diff --git a/configurations/nixos/forgejo-runner/default.nix b/configurations/nixos/forgejo-runner/default.nix
index c4ea23b..b964350 100644
--- a/configurations/nixos/forgejo-runner/default.nix
+++ b/configurations/nixos/forgejo-runner/default.nix
@@ -1,4 +1,5 @@
 {
+  lib,
   flake,
   modulesPath,
   config,
@@ -21,20 +22,22 @@ in
     trusted-users = [ "gitea-runner" ];
   };
   sops.secrets.forgejo-runners-token = {
-    owner = "gitea-runner";
-    group = "gitea-runner";
+    # owner = "gitea-runner";
+    # group = "gitea-runner";
+    mode = "0777";
   };
   services.gitea-actions-runner = {
     package = pkgs.forgejo-runner;
     instances = {
       native = {
         enable = true;
-        url = "https://git.skdevstuios.com";
+        url = "https://git.skdevstudios.com";
         name = "nix";
-        labels = [ "nix:host" ];
+        labels = [ "native:host" ];
         tokenFile = config.sops.secrets.forgejo-runners-token.path;
         hostPackages = with pkgs; [
           nix
+          opentofu
           nodejs
           git
           bash
@@ -52,6 +55,7 @@ in
     tty-ips.enable = true;
   };
   networking = {
+    firewall.enable = lib.mkForce false;
     hostName = "base";
   };
   environment.systemPackages = [
diff --git a/secrets.yaml b/secrets.yaml
index 8dfe4db..b8cc687 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -1,5 +1,5 @@
 otfenv: ENC[AES256_GCM,data:vHSZN364zAhuTBii4IGbQk3bPCu7GBR7K8Z8ce3U/uIOCXNvEi3micq+AEPEooPEQkWL/eslg92uREcgo/JEMYbSuWHWLFNNehhYTeBZ+YXLwuDgJLWzaJGouktF1aF7uQDMsydaX2UjUnLQjf/VdJm3YnoJAGE3QQtbp9ehK0YiHA1hS3XMlwvNuepZfX8Hx7qZTEs6zNa3R8tZvj24jryVsGFvTN+0R1pb7YvqXeLhR3tCkm53S2IJFFXebq2EdaHNbyEIGmfcK2uhdSvpXiGI,iv:lwADUz6mA//G0/jAdAp1eRkn9RvRXXzps5r5RIpWR5A=,tag:YlNtrT4t0R6SYxIR1tRe4g==,type:str]
-forgejo-runners-token: ENC[AES256_GCM,data:yPnNHv3Df88rtWNk3brIEfEGB7R0rjVFhUM3QCqe1Pjdc9NUQpEa+A==,iv:bDoxUZuL/I+tX01hq2XX1iUkR9C2jH9Pyi/zoUTHaDk=,tag:qnp9IuFD4MnIU38ZzYmBkQ==,type:str]
+forgejo-runners-token: ENC[AES256_GCM,data:y6m9JciySpqJ8QOtHGoUG5McPXyZSODqRHCLVY0m+O+vfys2tvmkK3fGKtOlNA==,iv:NYbjaOkRumwJbZBPZlltIeQkaNOrUKQLmVb0uFNXX+g=,tag:f+rH81mGvS0QKrfmLoXEHQ==,type:str]
 sops:
     age:
         - recipient: age1ja6zky2xlptgmu04ghp30z9gcyw240p4p8jpqeznt9msmmrwjdjshl6rx3
@@ -38,7 +38,7 @@ sops:
             aXdJMnFId3Nnc093cVpNOGUyKzFuYlEKaszE8RHwN9EQYKemh9fVq6O/YxmC5nMM
             hV6FMTuZC/pE75Zzmz8f2ZFHJrqwQB/2xgTpMiudvbQHrZRUEKMCEA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-19T22:14:53Z"
-    mac: ENC[AES256_GCM,data:+ZqfswH9QT2NKK+PB5WkUDT03zAISck2Qsedt7RMuIVNExpCBvxp81o9SLPZ+H4BHrkCGNeMlS6rCsXReVZZUf5ds8i6+Fx/DvYmtniH1ef7KMJMLEjVVcP0kMgHnFQ+ILW41zVB3q/84+Q04i9uSpsdD7N4oZfZE7Ho2FtmpEI=,iv:E4l247QlwoSYPi67urzXwi4cFz1e9+4wnPdI3uxpF+8=,tag:aZWlZTdp4wscMLDqQy7Vcw==,type:str]
+    lastmodified: "2025-06-19T23:51:21Z"
+    mac: ENC[AES256_GCM,data:gw9Z6NBqNqNRh+34pL9jis4x01AOx7+4dVQn69dciWcxSoWltfyUxj0LkthKYWSVezv4nruB3PAShNaTdn2xdmDhCoT/MuSeMa7VrnblyFzPs0yshdOoaqk8zit4pjegZCrpbUh4TYZs0Tfjhd58PoSGaCpqtESTSfR6wL76U/g=,iv:xfYQHTTSlmRavM/HR+cATIKuvEwzIoU8iHkUM0/XdDo=,tag:Ujk7J2qwd5vcxBz+Q3JDUw==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2