diff --git a/hosts/nix-cache02/actions-runner.nix b/hosts/nix-cache02/actions-runner.nix
new file mode 100644
index 0000000..fcac442
--- /dev/null
+++ b/hosts/nix-cache02/actions-runner.nix
@@ -0,0 +1,16 @@
+{ ... }:
+{
+ # Fetch runner token from Vault
+ vault.secrets.forgejo-runner-token = {
+ secretPath = "hosts/nix-cache02/forgejo-runner-token";
+ extractKey = "token";
+ mode = "0444";
+ services = [ "gitea-runner-actions1" ];
+ };
+
+ # Override token source and runner capacity
+ services.gitea-actions-runner.instances.actions1 = {
+ tokenFile = "/run/secrets/forgejo-runner-token";
+ settings.runner.capacity = 4;
+ };
+}
diff --git a/hosts/nix-cache02/default.nix b/hosts/nix-cache02/default.nix
index 96e0439..9de4137 100644
--- a/hosts/nix-cache02/default.nix
+++ b/hosts/nix-cache02/default.nix
@@ -3,6 +3,8 @@
 ./configuration.nix
 ./builder.nix
 ./scheduler.nix
+ ./actions-runner.nix
 ../../services/nix-cache
+ ../../services/actions-runner
 ];
 }
\ No newline at end of file
diff --git a/services/actions-runner/default.nix b/services/actions-runner/default.nix
index af4da66..00af7c6 100644
--- a/services/actions-runner/default.nix
+++ b/services/actions-runner/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
 # Trust podman interfaces so containers can reach the runner's cache service.
 # "podman+" is a wildcard matching any interface starting with "podman".
@@ -17,7 +17,7 @@
 enable = true;
 name = config.networking.hostName;
 url = "https://code.t-juice.club";
- tokenFile = "/var/lib/forgejo-runner/token";
+ tokenFile = lib.mkDefault "/var/lib/forgejo-runner/token";
 labels = [
 "nix:docker://code.t-juice.club/torjus/runner-images/nix:latest"
 "node-bookworm:docker://node:lts-bookworm-slim"
@@ -25,7 +25,7 @@
 "golang:docker://code.t-juice.club/torjus/runner-images/golang:latest"
 ];
 settings = {
- runner.capacity = 2;
+ runner.capacity = lib.mkDefault 2;
 cache = {
 enabled = true;
 dir = "/var/lib/gitea-runner/actions1/cache";
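Review bot: `mode = "0444"` in the new vault.secrets.forgejo-runner-token block makes the runner registration token readable by every local account on nix-cache02, and whoever holds that token can enrol additional runners against code.t-juice.club. Tighten it to `mode = "0400";` and, if the Vault secrets module exposes an owner/group option (not visible in this hunk), assign the file to the account the gitea-runner-actions1 unit runs as rather than relying on world-readability. Separately, if I recall correctly the NixOS gitea-actions-runner module loads `tokenFile` as a systemd EnvironmentFile and reads a `TOKEN` variable from it, so if `extractKey = "token"` writes the bare token value the first registration would fail; worth confirming against the Vault module's output format. The path `/run/secrets/forgejo-runner-token` is likewise assumed to be where that module places the extracted key.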
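Review bot: The `lib.mkDefault` on `tokenFile` in the `@@ -17,7 +17,7 @@` hunk keeps `/var/lib/forgejo-runner/token` as the fallback for any host that imports this service without an override, and nothing in the hunk says how that file is provisioned or that it must contain the token. A one-line comment above it would save the next reader a search: `# Default token location for hosts without a Vault override; host modules may mkForce/override this.` The same applies to `runner.capacity = lib.mkDefault 2;` in the `@@ -25,7 +25,7 @@` hunk. The enclosing instance attribute set starts and ends outside both hunks.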
diff --git a/terraform/vault/secrets.tf b/terraform/vault/secrets.tf
index 83416a6..2ad5abf 100644
--- a/terraform/vault/secrets.tf
+++ b/terraform/vault/secrets.tf
@@ -145,6 +145,12 @@ locals {
 password_length = 64
 }
 
+ # Forgejo runner token for nix-cache02
+ "hosts/nix-cache02/forgejo-runner-token" = {
+ auto_generate = false
+ data = { token = var.forgejo_runner_token }
+ }
+
 # Loki push authentication (used by Promtail on all hosts)
 "shared/loki/push-auth" = {
 auto_generate = true
diff --git a/terraform/vault/variables.tf b/terraform/vault/variables.tf
index 7aae456..2c23774 100644
--- a/terraform/vault/variables.tf
+++ b/terraform/vault/variables.tf
@@ -109,3 +109,10 @@ variable "sonarr_api_key" {
 sensitive = true
 }
 
+variable "forgejo_runner_token" {
+ description = "Forgejo Actions runner token for nix-cache02"
+ type = string
+ default = "PLACEHOLDER"
+ sensitive = true
+}
+
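Review bot: `default = "PLACEHOLDER"` on the new `forgejo_runner_token` variable means an apply run without the variable set will silently write the literal string PLACEHOLDER to hosts/nix-cache02/forgejo-runner-token (the `auto_generate = false` entry in the secrets.tf hunk), overwriting any previously valid token and leaving the runner unable to register, with no error at plan time. Prefer dropping the `default` line so Terraform requires the value, or keep it and add a `validation` block with `condition = var.forgejo_runner_token != "PLACEHOLDER"` and an error_message naming the expected input. `sensitive = true` hides the value from plan output but it is still written in clear to the state file, so the state backend has to be treated as secret-bearing. This point covers both the secrets.tf and variables.tf hunks on this line.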