diff --git a/nixos/consensus/configuration.nix b/nixos/consensus/configuration.nix index 31748c5..57dbdae 100644 --- a/nixos/consensus/configuration.nix +++ b/nixos/consensus/configuration.nix @@ -8,6 +8,7 @@ imports = [ ./hardware-configuration.nix ./backups.nix + ./forgejo-runner.nix ]; sops = { secrets = { diff --git a/nixos/oracle/forgejo-runner.nix b/nixos/consensus/forgejo-runner.nix similarity index 80% rename from nixos/oracle/forgejo-runner.nix rename to nixos/consensus/forgejo-runner.nix index f7ec768..3fcf5a2 100644 --- a/nixos/oracle/forgejo-runner.nix +++ b/nixos/consensus/forgejo-runner.nix @@ -7,17 +7,17 @@ }; }; }; - virtualisation.docker.enable = true; services.gitea-actions-runner = { package = pkgs.forgejo-actions-runner; instances.default = { enable = true; - name = "oracle-runner1"; + name = "runner-1"; url = "https://git.10110110.xyz"; tokenFile = config.sops.secrets."forgejo-runner".path; labels = [ "ubuntu-latest:docker://node:20-bullseye" - "nix-latest:docker://nixos/nix:latest" + "nix-upstream-latest:docker://nixos/nix:latest" + "native:host" ]; }; }; diff --git a/nixos/default.nix b/nixos/default.nix index 2e8068d..f77cf2a 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -66,7 +66,6 @@ in }; modules = defaultModules ++ [ ./oracle/configuration.nix - ./oracle/forgejo-runner.nix ]; }; } diff --git a/nixos/oracle/forgejo.nix b/nixos/oracle/forgejo.nix index becf866..3a950ff 100644 --- a/nixos/oracle/forgejo.nix +++ b/nixos/oracle/forgejo.nix @@ -5,10 +5,14 @@ let in { sops = { + defaultSopsFile = ../../secrets/restic.yaml; secrets = { "env" = { sopsFile = ../../secrets/cf-acme.yaml; }; + "b2-forgejo/env" = { }; + "b2-forgejo/repo" = { }; + "b2-forgejo/password" = { }; }; }; security.acme = { 
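Review bot: The new `"native:host"` label in nixos/consensus/forgejo-runner.nix makes this runner execute job steps directly on the consensus host as the runner's service user, with no container boundary, on the same machine that imports `./backups.nix` and declares sops secrets. Any workflow able to select `runs-on: native` therefore runs code on that host, so the registration behind `tokenFile` should be limited to repositories you fully trust; whether that token is instance-wide or repo-scoped is not visible here. If host execution is required, document it next to the label, for example `# native:host runs steps unsandboxed on this machine; trusted repos only`. Separately, the hunk removes `virtualisation.docker.enable = true;` while two labels still use `docker://`, so Docker has to be enabled elsewhere in the consensus configuration, which this diff does not show. The enclosing attribute set starts above the hunk.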
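Review bot: `defaultSopsFile = ../../secrets/restic.yaml;` in the first hunk of nixos/oracle/forgejo.nix is a host-wide sops-nix option, so setting it from this module changes the lookup file for every secret on the host that has no explicit `sopsFile`, and it will conflict if another module defines a different default. Scoping the file per secret, as the existing `"env"` entry already does, keeps the change local: `"b2-forgejo/env" = { sopsFile = ../../secrets/restic.yaml; };` and likewise for `repo` and `password`. Whether other oracle modules rely on a default is not visible in this diff. The `let … in {` wrapper starts above the hunk.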
@@ -61,4 +65,24 @@ in
 };
 };
 };
+ services.restic.backups = {
+ b2-forgejo = {
+ initialize = true;
+ environmentFile = config.sops.secrets."b2-forgejo/env".path;
+ repositoryFile = config.sops.secrets."b2-forgejo/repo".path;
+ passwordFile = config.sops.secrets."b2-forgejo/password".path;
+
+ paths = [
+ "/var/lib/forgejo"
+ ];
+ timerConfig = {
+ OnCalendar = "*-*-* */6:00:00";
+ };
+ pruneOpts = [
+ "--keep-daily 31"
+ "--keep-monthly 6"
+ "--keep-yearly 2"
+ ];
+ };
+ };
 }
diff --git a/secrets/restic.yaml b/secrets/restic.yaml
index 33ed95b..95cdd96 100644
--- a/secrets/restic.yaml
+++ b/secrets/restic.yaml
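Review bot: `pruneOpts` in the new `b2-forgejo` job runs on the same host that serves Forgejo, so the credentials in `b2-forgejo/env` presumably carry delete rights on the bucket, and a compromise of this host could also remove the backups meant to recover from it. Consider pruning from a separate machine with its own key, or enforcing retention on the bucket side, and record the decision next to the option, for example `# NOTE: prune requires a B2 key that can delete; scope it to this bucket only`. `paths = [ "/var/lib/forgejo" ]` is also read while the service is running; where the database lives is not visible here, so a dump step through `backupPrepareCommand` may be needed for a consistent snapshot. The enclosing attribute set starts above the hunk.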
@@ -13,27 +13,49 @@ b2-immich: password: ENC[AES256_GCM,data:c4mi0hfLnI+QMQibW0feTBo7vK7HgYGWExPWtxFN0uf0TeiN9A+u31yRpCzF0cdiQw==,iv:IbtWLSEZMgaRAMA/nHhFBzfJho8E/kk+EaMtWZHuvuM=,tag:vFdedNL14B3Wl8yFHZ9fZQ==,type:str] repo: ENC[AES256_GCM,data:fgB/jLZpn8mUotSEhE0=,iv:rcGy9xV9OgQn6Q0zB5UkB49EffY+OL9GtlCvxSgIg8o=,tag:5BSUtw44Z1xZipXCraELBQ==,type:str] env: ENC[AES256_GCM,data:lwnoWd5pEmhcQcMExDWZ2BCRHEuYBEB9/F5vG9dNUQ9vqNLYDsehk4bwn+gaxQjwnxxucA4I4S+24qjWZaEoGyrf/dkxKVsP17TkjQ5BjQFAWOLn1npvcL3s,iv:ojsCnAMOSDT9Ua+H5O48k9G39BjHC8AFGuQFYCQBPG8=,tag:ojgrh847HLTUOjDoV61wlg==,type:str] +b2-forgejo: + password: ENC[AES256_GCM,data:ErT8GttMASlLhn+abQX56KVaotLbRTKiCVqr6I/OoaWpD+aUrnOCxBlfH/8u32720Q==,iv:mbjIzbwc/VF6gdy7y1UJWZ4ihW1IhDN+Po8/Gje2iyg=,tag:t3vsl8R22CVIE1bafCfTLA==,type:str] + repo: ENC[AES256_GCM,data:sEiuSPIYh/AJDhgqUKgz,iv:D13S3asCjjVZKEeIZqSRYoIMs+QS5vOXjnm2F5rUU/c=,tag:7WgPBEW1nYQkvWOt5XQq+g==,type:str] + env: ENC[AES256_GCM,data:MF4s4cgLgY0Ym/5RJK6B1icrAFewj4fAntvY+juxRGu3H2WzGi+EKYqIOsYcCe/86bs8kMDddR/NX9UyDP5TIkjkdp75A4Fgq7yPiNHmOPBDa0j0sR3OD+zB,iv:FP8sHqHG7lu2Rt/KbwRl2EusEVgWwQPJqq3CPt1UHLw=,tag:OZaQT+qOLlJjxQYs6bsUeA==,type:str] sops: age: - recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXVncwYmRudlFYWmhad1Ar - Mm5NWVNmTUszQ2lnMER1aCtvK1pjeHdJT0ZvCm5kYU5PbWQ0cXdId3J6aElHNFcx - Q3JSWXQxQmErMGJUZmdNRktuQm1iQ28KLS0tIGlCZzVydHR0eXY5ZXZLRUxkODBR - ZnU3ZFl1NkZqREJpcnlNMEdwVVljclkKSEmp9QkoMufA4DACbuilm6tZutpTN+ZN - ZHa9B8TDtuSZcAieMOoGxQoC4An96qIemwsMlecqGFWjJqN7wEapDQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcC90dkcvbnJoQzFDWTcr + SXFTdnRTOGhxZ3RNMHVpZFFLWHdIWUxMYzNZCjRlRTdYaS9YMjdFdzIzeHVLR3hs + QzNPM2k2UVV3bWI5WjVDT2pDaVZPaFEKLS0tIFFtdDI2Zmxnbk4xV2NGb2NDWUF6 + VmROS3plOURRTzYzaEo2S1RraFRKeW8Kg3jYWWQuEX1Y6SfkT6lRdX6tmgkFiIW7 + JX9D10jqN4DbDOYKu+MRvdz9/cagIyodg1/5LIPGBNGOKpNLiEH7AQ== -----END AGE ENCRYPTED FILE----- - recipient: 
age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwU1JwYnVwVFVQSTlqVmZ2 - djEyL3BjYkNMNldSZGUrdnBITENQMVZVNm1VCjlYd3NoY3NWVVA1UVlyMTIvekVl - MHhVeGpuV2N3azZGMmJqRERJQjZGVGsKLS0tIFgvOHAxWW5XUVdyRGZGR3I5V3lr - MXhYMkl5TTZVcDlNWUs4M3ZieDVRa1kKN3mh6jxui1a8i0VJJQmrAjhAhQkP4VcP - IpiYzY9IwIZu6VlC7qEuh3eeVq+v3SYcTmCh6/gwpmeDAjnL6hD5sA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqd3RQQUtmVXgvb1JLMnZt + Y0dITDF6anBKcWxoOWZuQStSTk1zWkdwdEN3CmFaVWphcVpjTUhNcUdjVGpnV0hq + Z25hVmNDQUQ1YnJSd3puS214TzlkbkUKLS0tIGVXRG9mczBKcHFzb0FwYU5FZkpY + ZVhQWDZwR2xFU0xTVGVLZ3NFanY1emcKu09zXLUscPvcVQSgiN4H4dWpjMyb3t7e + aa54tbZ6o1+6lLg1DniL9lBxit6R+qk3SjMuU1MQJvD7ah39RSuyng== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-03T03:18:04Z" - mac: ENC[AES256_GCM,data:zJSCaqp1m0u3fYUsLRz+asYeCqqZ4os0UdElBYrootGMmFjQ9j+X+As4np6CP44o4sWmcyePc+SKzW316wsFQObnvP+eIc+SFNjvGbw4oZPlRdSr9otbVOhPeEaWWCoONQgZ0FAbhbcsF2V3qvjmfrekd8yu3bcaH6LNZA2gT9A=,iv:Rq733/8bE7iS42C4tecN3JjyIHSY8lbCeuRKQY6TKb8=,tag:lcrVpglZyChUQRJ3jtwwpw==,type:str] + - recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYdUpxSWtHbmxzdlRYZHFT + NUY5RDhXUGN5YmlPS0UyTWcrUDlUZ3Rjbnp3CnlkQUgyNVBVclh0KzNCZkVYZURx + RXFkR2JFckVPbkg5Umo3VEF1cFFOZFkKLS0tIEM2OE1hZVpUd0EzeEFrVGc4Zmww + UzZZcFB4UngvTHF2YWtsSWQ1dGJaKzQK+cuuvX8un2bID+fLG5SFzQhfJ6QX5/pG + sVSUc+VG+04aak70p8AgOO7zN75rzSf5R83mmpEwB9a+rfDrKvbjiQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdUU2NDRKV0w1Wkp0cDh6 + NkV5bGRXOXpId1N4R09HdGhaK1lyM05WMkNRCnZSa0ovK01JaUZ3cG1qMkFzbW5z + WHc2NDYvNFN0SnBnSVlId0pjM2xBZnMKLS0tIHRoVkQ3NzBab1BzUVltWEVWeVZi + MmJRaXZheS9JamgybTc2THc1OVQ5N3MKr73ke9RIRsZvvVGl4nyxbbe/8f5KQ6Av + 
Uac6joEg0R6DbcQ9xRkbHyFySnLTHsF5HfVnUj2gPbdA1YsO0w2nlg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-09-27T20:37:26Z" + mac: ENC[AES256_GCM,data:30D/RyuIjhaJkRa4kBb3JK3FOGbbGL0aKAOlPgyNhpPyp7OWY1eYo2uoQSVa6lnjRgCV+YbmquXF6iNzUgWbzUWs6UuOfN+hIb/PKydBgITgVLp1bOfUQs8l2X2feYJ/QatBwr6VMgbBdrshppctSdypc9cTNv5r6sod0QwfpHA=,iv:uhwGM/bru/Z3UqnmOUHImhQkNm97zad+aH+VNXKy9m0=,tag:Zpdgcp2lPBNP4FjlTeXtKw==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2
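Review bot: The two `- recipient:` entries added under `sops.age` apply to the whole file, so each newly added key can decrypt the existing `b2-immich` values as well as the new `b2-forgejo` ones, and the previous recipients can decrypt `b2-forgejo`. sops encrypts a single data key per file to every listed recipient, so per-host separation needs separate files, for example `secrets/<forgejo-backup>.yaml` (placeholder name) with its own `creation_rules` entry in `.sops.yaml` listing only the keys that need it. Which host each recipient belongs to is not visible in this hunk, so confirm that the Forgejo host is meant to hold the Immich backup credentials before keeping one shared file.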