diff --git a/.yamllint b/.yamllint
index 16fb315..35cc284 100644
--- a/.yamllint
+++ b/.yamllint
@@ -10,6 +10,7 @@ ignore: |
 playbooks/roles/backups/snapshots/user/templates/volumes.yml
 playbooks/roles/backups/restic/user/templates/restic-aws-keys.yml
 playbooks/roles/backups/restic/user/templates/volumes.yml
+ playbooks/roles/services/deploy/git/templates/runner.yml
 playbooks/roles/services/deploy/metrics/templates/prometheus.yml
 playbooks/roles/music/org/templates/nextcloud-upload.yml
 playbooks/roles/music/org/templates/beets-archive.yml
diff --git a/inventory/group_vars/asgard/vars.yml b/inventory/group_vars/asgard/vars.yml
index 5d2e5a0..5642cbf 100644
--- a/inventory/group_vars/asgard/vars.yml
+++ b/inventory/group_vars/asgard/vars.yml
@@ -85,6 +85,7 @@ services:
 password: "{{ vault_services.cloud.smtp.password }}"
 git:
 domain: "{{ vault_services.git.domain }}"
+ ssh_port: 2770
 database:
 name: "{{ vault_services.git.database.name }}"
 user: "{{ vault_services.git.database.user }}"
@@ -93,7 +94,9 @@ services:
 host: "{{ vault_services.git.smtp.host }}"
 user: "{{ vault_services.git.smtp.user }}"
 password: "{{ vault_services.git.smtp.password }}"
- ssh_port: 2770
+ runner:
+ registration_token: "{{ vault_services.git.runner.registration_token }}"
+ cache_port: 8088
 notes:
 domain: "{{ vault_services.notes.domain }}"
 database:
diff --git a/inventory/host_vars/yggdrasil/vars.yml b/inventory/host_vars/yggdrasil/vars.yml
index f6a1e5a..91fd980 100644
--- a/inventory/host_vars/yggdrasil/vars.yml
+++ b/inventory/host_vars/yggdrasil/vars.yml
@@ -185,6 +185,9 @@ services_host_services:
 inet6_address: "{{ vpn_bridge_inet6_prefix }}::9"
 restic: true
+services_host_rproxy_inet_address: "{{ services_all_services.lrproxy.inet_address }}"
+services_host_rproxy_inet6_address: "{{ services_all_services.lrproxy.inet6_address }}"
+
 # --------------------------------------------------------------------------------------------------
 # services:backups
 # --------------------------------------------------------------------------------------------------
diff --git a/playbooks/roles/services/deploy/git/tasks/main.yml b/playbooks/roles/services/deploy/git/tasks/main.yml
index 610298e..46c6029 100644
--- a/playbooks/roles/services/deploy/git/tasks/main.yml
+++ b/playbooks/roles/services/deploy/git/tasks/main.yml
@@ -13,10 +13,29 @@
 mode: 0644
 register: services_deploy_git_hosts_file
+ - name: "{{ services_service_name }} : configure gitea runner"
+ ansible.builtin.template:
+ src: "./runner.yml"
+ dest: "{{ services_service_user_home }}/.config/service/runner.yml"
+ mode: 0644
+ register: services_deploy_git_runner_config
+
+ - name: "{{ services_service_name }} : enable and start podman.socket"
+ ansible.builtin.systemd:
+ name: "podman.socket"
+ enabled: true
+ state: "started"
+ scope: "user"
+ register: services_deploy_git_podman_socket
+ become_user: "{{ services_service_user_name }}"
 - name: "{{ services_service_name }} : configure systemd service"
 ansible.builtin.include_role:
 name: "services/deploy/pod"
 vars:
- services_deploy_pod_needs_restart: "{{ services_deploy_git_hosts_file.changed }}"
+ services_deploy_pod_needs_restart: "{{
+ services_deploy_git_hosts_file.changed or
+ services_deploy_git_runner_config.changed or
+ services_deploy_git_podman_socket.changed
+ }}"
diff --git a/playbooks/roles/services/deploy/git/templates/hosts b/playbooks/roles/services/deploy/git/templates/hosts
index 37dc691..6891964 100644
--- a/playbooks/roles/services/deploy/git/templates/hosts
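Review bot: The "enable and start podman.socket" task does not say why the service user needs its podman API socket running, and a later reader will want that before deciding whether it can stay enabled; it appears to be there because the runner container in vars/main.yml bind-mounts `%t/podman/podman.sock` and points `DOCKER_HOST` at it, so once the socket is up, anything running as that user can manage its containers through it. A one-line comment above the task, `# Required by the act_runner container, which drives job containers through this user's podman socket`, would record the dependency. The task list these tasks belong to starts before this hunk.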
+++ b/playbooks/roles/services/deploy/git/templates/hosts
@@ -5,5 +5,8 @@ ff02::2 ip6-allrouters
 127.0.1.1 pod-git
+{{ services_host_rproxy_inet6_address }} {{ services['git'].domain }}
+{{ services_host_rproxy_inet_address }} {{ services['git'].domain }}
+
 {{ services_all_services['database'].inet6_address }} pod-database
 {{ services_all_services['database'].inet_address }} pod-database
diff --git a/playbooks/roles/services/deploy/git/templates/runner.yml b/playbooks/roles/services/deploy/git/templates/runner.yml
new file mode 100644
index 0000000..f13506e
--- /dev/null
+++ b/playbooks/roles/services/deploy/git/templates/runner.yml
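Review bot: The two added entries look the service up as `services['git']` while the rest of the role touched by this commit (vars/main.yml and runner.yml) uses `services[services_service_name]`, so the template would keep resolving the git entry if the role were ever reused under another service name. Writing both lines as `{{ services_host_rproxy_inet6_address }} {{ services[services_service_name].domain }}` keeps the role self-consistent. Mapping the public domain to the reverse-proxy address from inside the pod is presumably what lets the runner reach its `GITEA_INSTANCE_URL` without leaving the host; a short comment in the template saying so would help, since the hosts file carries none.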
@@ -0,0 +1,90 @@
+# Example configuration file, it's safe to copy this as the default config file without any modification.
+
+# You don't have to copy this file to your instance,
+# just run `./act_runner generate-config > config.yaml` to generate a config file.
+
+log:
+ # The level of logging, can be trace, debug, info, warn, error, fatal
+ level: info
+
+runner:
+ # Where to store the registration result.
+ file: .runner
+ # Execute how many tasks concurrently at the same time.
+ capacity: 1
+ # Extra environment variables to run jobs.
+ envs:
+ A_TEST_ENV_NAME_1: a_test_env_value_1
+ A_TEST_ENV_NAME_2: a_test_env_value_2
+ # Extra environment variables to run jobs from a file.
+ # It will be ignored if it's empty or the file doesn't exist.
+ env_file: .env
+ # The timeout for a job to be finished.
+ # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+ # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+ timeout: 3h
+ # Whether skip verifying the TLS certificate of the Gitea instance.
+ insecure: false
+ # The timeout for fetching the job from the Gitea instance.
+ fetch_timeout: 5s
+ # The interval for fetching the job from the Gitea instance.
+ fetch_interval: 2s
+ # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+ # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
+ # If it's empty when registering, it will ask for inputting labels.
+ # If it's empty when execute `deamon`, will use labels in `.runner` file.
+ labels: ["debian-latest:docker://node:latest"]
+
+cache:
+ # Enable cache server to use actions/cache.
+ enabled: true
+ # The directory to store the cache data.
+ # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+ dir: ""
+ # The host of the cache server.
+ # It's not for the address to listen, but the address to connect from job containers.
+ # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+ host: "{{ services_all_services[services_service_name].inet_address }}"
+ # The port of the cache server.
+ # 0 means to use a random available port.
+ port: {{ services[services_service_name].runner.cache_port }}
+ # The external cache server URL. Valid only when enable is true.
+ # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+ # The URL should generally end with "/".
+ external_server: ""
+
+container:
+ # Specifies the network to which the container will connect.
+ # Could be host, bridge or the name of a custom network.
+ # If it's empty, act_runner will create a network automatically.
+ network: ""
+ # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+ privileged: false
+ # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+ # These options appear to be ignored, either by podman socket or the runner.
+ options: "--security-opt label=disable"
+ # The parent directory of a job's working directory.
+ # If it's empty, /workspace will be used.
+ workdir_parent:
+ # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+ # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+ # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+ # valid_volumes:
+ # - data
+ # - /src/*.json
+ # If you want to allow any volume, please use the following configuration:
+ # valid_volumes:
+ # - '**'
+ valid_volumes: []
+ # overrides the docker client host with the specified one.
+ # If it's empty, act_runner will find an available docker host automatically.
+ # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+ # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+ docker_host: ""
+ # Pull docker image(s) even if already present
+ force_pull: false
+
+host:
+ # The parent directory of a job's working directory.
+ # If it's empty, $HOME/.cache/act/ will be used.
+ workdir_parent:
diff --git a/playbooks/roles/services/deploy/git/vars/main.yml b/playbooks/roles/services/deploy/git/vars/main.yml
index 2fdd351..5e27c88 100644
--- a/playbooks/roles/services/deploy/git/vars/main.yml
+++ b/playbooks/roles/services/deploy/git/vars/main.yml
@@ -2,6 +2,7 @@ services_deploy_pod:
 wants:
 - "gitea"
+ - "runner"
 containers:
 gitea:
 image: "docker.io/gitea/gitea:{{ services_service_deploy_versions.gitea }}"
@@ -31,3 +32,19 @@ services_deploy_pod:
 - "-e GITEA__mailer__PASSWD=\"{{ services[services_service_name].smtp.password }}\""
 - "-e GITEA__service__DISABLE_REGISTRATION=\"true\""
 - "-e GITEA__service__ENABLE_NOTIFY_MAIL=\"true\""
+ runner:
+ image: "docker.io/gitea/act_runner:{{ services_service_deploy_versions.act_runner }}"
+ podman_run_args:
+ - "-v ./.config/service/hosts:/etc/hosts:ro"
+ - "-v ./.config/service/runner.yml:/config.yaml"
+ - "-v {{ services_data_directory }}/pod-git/runner/_data:/data"
+ - "-v /etc/timezone:/etc/timezone:ro"
+ - "-v /etc/localtime:/etc/localtime:ro"
+ - "-v %t/podman/podman.sock:%t/podman/podman.sock"
+ - "-e DOCKER_HOST=unix://%t/podman/podman.sock"
+ - "-e CONFIG_FILE=/config.yaml"
+ - "-e GITEA_INSTANCE_URL=https://{{ services[services_service_name].domain }}"
+ - "-e GITEA_RUNNER_REGISTRATION_TOKEN={{
+ services[services_service_name].runner.registration_token }}"
+ - "-e GITEA_RUNNER_NAME=main"
+ - "--security-opt label=disable"
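Review bot: `docker_host: ""` at the end of the container section leaves the docker host mounted into job and service containers, which according to the comment directly above it is only avoided with `"-"`; together with the podman socket the runner container receives in vars/main.yml, every workflow job would then hold the service user's podman API and could manage any of that user's containers. Unless a workflow genuinely needs Docker-in-Docker, `docker_host: "-"` keeps the socket inside the runner process. The `envs` block still carries the upstream example entries `A_TEST_ENV_NAME_1` and `A_TEST_ENV_NAME_2`, which would be injected into every job and should be removed, and the only label, `debian-latest:docker://node:latest`, floats on an unpinned image tag, so the job environment can change without any change to this repository. `options: "--security-opt label=disable"` is annotated as apparently ignored; if that holds it is dead configuration, and if it does not it disables SELinux labelling for every job container, so the comment should state which of the two was verified.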
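Review bot: The registration token is passed as `-e GITEA_RUNNER_REGISTRATION_TOKEN=...` inside `podman_run_args`, which places the vault value on the podman command line, visible in process listings and presumably in whatever unit file the `services/deploy/pod` role renders these arguments into; the token is only needed at registration, after which the runner keeps its result in the `file: .runner` configured in runner.yml. Passing it through a restricted-mode env file instead, `- "--env-file {{ services_service_user_home }}/.config/service/runner.env"` (constructed path, rendered with mode 0600), keeps it out of argv. The config mount should also be read-only like the hosts mount: `- "-v ./.config/service/runner.yml:/config.yaml:ro"`. The `services_deploy_pod` mapping these hunks belong to starts before the first of them.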
diff --git a/playbooks/vars/services/deploy/versions.yml b/playbooks/vars/services/deploy/versions.yml
index f42df2a..046a09e 100644
--- a/playbooks/vars/services/deploy/versions.yml
+++ b/playbooks/vars/services/deploy/versions.yml
@@ -17,6 +17,7 @@ services_deploy_versions:
 redis: "7"
 git:
 gitea: "1"
+ act_runner: "latest"
 notes:
 joplin: "2-beta"
 music:
diff --git a/playbooks/vars/services/volumes.yml b/playbooks/vars/services/volumes.yml
index 8499cf1..6cc2fe6 100644
--- a/playbooks/vars/services/volumes.yml
+++ b/playbooks/vars/services/volumes.yml
@@ -19,6 +19,7 @@ services_volumes:
 external:
 git:
 data:
+ runner:
 notes:
 data:
 music:
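Review bot: `act_runner: "latest"` is the only entry in this mapping that floats on a moving tag; its siblings pin at least a major (`"1"`, `"7"`, `"2-beta"`), so each image pull can silently replace the runner binary that receives the registration token and the podman socket. Pin a specific release, `act_runner: "<pinned act_runner version>"`, and bump it deliberately like the other entries.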