b/pkgs/flake-module.nix
index 68bdd8d..facaffa 100644
--- a/pkgs/flake-module.nix
+++ b/pkgs/flake-module.nix
@@ -1,12 +1,9 @@
-{ lib, inputs, ... }: {
+{ lib, ... }: {
 perSystem = { pkgs, inputs', ... }: {
 packages = {
 inherit (pkgs.callPackage ./renovate { }) renovate;
 } // lib.optionalAttrs (!pkgs.stdenv.isDarwin) {
 gitea = pkgs.callPackage ./gitea { };
- actions-runner = pkgs.callPackage ./actions-runner.nix {
- inherit inputs;
- };
 };
 };
 }