diff --git a/bootstrap/gitea-actions/act-runner.yaml b/bootstrap/gitea-actions/act-runner.yaml
new file mode 100644
index 0000000..c0891e8
--- /dev/null
+++ b/bootstrap/gitea-actions/act-runner.yaml
@@ -0,0 +1,122 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea-actions
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-act-runner-data
+  namespace: gitea-actions
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: local-path
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: act-runner-config
+  namespace: gitea-actions
+data:
+  config.yaml: |
+    log:
+      level: info
+    runner:
+      file: /data/.runner
+      capacity: 1
+      timeout: 3h
+      labels:
+        - "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
+    cache:
+      enabled: false
+    container:
+      docker_host: "unix:///var/run/docker.sock"
+      force_pull: true
+      require_docker: true
+      docker_timeout: 60s
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea-act-runner
+  namespace: gitea-actions
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea-act-runner
+  template:
+    metadata:
+      labels:
+        app: gitea-act-runner
+    spec:
+      volumes:
+        - name: runner-data
+          persistentVolumeClaim:
+            claimName: gitea-act-runner-data
+        - name: runner-config
+          configMap:
+            name: act-runner-config
+        - name: dind-socket
+          emptyDir: {}
+        - name: dind-data
+          emptyDir: {}
+      initContainers:
+        - name: register
+          image: gitea/act_runner:0.2.13
+          env:
+            - name: GITEA_INSTANCE
+              value: https://rv32i.pl
+            - name: REG_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: act-runner-registration-token
+                  key: token
+          volumeMounts:
+            - name: runner-data
+              mountPath: /data
+            - name: runner-config
+              mountPath: /etc/act_runner
+          command: ["/bin/sh", "-ec"]
+          args:
+            - |
+              if [ -f /data/.runner ]; then
+                echo "runner already registered";
+                exit 0;
+              fi
+              act_runner --config /etc/act_runner/config.yaml register \
+                --no-interactive \
+                --instance "${GITEA_INSTANCE}" \
+                --token "${REG_TOKEN}" \
+                --name "k3s-qstack" \
+                --labels "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
+      containers:
+        - name: dind
+          image: docker:27-dind
+          securityContext:
+            privileged: true
+          env:
+            - name: DOCKER_TLS_CERTDIR
+              value: ""
+          volumeMounts:
+            - name: dind-socket
+              mountPath: /var/run
+            - name: dind-data
+              mountPath: /var/lib/docker
+        - name: runner
+          image: gitea/act_runner:0.2.13
+          env:
+            - name: DOCKER_HOST
+              value: unix:///var/run/docker.sock
+          volumeMounts:
+            - name: runner-data
+              mountPath: /data
+            - name: runner-config
+              mountPath: /etc/act_runner
+            - name: dind-socket
+              mountPath: /var/run
+          command: ["act_runner", "--config", "/etc/act_runner/config.yaml", "daemon"]