diff --git a/.gitea/workflows/flake.yaml b/.gitea/workflows/flake.yaml
index df2706f..96c39f8 100644
--- a/.gitea/workflows/flake.yaml
+++ b/.gitea/workflows/flake.yaml
@@ -12,11 +12,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - name: Prepare for Nix installation
- run: |
- apt-get update
- apt-get install -y sudo
- - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+ - uses: DeterminateSystems/nix-installer-action@v13
+ - uses: DeterminateSystems/magic-nix-cache-action@v7
 - name: lint
 run: |
 nix fmt
diff --git a/modules/services/gitea/actions.nix b/modules/services/gitea/actions.nix
index 14dd8a9..ebefb25 100644
--- a/modules/services/gitea/actions.nix
+++ b/modules/services/gitea/actions.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, nixpkgs-unstable, ... }:
 let cfg = config.custom.services.gitea.actions;
@@ -63,6 +63,11 @@ in
 runner = {
 capacity = 3;
 };
+ cache = {
+ enabled = true;
+ host = "10.108.27.2";
+ port = 41919;
+ };
 };
 };
@@ -73,9 +78,14 @@ in
 enable = true;
 ruleset = ''
 table inet filter {
+ chain input {
+ type filter hook input priority filter; policy accept;
+ }
 chain output {
 type filter hook output priority 100; policy accept;
+ ct state { established, related } counter accept
+ ip daddr 10.0.0.0/8 drop ip daddr 100.64.0.0/10 drop ip daddr 172.16.0.0/12 drop
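Review bot: The two added `uses:` lines reference the DeterminateSystems actions by mutable tag (`@v13`, `@v7`), while the checkout step above them and the removed cachix line are pinned to a full commit SHA with the version in a trailing comment. A tag can be repointed to different code after this review, and the installer step runs with whatever privileges the runner grants the job. I would keep the file's existing convention, `- uses: DeterminateSystems/nix-installer-action@<full-commit-sha> # v13`, and the same for magic-nix-cache-action.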
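Review bot: The new `cache` block hard-codes `host = "10.108.27.2"` and `port = 41919` inside a shared module, so every host that enables it advertises the same address to jobs. Exposing both as options under `custom.services.gitea.actions` (read through the existing `cfg`) would keep host-specific addressing out of the module and let the firewall rules reference the same values. As far as I know the runner's cache server does not authenticate clients, so anything that can reach this port may be able to read or overwrite cache entries used by other jobs; please confirm that is acceptable for the repositories sharing this runner. The enclosing attribute set starts and ends outside the hunk.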
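Review bot: The added `chain input` has `policy accept` and no rules, so it filters nothing, and the cache listener on port 41919 stays reachable from anything that can route to the host unless another firewall layer, not visible here, restricts it. If only job containers should reach it, state that in the chain, for example `tcp dport 41919 ip saddr != <container-subnet> drop`, with the subnet taken from the runner's container network. The `ct state { established, related } counter accept` line sits ahead of the private-range drops and deserves a comment such as `# let replies to cache clients on private addresses pass before the drops below`. The ruleset string continues past the end of this hunk, so rules outside it may change this picture.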