diff --git a/flake.nix b/flake.nix
index d7c7402..d30e4ec 100644
--- a/flake.nix
+++ b/flake.nix
@@ -77,6 +77,7 @@
 targetHost = "github-runner";
 targetUser = "srid";
 keys."github-runner-token.secret" = {
+ user = "github-runner";
 keyCommand = read1Password "github-runner-token";
 };
 };
diff --git a/systems/github-runner.nix b/systems/github-runner.nix
index 86a91a6..d044e96 100644
--- a/systems/github-runner.nix
+++ b/systems/github-runner.nix
@@ -3,7 +3,7 @@
 # - [ ] Colmena deploy, with keys from 1Password.
 # - [ ] Github Runners
 # - [ ] Distributed builder to host (macOS)
-{ flake, pkgs, lib, ... }:
+{ flake, pkgs, ... }:
 let
 inherit (flake) inputs;
@@ -14,6 +14,7 @@ in
 inputs.disko.nixosModules.disko
 "${self}/nixos/disko/trivial.nix"
 "${self}/nixos/parallels-vm.nix"
+ "${self}/nixos/nix.nix"
 "${self}/nixos/self/primary-as-admin.nix"
 "${self}/nixos/server/harden/basics.nix"
 ];
@@ -28,6 +29,28 @@ in
 efi.canTouchEfiVariables = true;
 };
 };
- nix.settings.trusted-users = [ "root" "@wheel" ];
 services.openssh.enable = true;
+
+ # Runners
+ users.users.github-runner = {
+ isSystemUser = true;
+ group = "github-runner";
+ };
+ users.groups.github-runner = { };
+ nix.settings.trusted-users = [ "github-runner" ];
+ services.github-runners = {
+ perpetuum = {
+ enable = true;
+ replace = true;
+ tokenFile = "/run/keys/github-runner-token.secret";
+ extraPackages = with pkgs; [
+ coreutils
+ nixci
+ ];
+ user = "github-runner";
+ group = "github-runner";
+ url = "https://github.com/srid/perpetuum";
+ name = "perpetuum-1";
+ };
+ };
 }
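Review bot: The new `user = "github-runner";` line sets the key's owner but leaves `permissions` and `group` at Colmena's defaults, so the effective mode of the deployed token file is implicit rather than stated; if I recall correctly the default is owner-only read/write with group root, which is what `tokenFile` needs, but pinning it makes the intent reviewable: `permissions = "0400";`. A one-line comment tying the two files together would also help the next reader, e.g. `# Owner must match services.github-runners.<name>.user in systems/github-runner.nix`. The enclosing `deployment` attribute set starts and ends outside this hunk.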
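Review bot: `nix.settings.trusted-users = [ "github-runner" ];` grants the CI runner account trusted-user status on the Nix daemon, which lets anything executing as that user override daemon settings (sandboxing, substituters and their trusted keys, among others) and is effectively a root-equivalent privilege on this host; since the same account runs whatever workflow the `perpetuum` repository checks in, that is the most consequential line in the hunk and deserves an explicit justification comment, e.g. `# NOTE: trusted-user is root-equivalent on the nix daemon; only run this runner for repos whose workflow authors are trusted (no fork PRs).` If the only need is flake `nixConfig` substituters, the narrower `nix.settings.extra-substituters`/`extra-trusted-public-keys` on the host would avoid trusting the runner user at all; worth checking before keeping this. The same hunk also drops `[ "root" "@wheel" ]` from this list without a replacement visible here; presumably `nixos/nix.nix` (added in the earlier hunk) carries it, but if not, wheel users silently lose trusted status, so confirm.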