diff --git a/.gitea/workflows/flake.yaml b/.gitea/workflows/flake.yaml
index df2706f..96c39f8 100644
--- a/.gitea/workflows/flake.yaml
+++ b/.gitea/workflows/flake.yaml
@@ -12,11 +12,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Prepare for Nix installation
-        run: |
-          apt-get update
-          apt-get install -y sudo
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: DeterminateSystems/nix-installer-action@v13
+      - uses: DeterminateSystems/magic-nix-cache-action@v7
       - name: lint
         run: |
           nix fmt
diff --git a/modules/services/gitea/actions.nix b/modules/services/gitea/actions.nix
index 14dd8a9..8e0d7ea 100644
--- a/modules/services/gitea/actions.nix
+++ b/modules/services/gitea/actions.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, nixpkgs-unstable, ... }:
 
 let
   cfg = config.custom.services.gitea.actions;
@@ -53,6 +53,7 @@ in
 
           services.gitea-actions-runner.instances.container = {
             enable = true;
+            package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea-actions-runner;
             url = "https://gitea.hillion.co.uk";
             tokenFile = hostConfig.age.secrets."gitea/actions/token".path;
 
@@ -63,6 +64,11 @@ in
               runner = {
                 capacity = 3;
               };
+              cache = {
+                enabled = true;
+                host = "172.18.0.1";
+                port = 41919;
+              };
             };
           };
 
@@ -73,6 +79,9 @@ in
               enable = true;
               ruleset = ''
                 table inet filter {
+                  chain input {
+                    type filter hook input priority filter; policy accept;
+                  }
                   chain output {
                     type filter hook output priority 100; policy accept;