diff --git a/nix-runner/flake.lock b/nix-runner/flake.lock new file mode 100644 index 0000000..5fd6f52 --- /dev/null +++ b/nix-runner/flake.lock @@ -0,0 +1,61 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1767379071, + "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fb7944c166a3b630f177938e478f0378e64ce108", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix-runner/flake.nix b/nix-runner/flake.nix new file mode 100644 index 0000000..3e48255 --- /dev/null +++ b/nix-runner/flake.nix 
@@ -0,0 +1,58 @@
+# ABOUTME: Flake to build a custom Nix Docker image for Gitea Actions.
+# ABOUTME: Includes coreutils (/bin/sleep), modern Nix with flakes, and CI tools.
+{
+ description = "Nix runner image for Gitea Actions";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ flake-utils.url = "github:numtide/flake-utils";
+ };
+
+ outputs = { self, nixpkgs, flake-utils }:
+ flake-utils.lib.eachDefaultSystem (system:
+ let
+ pkgs = import nixpkgs { inherit system; };
+ in {
+ packages.default = pkgs.dockerTools.buildImage {
+ name = "gitea.v.paler.net/ppetru/nix-runner";
+ tag = "v4";
+
+ copyToRoot = pkgs.buildEnv {
+ name = "image-root";
+ paths = with pkgs; [
+ # Core utilities (provides /bin/sleep that act_runner needs)
+ coreutils-full
+ bash
+ # Nix itself
+ nix
+ # For actions that need node
+ nodejs_20
+ # Common CI tools
+ git
+ curl
+ jq
+ skopeo
+ # CA certificates for HTTPS
+ cacert
+ ];
+ pathsToLink = [ "/bin" "/etc" ];
+ };
+
+ # Create temp directories without runAsRoot (which needs KVM)
+ extraCommands = ''
+ mkdir -p -m 1777 tmp
+ mkdir -p -m 1777 var/tmp
+ '';
+
+ config = {
+ Env = [
+ "NIX_PAGER=cat"
+ "USER=root"
+ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+ "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+ "NIX_CONFIG=experimental-features = nix-command flakes\nsandbox = false\nbuild-users-group =\nsubstituters = http://c3.mule-stork.ts.net:8501 https://cache.nixos.org\ntrusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= c3:sI3l1RN80xdehzXLA8u2P6352B0SyRPs2XiYy/YWYro="
+ ];
+ };
+ };
+ });
+}
diff --git a/services/act-runner.hcl b/services/act-runner.hcl
new file mode 100644
index 0000000..00a5276
--- /dev/null
+++ b/services/act-runner.hcl
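Review bot: The `NIX_CONFIG` entry in `config.Env` switches off the build sandbox (`sandbox = false`) and empties `build-users-group`, so every derivation a CI job builds runs as the container's root with the job's full network and filesystem visibility, and nothing in the hunk records why; a comment above that line such as `# sandbox off / empty build-users-group: presumably the job container cannot create the namespaces the sandbox needs, so builds are NOT isolated — anything built here runs with the job's full privileges` would make the trade-off visible to the next maintainer. The same value lists the `c3:` key next to cache.nixos.org in `trusted-public-keys`, which makes that key a trust anchor for everything the runner substitutes, including from the plain-`http://` tailnet substituter; that is acceptable only because Nix verifies narinfo signatures against those keys, so the comment should also say that the `c3` signing key must stay private. The single `\n`-joined string is also hard to read and to diff, so I would build it with `builtins.concatStringsSep "\n"`, which yields the identical runtime value while giving each setting its own line.
```nix
            # sandbox off / empty build-users-group: presumably the job container cannot
            # create the namespaces the sandbox needs, so builds are NOT isolated — anything
            # built here runs with the job's full privileges. The c3 key below is a trust
            # anchor for every substituted path (including over plain http); keep it private.
            ("NIX_CONFIG=" + builtins.concatStringsSep "\n" [
              "experimental-features = nix-command flakes"
              "sandbox = false"
              "build-users-group ="
              "substituters = http://c3.mule-stork.ts.net:8501 https://cache.nixos.org"
              "trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= c3:sI3l1RN80xdehzXLA8u2P6352B0SyRPs2XiYy/YWYro="
            ])
            # … unchanged: closing of Env list and config attrset …
```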
@@ -0,0 +1,75 @@ +# ABOUTME: Gitea Actions runner for CI/CD pipelines. +# ABOUTME: Runs containerized actions with Docker-in-Docker support. + +# Setup required before running: +# sudo mkdir -p /data/services/act-runner +# nomad var put secrets/act-runner registration_token="" + +job "act-runner" { + datacenters = ["alo"] + type = "service" + + group "runner" { + network { + mode = "host" + } + + task "runner" { + driver = "docker" + + config { + image = "gitea/act_runner:latest" + network_mode = "host" + privileged = true + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock", + "/data/services/act-runner:/data", + "local/config.yaml:/.runner/config.yaml", + ] + } + + template { + destination = "local/config.yaml" + data = <