diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1653c98..6efa7e1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,8 +8,7 @@ env:
 jobs:
 build:
- runs-on: docker
- container: nixpkgs/nix-flakes:nixos-24.05
+ runs-on: nix
 steps:
 - name: Initialize CI
 uses: https://git.qo.is/qo.is/actions-nix-init@main
diff --git a/defaults/base-minimal/default.nix b/defaults/base-minimal/default.nix
index 4d530f9..bd2948f 100644
--- a/defaults/base-minimal/default.nix
+++ b/defaults/base-minimal/default.nix
@@ -78,16 +78,6 @@
 '';
 };
- system.autoUpgrade = {
- enable = true;
- randomizedDelaySec = "30m";
- flags = [
- "--update-input"
- "nixpkgs-nixos-2211"
- "--commit-lock-file"
- ];
- };
-
 # Network services
 networking.firewall = {
 allowPing = true;
diff --git a/nixos-modules/qois/git-ci-runner/default.nix b/nixos-modules/qois/git-ci-runner/default.nix
index fbdcd15..b074f74 100644
--- a/nixos-modules/qois/git-ci-runner/default.nix
+++ b/nixos-modules/qois/git-ci-runner/default.nix
@@ -32,7 +32,8 @@ with lib;
 sops.secrets."forgejo/runner-registration-token".restartUnits = [
 "gitea-runner-${defaultInstanceName}.service"
- ];
+ ] ++genAttrs (genList (n: "gitea-runner-nix${builtins.toString n}.service") cfg.nixInstances)
+ ;
 virtualisation.podman = {
 enable = true;
@@ -60,7 +61,6 @@ with lib;
 capacity = 30;
 };
 cache.enable = true; # TODO: This should probably be a central cache server?
- # the default network that also respects our dns server settings
 container.network = "host";
 };
 };
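Review bot: `runs-on: nix` ties this workflow to a label that only the self-hosted runners from nixos-modules/qois/git-ci-runner/default.nix advertise (`labels = [ "nix:docker://gitea-runner-nix" ]` later in this commit), and the pinned `nixpkgs/nix-flakes:nixos-24.05` image is no longer referenced, so the job's toolchain is now whatever that runner host builds rather than a version pinned in the workflow. A comment next to the line, `# label served by the gitea-runner-nix instances (see nixos-modules/qois/git-ci-runner)`, would save the next reader the lookup. Whether dropping the `container:` pin in favour of the runner-built image was intended is not visible from this hunk.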
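Review bot: Removing `system.autoUpgrade` leaves no automatic update path in base-minimal as far as this diff shows, so hosts that only inherit this profile stop receiving nixpkgs fixes unless something else now drives deployments. If upgrades have moved to a CI-driven or manual flow, a one-line comment where the block used to be, `# Upgrades are applied by <deploy mechanism>, not by system.autoUpgrade` (placeholder to be filled in), would record that decision; if they have not, keeping the block with an updated `--update-input` target would be the safer change. The removed flags pointed at the input `nixpkgs-nixos-2211`, so the old block may simply have stopped matching the current flake inputs, which is worth stating in the commit rather than leaving implicit.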
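Review bot: The new `restartUnits` expression in the `@@ -32,7 +32,8 @@` hunk does not evaluate: `++` requires a list on both sides, but `genAttrs (genList ...)` is genAttrs applied to only its first argument, i.e. a function, and even fully applied it would yield an attribute set rather than a list. The unit names are already produced by genList, so the line should read `] ++ genList (n: "gitea-runner-nix${builtins.toString n}.service") cfg.nixInstances;` and the dangling `;` line after it goes away. The genAttrs-over-genList shape is used correctly, with its `(name: { ... })` second argument, in the later hunks of this file, which is probably where the mix-up came from.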
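Review bot: Dropping the `# the default network that also respects our dns server settings` comment in the `@@ -60,7 +61,6 @@` hunk, and again in `@@ -268,7 +262,6 @@`, leaves `container.network = "host"` without its rationale; host networking is the setting that places job containers in the host's network namespace, so the reason for choosing it should stay next to it. If the old wording was the problem (it speaks of a default while the line sets host mode explicitly), replace it rather than remove it, e.g. `# host networking so job containers use the host's resolver setup`; the DNS motivation is only implied by the commented-out `containers.dns_servers` block that the `@@ -142,17 +142,10 @@` hunk deletes, so confirm it before rewording.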
@@ -142,17 +142,10 @@ with lib;
 storage.runroot = "/run/containers/storage";
 };
- #virtualisation.containers.containersConf.settings = {
- # # podman seems to not work with systemd-resolved
- # containers.dns_servers = [
- # "8.8.8.8"
- # "8.8.4.4"
- # ];
- #};
 }
 {
 systemd.services =
- genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") cfg.nixInstances)
+ genAttrs (genList (n: "gitea-runner-nix${builtins.toString n}") cfg.nixInstances)
 (name: {
 after = [
 "gitea-runner-nix-image.service"
@@ -239,15 +232,16 @@ with lib;
 mkdir -p $out/bin
 for dir in ${
 toString [
+ pkgs.bash
 pkgs.coreutils
 pkgs.findutils
- pkgs.gnugrep
 pkgs.gawk
 pkgs.git
- pkgs.nix
- pkgs.bash
+ pkgs.gnugrep
 pkgs.jq
+ pkgs.nix
 pkgs.nodejs
+ pkgs.openssh
 ]
 }; do
 for bin in "$dir"/bin/*; do
@@ -260,7 +254,7 @@ with lib;
 cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
 '';
 in
- genAttrs (builtins.genList (n: "nix${builtins.toString n}") cfg.nixInstances) (name: {
+ genAttrs (genList (n: "nix${builtins.toString n}") cfg.nixInstances) (name: {
 enable = true;
 name = "${config.networking.hostName}-${name}";
 url = "https://${cfg.domain}";
@@ -268,7 +262,6 @@ with lib;
 labels = [ "nix:docker://gitea-runner-nix" ];
 settings = {
 container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
- # the default network that also respects our dns server settings
 container.network = "host";
 container.valid_volumes = [
 "/nix"
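Review bot: Adding `pkgs.openssh` to storeDeps in the `@@ -239,15 +232,16 @@` hunk exposes every binary under its bin/ to the job container, because the loop below copies `"$dir"/bin/*` and the result is bind-mounted as `/bin` through `-v ${storeDeps}/bin:/bin` in the runner options; that is the whole openssh tool set (daemon and key tools included), not just the `ssh` client a git checkout over ssh would need. A comment on the entry stating the intended use, `pkgs.openssh # ssh client for git-over-ssh in jobs`, would document why it is there. Nothing in this commit mounts an ssh config or known_hosts into the container, so host-key verification is left to each workflow, which is worth noting in the same comment.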