diff --git a/modules/nixos/caddy.nix b/modules/nixos/caddy.nix
index f915d04..5218b09 100644
--- a/modules/nixos/caddy.nix
+++ b/modules/nixos/caddy.nix
@@ -1,6 +1,6 @@
 {
   systemd.tmpfiles.rules = [
-    "d /var/www/jankremer.de 755 forgejo-runner users -"
+    "d /var/www/jankremer.de 755 gitea-runner users -"
   ];
 
   services.caddy = {
diff --git a/modules/nixos/forgejo.nix b/modules/nixos/forgejo.nix
index d414478..3abc895 100644
--- a/modules/nixos/forgejo.nix
+++ b/modules/nixos/forgejo.nix
@@ -14,9 +14,17 @@ in
   };
   age.secrets.forgejo-runner = {
     file = ../../modules/secrets/forgejo-runner.age;
-    owner = "forgejo";
+    owner = "gitea-runner";
   };
 
+  users.users.gitea-runner = {
+    isSystemUser = true;
+    group = "gitea-runner";
+  };
+  users.groups.gitea-runner = {};
+
+  systemd.services."gitea-runner-nimbus".serviceConfig.ReadWritePaths = [ "/var/www/jankremer.de" ];
+
   services = {
     forgejo = {
       enable = true;