diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 1a244c84f..cb7f3d830 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -10,12 +10,13 @@ on:
 permissions: {}
 env:
- flake: "github:${{ github.repository }}/${{ github.sha }}"
+ flake: github:${{ github.repository }}/${{ github.sha }}
 nix-conf: |-
 accept-flake-config = true
 builders-use-substitutes = true
 max-jobs = auto
- aarch64-host: "aarch64.nixos.community"
+ cachix-install: nix profile install 'github:${{ github.repository }}/${{ github.sha }}#cachix'
+ aarch64-host: aarch64.nixos.community
 aarch64-ssh-config: |-
 Host aarch64.nixos.community 147.28.143.250
 User lovesegfault
@@ -36,6 +37,7 @@ jobs:
 name: nix-config
 authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 extraPullNames: nix-community
+ installCommand: ${{ env.cachix-install }}
 - name: nix-flake-check
 run: nix flake check '${{ env.flake }}'
 flake-show:
@@ -49,6 +51,7 @@ jobs:
 name: nix-config
 authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 extraPullNames: nix-community
+ installCommand: ${{ env.cachix-install }}
 - name: nix-flake-show
 run: nix flake show '${{ env.flake }}'
 get-attrs:
@@ -62,6 +65,8 @@ jobs:
 - uses: DeterminateSystems/nix-installer-action@v5
 with:
 extra-conf: ${{ env.nix-conf }}
+ - id: install-jq
+ run: nix profile install '${{ env.flake }}#pkgs.x86_64-linux.jq'
 - id: get-attrs
 run: |
 function summary() {
@@ -69,7 +74,6 @@ jobs:
 }
 summary "# CI"
- nix profile install '${{ env.flake }}#pkgs.x86_64-linux.jq'
 TMP="$(mktemp -d)"
 # host packages
 nix eval --json '${{ env.flake }}#hosts' | jq -c '
@@ -78,6 +82,7 @@ jobs:
 name: .key,
 evalOnly: false,
 hostPlatform: .value.hostPlatform,
+ large: .value.large,
 attr: "packages.\(.value.hostPlatform).\(.key)"
 })
 | map(
@@ -167,6 +172,7 @@ jobs:
 name: nix-config
 authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 extraPullNames: nix-community
+ installCommand: ${{ env.cachix-install }}
 - name: eval
 if: ${{ matrix.attrs.evalOnly }}
 run: |
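Review bot: `installCommand: ${{ env.cachix-install }}` (here and again in the @@ -49, @@ -167 and @@ -192 hunks) makes cachix-action run a `cachix` binary produced by `nix profile install 'github:…/${{ github.sha }}#cachix'`, i.e. built from the very commit under test, inside the same step that is handed `authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}`. Whoever can change the flake's overlay or packages output therefore also controls the process that holds the push token; the `on:` triggers are outside the hunk, so I cannot confirm that the workflow never runs with secrets on refs the maintainer did not author, and `nix-conf` already sets `accept-flake-config = true`, which widens the same trust boundary. Either install cachix from a locked input rather than the repository's own `#cachix` output, or record the assumption next to the env entry, e.g. `# builds cachix from the commit under test: keep this workflow on trusted-ref triggers only`.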
@@ -192,6 +198,7 @@ jobs:
 name: nix-config
 authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 extraPullNames: nix-community
+ installCommand: ${{ env.cachix-install }}
 - name: setup-aarch64-ssh
 if: ${{ env.system == 'aarch64-linux' }}
 run: |
diff --git a/flake.nix b/flake.nix
index c613b67cf..fce29bd2d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -119,8 +119,11 @@
 pkgs = forAllSystems (localSystem: import nixpkgs {
 inherit localSystem;
 overlays = [ self.overlays.default ];
- config.allowUnfree = true;
- config.allowAliases = true;
+ config = {
+ permittedInsecurePackages = [ "nodejs-16.20.2" ];
+ allowUnfree = true;
+ allowAliases = true;
+ };
 });
 checks = forAllSystems (import ./nix/checks.nix inputs);
diff --git a/hosts/jung/default.nix b/hosts/jung/default.nix
index a41d4f57a..4c6d94195 100644
--- a/hosts/jung/default.nix
+++ b/hosts/jung/default.nix
@@ -12,6 +12,7 @@
 ../../hardware/nixos-aarch64-builder
 ../../services/blocky.nix
+ ../../services/github-runner.nix
 ../../services/grafana.nix
 ../../services/nginx.nix
 ../../services/oauth2.nix
diff --git a/nix/dev-shell.nix b/nix/dev-shell.nix
index 28c579bcc..b6ab7ec68 100644
--- a/nix/dev-shell.nix
+++ b/nix/dev-shell.nix
@@ -10,13 +10,13 @@ with self.pkgs.${hostPlatform};
 nativeBuildInputs = [
 # Nix
 agenix
- cachix
 deploy-rs.deploy-rs
 nil
 nix-melt
 nix-output-monitor
 nix-tree
 nixpkgs-fmt
+ self.packages.${hostPlatform}.cachix
 self.packages.${hostPlatform}.nix-eval-jobs
 self.packages.${hostPlatform}.nix-fast-build
 statix
diff --git a/nix/hosts.nix b/nix/hosts.nix
index 6a8b0743b..8de1a02a6 100644
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
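Review bot: `permittedInsecurePackages = [ "nodejs-16.20.2" ]` in the flake.nix hunk exempts an end-of-life Node.js for every evaluation of `self.pkgs`, not just for the one consumer that needs it, and nothing in the hunk says why. The likely consumer is `nodeRuntimes = [ "node16" "node20" ]` in the new services/github-runner.nix, but that is inferred, not stated anywhere in the commit. Add a comment tying the exemption to its consumer and to a removal condition, e.g. `# nodejs-16 is EOL; only needed while services.github-runner lists "node16" in nodeRuntimes — drop both together`, and check whether node20 alone is enough so the exemption can go entirely.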
@@ -1,71 +1,105 @@
+let
+ hasSuffix = suffix: content:
+ let
+ inherit (builtins) stringLength substring;
+ lenContent = stringLength content;
+ lenSuffix = stringLength suffix;
+ in
+ lenContent >= lenSuffix
+ && substring (lenContent - lenSuffix) lenContent content == suffix
+ ;
+
+ mkHost =
+ { type
+ , hostPlatform
+ , address ? null
+ , pubkey ? null
+ , homeDirectory ? null
+ , remoteBuild ? true
+ , large ? false
+ }:
+ if type == "nixos" then
+ assert address != null && pubkey != null;
+ assert (hasSuffix "linux" hostPlatform);
+ {
+ inherit type hostPlatform address pubkey remoteBuild large;
+ }
+ else if type == "darwin" then
+ assert pubkey != null;
+ assert (hasSuffix "darwin" hostPlatform);
+ {
+ inherit type hostPlatform pubkey large;
+ }
+ else if type == "home-manager" then
+ assert homeDirectory != null;
+ {
+ inherit type hostPlatform homeDirectory large;
+ }
+ else throw "unknown host type '${type}'";
+in
 {
- aurelius = {
+ aurelius = mkHost {
 type = "nixos";
 address = "100.69.178.40";
 hostPlatform = "aarch64-linux";
 pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRlfGCSK2w34ckIGoRHaZ01CbF/7Zk4VNmyokkvg7cF";
 remoteBuild = false;
 };
- bohr = {
+ bohr = mkHost {
 type = "nixos";
 address = "100.123.20.11";
 hostPlatform = "x86_64-linux";
 pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTh+kYOeeYoBuxvA00nGojfBHUQlXW3iF7aRIw9VbY1";
- remoteBuild = true;
 };
- derrida = {
+ derrida = mkHost {
 type = "home-manager";
 hostPlatform = "x86_64-linux";
 homeDirectory = "/home/bemeurer";
 };
- fourier = {
+ fourier = mkHost {
 type = "nixos";
 address = "100.77.107.1";
 hostPlatform = "x86_64-linux";
 pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMJEc036Z0umFUeSgksRgBWhcEeqiVhuXNQZTipZVRMn";
- remoteBuild = true;
 };
- goethe = {
+ goethe = mkHost {
 type = "home-manager";
 hostPlatform = "x86_64-linux";
 homeDirectory = "/home/bemeurer";
 };
- jung = {
+ jung = mkHost {
 type = "nixos";
 address = "100.80.1.112";
 hostPlatform = "x86_64-linux";
 pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHws1wwXYHDmU+Bjcbw8IZv2V+fbxaTDQc44XoUQ604t";
- remoteBuild = true;
 };
- luther = {
+ luther = mkHost {
 type = "home-manager";
 hostPlatform = "aarch64-linux";
 homeDirectory = "/home/bemeurer";
 };
- nozick = {
+ nozick = mkHost {
 type = "nixos";
 address = "100.124.29.84";
 hostPlatform = "x86_64-linux";
 pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEzb5JCgcXJZHDkY09vBAvIF34JabI+ZBpGqJDy6KbI";
- remoteBuild = true;
 };
- poincare = {
+ poincare = mkHost {
 type = "darwin";
 hostPlatform = "aarch64-darwin";
 pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMYvFEyV+nebaTfrwAULWDmCk0L6O+1OyZc43JnizcIB";
 };
- riemann = {
+ riemann = mkHost {
 type = "nixos";
 address = "100.67.173.60";
 hostPlatform = "aarch64-linux";
 pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOof4536ylMfznpkKbH/kqiuCOs2hCLXMBnF9md462sW";
- remoteBuild = true;
 };
- spinoza = {
+ spinoza = mkHost {
 type = "nixos";
 address = "100.68.240.30";
 hostPlatform = "x86_64-linux";
 pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUZPmPTATZ4nBWstPqlUiguvxr26XWAE9BGPVNNRBR5";
- remoteBuild = true;
+ large = true;
 };
 }
diff --git a/nix/packages.nix b/nix/packages.nix
index e1556e8ec..a891bbd26 100644
--- a/nix/packages.nix
+++ b/nix/packages.nix
@@ -22,5 +22,5 @@ compatHostDrvs
 default = compatHostsFarm;
 }) // {
 inherit (nix-fast-build.packages.${hostPlatform}) nix-fast-build;
- inherit (self.pkgs.${hostPlatform}) nix-eval-jobs;
+ inherit (self.pkgs.${hostPlatform}) cachix nix-eval-jobs;
 }
diff --git a/secrets.nix b/secrets.nix
index 7e3228814..92da732b2 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -3,7 +3,7 @@ let
 bemeurer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQgTWfmR/Z4Szahx/uahdPqvEP/e/KQ1dKUYLenLuY2";
- hosts = mapAttrs (_: v: v.pubkey) (import ./nix/hosts.nix).nixos;
+ hosts = mapAttrs (_: v: v.pubkey) (import ./nix/hosts.nix);
 secrets = with hosts; {
 "hardware/nixos-aarch64-builder/key.age" = [ aurelius jung riemann spinoza ];
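Review bot: `mkHost` introduces `large ? false` and a `remoteBuild ? true` default without a comment on either, and `large` is only seen again as the `large: .value.large` pass-through in ci.yaml's get-attrs filter, so a reader of this file cannot tell what marking a host `large` does. Add a short header above `mkHost` documenting each field, e.g. `# large: exported to the CI matrix via get-attrs (ci.yaml); what CI does with it is not visible from this file — confirm` plus one line stating what `remoteBuild` gates. The hand-rolled `hasSuffix` also deserves a one-liner explaining why `lib.hasSuffix` is not used — this file is imported with no arguments (see secrets.nix), so `lib` is not in scope: `# local copy of lib.hasSuffix: this file is imported without arguments, so lib is unavailable`.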
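Review bot: `hosts = mapAttrs (_: v: v.pubkey) (import ./nix/hosts.nix)` in the secrets.nix hunk now maps over every host, but `mkHost` in this commit's nix/hosts.nix only carries `pubkey` for the `nixos` and `darwin` branches, so `hosts.derrida`, `hosts.goethe` and `hosts.luther` throw an "attribute 'pubkey' missing" error as soon as they are forced — and `"users/bemeurer/password.age" = attrValues hosts` forces all of them when agenix resolves that rule. Filter before mapping, e.g. `hosts = mapAttrs (_: v: v.pubkey) (filterAttrs (_: v: v ? pubkey) (import ./nix/hosts.nix));` (assuming `filterAttrs` is in scope from lib alongside `mapAttrs`; the `let` header is outside the hunk). This also adds poincare's key to every rule built from `attrValues hosts`, which the old `.nixos` selection presumably did not include — confirm that widening is intended.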
@@ -12,6 +12,7 @@ let
 "services/acme.age" = [ bohr fourier jung nozick riemann ];
 "services/oauth2.age" = [ bohr fourier jung nozick riemann ];
 "services/pihole.age" = [ ];
+ "services/github-runner.age" = [ jung ];
 "users/bemeurer/password.age" = attrValues hosts;
 };
diff --git a/services/github-runner.age b/services/github-runner.age
new file mode 100644
index 000000000..21e375655
Binary files /dev/null and b/services/github-runner.age differ
diff --git a/services/github-runner.nix b/services/github-runner.nix
new file mode 100644
index 000000000..54350fc73
--- /dev/null
+++ b/services/github-runner.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, ... }: {
+ age.secrets.github-runner-token.file = ./github-runner.age;
+ services.github-runner = {
+ enable = true;
+ ephemeral = true;
+ replace = true;
+ tokenFile = config.age.secrets.github-runner-token.path;
+ url = "https://github.com/lovesegfault/nix-config";
+ nodeRuntimes = [ "node16" "node20" ];
+ extraLabels = [ pkgs.stdenv.hostPlatform.system ];
+ extraPackages = with pkgs; [ cachix ];
+ };
+}
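Review bot: `url = "https://github.com/lovesegfault/nix-config"` registers a repository-level self-hosted runner on jung, which per hosts/jung/default.nix in this commit also carries nginx, grafana and oauth2; `ephemeral = true` and `replace = true` limit what persists between jobs, but not what a job can reach from that host while it runs. Confirm in the repository's Actions settings that workflows from fork pull requests cannot be scheduled onto this runner (or that it sits in a runner group restricted to trusted workflows), and record that assumption next to `url`, e.g. `# registered to a public repo: fork PR workflows must not be allowed onto this runner (Actions settings)`. Separately, `nodeRuntimes = [ "node16" "node20" ]` is what appears to require the `nodejs-16.20.2` entry in flake.nix's `permittedInsecurePackages`; if no action still needs node16, dropping it here lets that exemption go too.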