diff --git a/roles/forgejo-runner/handlers/main.yml b/roles/forgejo-runner/handlers/main.yml
new file mode 100644
index 0000000..0f36fcb
--- /dev/null
+++ b/roles/forgejo-runner/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart forgejo-runner
+ service:
+ name: forgejo-runner
+ state: restarted
+ when: '"handler" not in ansible_skip_tags'
diff --git a/roles/forgejo-runner/tasks/main.yml b/roles/forgejo-runner/tasks/main.yml
new file mode 100644
index 0000000..6d228e6
--- /dev/null
+++ b/roles/forgejo-runner/tasks/main.yml
@@ -0,0 +1,81 @@
+- name: Install forgejo-runner
+ package:
+ name:
+ - forgejo-runner
+ - podman
+
+- name: Get forgejo-runner user
+ user:
+ name: forgejo-runner
+ register: user_info
+
+- name: Secure forgejo-runner homedir
+ file:
+ path: '{{ user_info.home }}'
+ mode: '0700'
+
+- name: Configure subuid
+ lineinfile:
+ path: /etc/subuid
+ line: '{{ user_info.name }}:{{ user_info.uid }}00000:65536'
+ regexp: '^{{ user_info.name }}:'
+
+- name: Configure subgid
+ lineinfile:
+ path: /etc/subgid
+ line: '{{ user_info.name }}:{{ user_info.group }}00000:65536'
+ regexp: '^{{ user_info.name }}:'
+
+- name: Create podman service for forgejo-runner
+ file:
+ path: /etc/init.d/podman.forgejo-runner
+ src: podman
+ state: link
+
+- name: Configure podman service for forgejo-runner
+ template:
+ dest: "/etc/conf.d/podman.{{ user_info.name }}"
+ src: podman.j2
+
+- name: Configure forgejo-runner
+ template:
+ dest: /etc/forgejo-runner/config.yaml
+ src: config.yaml.j2
+ owner: forgejo-runner
+ group: forgejo-runner
+ mode: 0600
+ notify: restart forgejo-runner
+
+- name: Check runner registration
+ stat:
+ path: /var/lib/forgejo-runner/.runner
+ register: runner_config
+
+- name: Register runner
+ when: not runner_config.stat.exists
+ notify: restart forgejo-runner
+ block:
+ - name: Get runner token
+ delegate_to: "{{ git_host }}"
+ become: yes
+ become_user: forgejo
+ command: forgejo actions generate-runner-token
+ register: token
+
+ - name: Register runner
+ become: yes
+ become_user: forgejo-runner
+ command: |
+ forgejo-runner register --no-interactive --name runner
+ --instance 'https://{{ hostvars[git_host].dns_name }}'
+ --token '{{ token.stdout }}'
+ notify: restart forgejo-runner
+
+- name: Enable forgejo-runner services
+ service:
+ name: '{{ item }}'
+ state: started
+ enabled: yes
+ loop:
+ - podman.forgejo-runner
+ - forgejo-runner
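Review bot: The registration token produced by `forgejo actions generate-runner-token` is captured in `token` and then passed as `--token '{{ token.stdout }}'`, so it is printed in Ansible's task output (and is visible in the runner host's process listing while the command runs) unless both tasks suppress logging; add `no_log: true` to the `Get runner token` task and to the inner `Register runner` task. The registration check stats the hard-coded `/var/lib/forgejo-runner/.runner` while every other path in this file is derived from `user_info.home`; if the package's home directory differs, the check never matches and the block re-registers on every run, so `path: '{{ user_info.home }}/.runner'` keeps it consistent. `mode: 0600` is an unquoted octal a few tasks below `mode: '0700'`; quote it as `mode: '0600'` so both files use the same form and avoid parser-dependent integer handling. The `command: |` block keeps literal newlines in the argument string, which the command module tolerates, but `command: >-` states a single command line more plainly.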
diff --git a/roles/forgejo-runner/templates/config.yaml.j2 b/roles/forgejo-runner/templates/config.yaml.j2 new file mode 100644 index 0000000..85e1530 --- /dev/null +++ b/roles/forgejo-runner/templates/config.yaml.j2 @@ -0,0 +1,9 @@ +runner: + file: .runner + env_file: .env + insecure: false + labels: [] + +container: + docker_host: "unix://{{ user_info.home }}/podman.sock" + network: "host" diff --git a/roles/forgejo-runner/templates/podman.j2 b/roles/forgejo-runner/templates/podman.j2 new file mode 100644 index 0000000..8cfcad7 --- /dev/null +++ b/roles/forgejo-runner/templates/podman.j2 @@ -0,0 +1,2 @@ +podman_user="{{ user_info.name }}" +podman_uri="unix://{{ user_info.home }}/podman.sock" diff --git a/roles/forgejo/handlers/main.yml b/roles/forgejo/handlers/main.yml index ef8c7bf..c895c91 100644 --- a/roles/forgejo/handlers/main.yml +++ b/roles/forgejo/handlers/main.yml @@ -10,13 +10,3 @@ state: restarted notify: wait for forgejo when: '"handler" not in ansible_skip_tags' - -- name: restart forgejo-runner - service: - name: forgejo-runner - state: restarted - when: '"handler" not in ansible_skip_tags' - -- name: wait for forgejo - wait_for: - path: /var/lib/forgejo/socket diff --git a/roles/forgejo/tasks/main.yml b/roles/forgejo/tasks/main.yml index 78badb9..11f8ccf 100644 --- a/roles/forgejo/tasks/main.yml +++ b/roles/forgejo/tasks/main.yml @@ -2,8 +2,6 @@ package: name: - forgejo - - forgejo-runner - - podman - name: Create nginx site template: 
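Review bot: `network: "host"` puts every job container in the runner host's network namespace, so a workflow from any repository this runner serves can reach services bound to loopback on the runner host; if that is intended, record the reason in a comment above the line, otherwise leave `network` empty so a network is created per job (the removed roles/forgejo/templates/config.yaml.j2 comments document that option). Those same removed comments say that a `docker_host` value other than `-` is also mounted into job and service containers, so with `docker_host: "unix://{{ user_info.home }}/podman.sock"` jobs presumably gain control of the forgejo-runner user's podman instance; confirm that is acceptable for the repositories this runner serves and state it in a comment such as `# job containers get the rootless podman socket mounted; only trusted repositories use this runner`.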
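Review bot: The `wait for forgejo` handler removed from roles/forgejo/handlers/main.yml is still referenced by the remaining context line `notify: wait for forgejo` inside the `restart forgejo` handler, whose start lies above the hunk; unless the handler is defined in a file not shown here, Ansible will report a missing handler the first time `restart forgejo` fires. Moving `restart forgejo-runner` out of this role is consistent with the new forgejo-runner role, but keep `- name: wait for forgejo` / `  wait_for:` / `    path: /var/lib/forgejo/socket` in place (or drop the `notify` line along with it).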
@@ -76,72 +74,3 @@ register: result changed_when: 'result.rc == 0' failed_when: 'result.rc != 0 and "login source already exists" not in result.stderr' - -- name: Get forgejo-runner user - user: - name: forgejo-runner - register: user_info - -- name: Configure subuid - lineinfile: - path: /etc/subuid - line: '{{ user_info.name }}:{{ user_info.uid }}00000:65536' - regexp: '^{{ user_info.name }}:' - -- name: Configure subgid - lineinfile: - path: /etc/subgid - line: '{{ user_info.name }}:{{ user_info.group }}00000:65536' - regexp: '^{{ user_info.name }}:' - -- name: Create podman service for forgejo-runner - file: - path: /etc/init.d/podman.forgejo-runner - src: podman - state: link - -- name: Configure podman service for forgejo-runner - copy: - dest: /etc/conf.d/podman.forgejo-runner - content: podman_user="forgejo-runner" - -- name: Configure forgejo-runner - template: - dest: /etc/forgejo-runner/config.yaml - src: config.yaml.j2 - owner: forgejo-runner - group: forgejo-runner - mode: 0600 - notify: restart forgejo-runner - -- name: Check runner registration - stat: - path: /var/lib/forgejo-runner/.runner - register: runner_config - -- name: Register runner - when: not runner_config.stat.exists - notify: restart forgejo-runner - block: - - name: Get runner token - become: yes - become_user: forgejo - command: forgejo actions generate-runner-token - register: token - - - name: Register runner - become: yes - become_user: forgejo-runner - command: | - forgejo-runner register --no-interactive --name runner - --instance https://git.fri.uni-lj.si - --token '{{ token.stdout }}' - -- name: Enable forgejo-runner services - service: - name: '{{ item }}' - state: started - enabled: yes - loop: - - forgejo-runner - - podman.forgejo-runner diff --git a/roles/forgejo/templates/config.yaml.j2 b/roles/forgejo/templates/config.yaml.j2 deleted file mode 100644 index b0aac31..0000000 --- a/roles/forgejo/templates/config.yaml.j2 +++ /dev/null 
@@ -1,63 +0,0 @@ -# TODO remove what’s not needed and properly configure the rest - -log: - level: debug - -runner: - file: .runner - env_file: .env - insecure: false - # The labels of a runner are used to determine which jobs the runner can run, and how to run them. - # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"] - # If it's empty when registering, it will ask for inputting labels. - # If it's empty when execute `deamon`, will use labels in `.runner` file. - labels: [] - -#cache: -# # The host of the cache server. -# # It's not for the address to listen, but the address to connect from job containers. -# # So 0.0.0.0 is a bad choice, leave it empty to detect automatically. -# host: "" -# # The port of the cache server. -# # 0 means to use a random available port. -# port: 0 -# # The external cache server URL. Valid only when enable is true. -# # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself. -# # The URL should generally end with "/". -# external_server: "" - -container: - # Specifies the network to which the container will connect. - # Could be host, bridge or the name of a custom network. - # If it's empty, create a network automatically. - network: "host" - # Whether to create networks with IPv6 enabled. Requires the Docker daemon to be set up accordingly. - # Only takes effect if "network" is set to "". - enable_ipv6: true - # And other options to be used when the container is started (eg, --add-host=my.forgejo.url:host-gateway). - options: - # The parent directory of a job's working directory. - # If it's empty, /workspace will be used. - workdir_parent: - # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob - # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted. 
- # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to: - # valid_volumes: - # - data - # - /src/*.json - # If you want to allow any volume, please use the following configuration: - # valid_volumes: - # - '**' - valid_volumes: [] - # overrides the docker client host with the specified one. - # If it's empty, act_runner will find an available docker host automatically. - # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers. - # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work. - docker_host: "unix:///tmp/podman-run-{{ user_info.uid }}/podman/podman.sock" - # Pull docker image(s) even if already present - force_pull: false - -host: - # The parent directory of a job's working directory. - # If it's empty, $HOME/.cache/act/ will be used. - workdir_parent: diff --git a/setup.yml b/setup.yml index af9a50c..f5457c3 100644 --- a/setup.yml +++ b/setup.yml @@ -51,6 +51,12 @@ roles: - forgejo +- hosts: git-runner + roles: + - forgejo-runner + vars: + git_host: git + - hosts: kanboard roles: - kanboard