diff --git a/services/actions-runner/default.nix b/services/actions-runner/default.nix
index 5730cb2..af4da66 100644
--- a/services/actions-runner/default.nix
+++ b/services/actions-runner/default.nix
@@ -1,5 +1,9 @@
 { config, pkgs, ... }:
 {
+  # Trust podman interfaces so containers can reach the runner's cache service.
+  # "podman+" is a wildcard matching any interface starting with "podman".
+  networking.firewall.trustedInterfaces = [ "podman+" ];
+
   virtualisation.podman = {
     enable = true;
     dockerCompat = true;