diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml index aae572c..6531f8e 100644 --- a/.forgejo/workflows/build.yaml +++ b/.forgejo/workflows/build.yaml @@ -15,6 +15,9 @@ jobs: echo "${{secrets.FORGEJO_SSH_KEY}}" > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 ssh-keyscan github.com >> ~/.ssh/known_hosts + ssh-keyscan sisko.wg.aciceri.dev >> ~/.ssh/known_hosts + ln -s ~/.ssh/id_ed25519 /home/ccr/.ssh/id_rsa + ls -l /home/ccr/.ssh -l - name: Build with nix run: nix-fast-build --no-nom --systems "x86_64-linux aarch64-linux" --attic-cache "nixfleet" --skip-cached --result-file result.json || true - name: Report checks diff --git a/.forgejo/workflows/update-flake-lock.yaml b/.forgejo/workflows/update-flake-lock.yaml index abe16bd..7a45fc4 100644 --- a/.forgejo/workflows/update-flake-lock.yaml +++ b/.forgejo/workflows/update-flake-lock.yaml @@ -1,7 +1,7 @@ name: update-flake-lock on: schedule: - - cron: "0 15 * * 1" # weekly on Monday at 15:00 + - cron: "0 15 * * *" # daily at 15:00 jobs: lockfile: diff --git a/lib/default.nix b/lib/default.nix index 3d15451..4330d49 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -4,7 +4,6 @@ ccr-ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIm9Sl/I+5G4g4f6iE4oCUJteP58v+wMIew9ZuLB+Gea"; oneplus8t = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8da1Mf11vXFF0kVDgxocVoGwpHHMEs9emS9T+v8hLb oneplus8t"; hercules-ci-agent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPupm00BiveTIYF6CNwuMijF5VvEaPDMjvt+vMlAy+N hercules-ci-agent"; - forgejo-ci = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5mbqLoZ/0J45J7J+17XMGv/dXs3DGABJsnvDv4rgC9 forgjeo-ci"; }; hosts = { kirk = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAH49KzayIro3L1bteR7nwupMM/vKlDh05t5/DFD9/uz"; diff --git a/modules/forgejo-runners/default.nix b/modules/forgejo-runners/default.nix index f6d7682..3234a46 100644 --- a/modules/forgejo-runners/default.nix +++ b/modules/forgejo-runners/default.nix @@ -17,7 +17,6 @@ let gnugrep gawk git - openssh nix bash jq 
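Review bot: The added `ssh-keyscan sisko.wg.aciceri.dev >> ~/.ssh/known_hosts` records whatever key answers at job time, so the later SSH connection does not authenticate the host; the existing github.com line has the same weakness. Prefer writing a pinned key kept in the repository or a secret, e.g. `echo "sisko.wg.aciceri.dev ssh-ed25519 <PINNED_HOST_KEY>" >> ~/.ssh/known_hosts` (placeholder, take the real value from the host itself). The `ln -s ~/.ssh/id_ed25519 /home/ccr/.ssh/id_rsa` line exposes the CI key under a fixed user's home with a misleading `id_rsa` name, and will fail on a later run if that home persists between jobs; an explicit `IdentityFile` entry in an ssh config, or at least `ln -sf`, would be clearer. `ls -l /home/ccr/.ssh -l` looks like leftover debugging that prints the directory listing into the job log and should be dropped before merge. The step's `run:` block starts outside the hunk.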
@@ -39,6 +38,15 @@ let cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt ''; numInstances = 1; + pushToCache = pkgs.writeScript "push-to-cache.sh" '' + #!/bin/sh + set -eu + set -f # disable globbing + export IFS=' ' + + echo "Uploading paths" $OUT_PATHS + exec nix copy --to "s3://cache?profile=default®ion=eu-south-1&scheme=https&endpoint=cache.aciceri.dev" $OUT_PATHS + ''; in lib.mkMerge [ { @@ -72,6 +80,7 @@ lib.mkMerge [ cat < etc/nix/nix.conf accept-flake-config = true experimental-features = nix-command flakes + post-build-hook = ${pushToCache} include access-tokens NIX_CONFIG @@ -112,9 +121,22 @@ lib.mkMerge [ nix.settings.trusted-users = [ "nixuser" ]; } { + # Format of the token file: virtualisation = { podman.enable = true; }; + + # virtualisation.containers.storage.settings = { + # storage.driver = "zfs"; + # storage.graphroot = "/var/lib/containers/storage"; + # storage.runroot = "/run/containers/storage"; + # storage.options.zfs.fsname = "zroot/root/podman"; + # }; + + # virtualisation.containers.containersConf.settings = { + # # podman seems to not work with systemd-resolved + # containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ]; + # }; } { systemd.services =
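Review bot: `pushToCache` uploads every path in `$OUT_PATHS` to the shared S3 cache, and nothing visible in this hunk, or in the `nix.conf` hunk that enables it with `post-build-hook = ${pushToCache}`, signs those paths or limits which jobs may populate the cache. Because the same `nix.conf` sets `accept-flake-config = true`, it is worth stating whether untrusted branches can run on this runner; if they can, their outputs land in a cache that other machines presumably substitute from. Consider adding `secret-key-files = <PATH_TO_SIGNING_KEY>` (placeholder) to the generated `nix.conf`, and a comment above the script such as `# Runs synchronously after every build; a failed or slow upload fails or stalls the build.` As rendered here the store URL reads `®ion=eu-south-1`, which looks like a mangled `&region=`; confirm the committed file has the ampersand form. The `let` block starts outside the hunk.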
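Review bot: The added `# Format of the token file:` comment ends without describing any format and sits directly above `virtualisation`, which does not appear to relate to a token file; either complete it next to the setting that reads the token or drop it. The two commented-out `virtualisation.containers.*` blocks are dead configuration, and the second would hard-code public resolvers (`8.8.8.8`, `8.4.4`-style Google DNS) for every container if re-enabled. If they are kept as a reminder, a one-line reason would help, e.g. `# TODO: re-enable once <REASON>` with the reason filled in by the author. The attribute set continues outside the hunk.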