diff --git a/.forgejo/default-policy.json b/.forgejo/default-policy.json
new file mode 100644
index 0000000..dffc54a
--- /dev/null
+++ b/.forgejo/default-policy.json
@@ -0,0 +1,14 @@
+{
+ "default": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ],
+ "transports":
+ {
+ "docker-daemon":
+ {
+ "": [{"type":"insecureAcceptAnything"}]
+ }
+ }
+}
diff --git a/.forgejo/tags.txt b/.forgejo/tags.txt
new file mode 100644
index 0000000..e951978
--- /dev/null
+++ b/.forgejo/tags.txt
@@ -0,0 +1 @@
+nix-with-node:nix
diff --git a/.forgejo/workflows/images.yaml b/.forgejo/workflows/images.yaml
new file mode 100644
index 0000000..36e9872
--- /dev/null
+++ b/.forgejo/workflows/images.yaml
@@ -0,0 +1,19 @@
+on: [push]
+jobs:
+ check:
+ runs-on: nix-upstream-latest
+ permissions:
+ id-token: "write"
+ contents: "read"
+ steps:
+ - run: echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
+ - run: nix-env -i nodejs skopeo # bootstrap
+ - uses: actions/checkout@v4
+ - run: mkdir -p /etc/containers && cp .forgejo/default-policy.json /etc/containers/policy.json
+ - run: |-
+ for line in $(cat .forgejo/tags.txt); do
+ IFS=: read -r pkg tag <<< $line
+ cp $(nix build .#$pkg --print-out-paths) /tmp/img.tar.gz
+ gunzip /tmp/img.tar.gz
+ skopeo copy --dest-creds="${{ secrets.FJ_USER }}:${{ secrets.FJ_PASS }}" docker-archive:///tmp/img.tar docker://git.10110110.xyz/ci/$tag:latest
+ done
diff --git a/.forgejo/workflows/main.yml b/.forgejo/workflows/main.yml
index 5b63c12..587fc56 100644
--- a/.forgejo/workflows/main.yml
+++ b/.forgejo/workflows/main.yml
@@ -7,13 +7,17 @@ on:
 jobs:
 build:
 runs-on: nix-latest
+ permissions:
+ id-token: "write"
+ contents: "read"
 strategy:
 matrix:
 package_name: ["nvim"]
 steps:
 - uses: actions/checkout@v4
 - uses: DeterminateSystems/nix-installer-action@main
- - name: check
+ - uses: DeterminateSystems/flakehub-cache-action@main
+ - name: nix flake check
 run: nix flake check
 - name: Run `nix bundle`
 if: github.ref == 'refs/heads/main'
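Review bot: Both the `default` entry and the `docker-daemon` transport entry are `insecureAcceptAnything`, so once this file is installed as `/etc/containers/policy.json` skopeo performs no signature check on any image it reads from any transport, not only on the local archive the images workflow pushes. As far as I know the containers policy is enforced on the image being read, and the only source the workflow reads is `docker-archive:///tmp/img.tar`, so the policy can default to `reject` and allow just that transport; the `docker-daemon` entry is not used by anything visible in this commit. JSON cannot carry a comment, so the reason for the one remaining `insecureAcceptAnything` belongs in the workflow step that installs the file.
```json
{
  "default": [{ "type": "reject" }],
  "transports": {
    "docker-archive": { "": [{ "type": "insecureAcceptAnything" }] }
  }
}
```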
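Review bot: The last `run` step publishes `$tag:latest` with the registry credentials on every push to any branch, since `on: [push]` has no branch filter and the step has no `if:`; the `nix bundle` step in main.yml gates on `github.ref == 'refs/heads/main'`, and this step should do the same (or narrow `on.push.branches`). The password is also passed as `--dest-creds=` on the command line, where it is visible to anything on the runner that can list processes; `skopeo login --password-stdin` fed from an `env:` entry, or `REGISTRY_AUTH_FILE`, keeps it out of argv. `id-token: "write"` appears unused here — nothing in this workflow exchanges an OIDC token — so unless something I cannot see needs it, `contents: "read"` alone is the least-privilege grant. The `for line in $(cat …)` / `read <<< $line` pair is unquoted; `while IFS=: read -r pkg tag; do …; done < .forgejo/tags.txt` is the usual form and avoids word splitting.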
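Review bot: `DeterminateSystems/flakehub-cache-action@main` is a mutable branch reference, and the same job now grants `id-token: "write"`, so whoever can push to that upstream branch can run code in this job with a token that identifies this repository to any relying party; `nix-installer-action@main` on the context line above has the same exposure, and this commit is the moment to pin both. Pin to a release tag or, better, a full commit SHA with the tag in a trailing comment, e.g. `- uses: DeterminateSystems/flakehub-cache-action@<commit-sha> # <tag>`. `permissions` sits at job level, which is the right scope; a one-line comment such as `# id-token: consumed by flakehub-cache-action (OIDC)` would record why write is needed, assuming that is indeed the consumer.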
diff --git a/nixos/zen/configuration.nix b/nixos/zen/configuration.nix
index 3c73c75..f0e2a64 100644
--- a/nixos/zen/configuration.nix
+++ b/nixos/zen/configuration.nix
@@ -1,4 +1,9 @@
-{ host, config, pkgs, ... }:
+{
+ host,
+ config,
+ pkgs,
+ ...
+}:
 {
 imports = [
 ./hardware-configuration.nix
@@ -18,12 +23,15 @@
 allowedTCPPorts = [
 22
 10250
- 25565 #mc
- 25566 #mc
+ 25565 # mc
+ 25566 # mc
 ];
+ interfaces."podman+" = {
+ allowedTCPPorts = [ 33393 ];
+ };
 };
 };
- virtualisation.docker = {
+ virtualisation.podman = {
 enable = true;
 extraOptions = "--dns 1.1.1.1";
 };
@@ -32,6 +40,16 @@
 instances.default = {
 enable = true;
 name = host.hostName;
+ settings = {
+ runner = {
+ capacity = 3;
+ };
+ cache = {
+ enable = true;
+ host = "host.containers.internal";
+ proxy_port = 33393;
+ };
+ };
 url = "https://git.10110110.xyz";
 tokenFile = config.sops.secrets.forgejo-runner.path;
 labels = [
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 19572c1..c34f530 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -7,5 +7,6 @@
 nativeBuildInputs = [ pkgs.jujutsu ];
 doCheck = false;
 };
+ nix-with-node = import ./nix-with-node { inherit pkgs; };
 }
 // import ./nvim { inherit inputs pkgs; }
diff --git a/pkgs/nix-with-node/default.nix b/pkgs/nix-with-node/default.nix
new file mode 100644
index 0000000..f49deb4
--- /dev/null
+++ b/pkgs/nix-with-node/default.nix
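Review bot: `extraOptions = "--dns 1.1.1.1"` is carried over verbatim from the `virtualisation.docker` block while the attribute path changes to `virtualisation.podman`; I cannot confirm from here that the podman module defines an option of that name, and a NixOS option that does not exist fails evaluation rather than being ignored, so this wants checking before the host is rebuilt. The firewall entry `interfaces."podman+".allowedTCPPorts = [ 33393 ];` admits every container on every podman network to that port, not only runner jobs; a comment beside it, e.g. `# forgejo-runner cache proxy, reached from job containers via host.containers.internal`, would keep the port's purpose next to the rule.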
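Review bot: `proxy_port = 33393;` must agree with the `interfaces."podman+".allowedTCPPorts` entry added in the earlier hunk of this file, and nothing ties the two values together; a comment on this line, `# must match networking.firewall.interfaces."podman+".allowedTCPPorts`, or a shared `let` binding for the port would stop them drifting. Enabling `cache` makes one cache available to every job this runner executes, and with `capacity = 3;` jobs from different repositories can run side by side; whether the proxy scopes entries per repository I cannot tell from here, so it is worth confirming before untrusted repositories share this runner. The `instances.default` attribute set continues past the end of the hunk (`labels = [` is its last visible line).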
@@ -0,0 +1,38 @@
+{ pkgs, ... }:
+pkgs.dockerTools.buildLayeredImage {
+ name = "nix-with-node";
+ contents = with pkgs; [
+ ./root
+ bashInteractive
+ cacert
+ coreutils
+ git
+ gnutar
+ gzip
+ jq
+ nix
+ nodejs
+ openssh
+ shadow
+ xz
+ ];
+
+ config = {
+ Cmd = [ "/bin/bash" ];
+ WorkingDir = "/home/nixbld";
+ Env = [
+ "ENV=/etc/profile.d/nix.sh"
+ "NIX_BUILD_SHELL=/bin/bash"
+ "PATH=/usr/bin:/bin"
+ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+ "USER=root"
+ ];
+ };
+
+ fakeRootCommands = ''
+ ${pkgs.dockerTools.shadowSetup}
+ groupadd -r nixbld
+ useradd -r -g nixbld nixbld
+ '';
+ enableFakechroot = true;
+}
diff --git a/pkgs/nix-with-node/root/etc/nix/nix.conf b/pkgs/nix-with-node/root/etc/nix/nix.conf
new file mode 100644
index 0000000..978cf89
--- /dev/null
+++ b/pkgs/nix-with-node/root/etc/nix/nix.conf
@@ -0,0 +1,3 @@
+accept-flake-config = true
+experimental-features = nix-command flakes
+max-jobs = auto
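Review bot: `WorkingDir = "/home/nixbld";` points at a directory the image never creates — `useradd -r -g nixbld nixbld` adds a system account and, by default, does not create a home directory — so whether the container starts depends on the runtime creating the working directory by itself. Adding `mkdir -p /home/nixbld && chown nixbld:nixbld /home/nixbld` after the `useradd` line in `fakeRootCommands` (or `useradd -r -m …`) removes that dependency. The image also runs as root: `config` sets no `User` and `Env` carries `"USER=root"`, while `nixbld` is created but used by nothing visible here; a comment in `fakeRootCommands` stating why root is kept and what `nixbld` is for (presumably Nix's build-users group, which I cannot confirm from here) would make that deliberate rather than accidental. Note that Nix inspects the group's member list, and an account whose primary group is `nixbld` does not appear in it, so it is worth checking that a build actually runs inside this image.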
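Review bot: `accept-flake-config = true` tells Nix to apply, without prompting, whatever `nixConfig` a flake declares — including `substituters` and `trusted-public-keys` — and this image is built to run CI for checked-out repositories, so any flake a job builds can point the build at a cache of its choosing. Dropping the line leaves those settings ignored in non-interactive use, and caches that are genuinely needed can be listed here explicitly with `extra-substituters` / `extra-trusted-public-keys`. A leading comment such as `# CI image: do not enable accept-flake-config; it would let any built flake add its own substituters` would keep the decision from being reverted later.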