diff --git a/agenix/hosts/tanker/forgejo-actions/token.age b/agenix/hosts/tanker/forgejo-actions/token.age index ceb7f47..b24c96c 100644 --- a/agenix/hosts/tanker/forgejo-actions/token.age +++ b/agenix/hosts/tanker/forgejo-actions/token.age @@ -1,9 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 MtGp6g j3LJbMvC+F+WI80vay1mUtT4AU/iPrVlJspYtDwL5WI -JllJKpMrJtNEF2Wjlt+FQZjt0HYg1jcM5Z23Nyr0JDQ --> ssh-ed25519 iO8/4g M2tItsaOdbUwDrIR6CniYnQtmdgLBL31D/xdYI27DR4 -hdQhMFbQ88Qd0b9/yUqSCp0jmWBVTamHRHxvfzMKQd0 --> a88u-grease %<;6}T6g dP%)[l 5M?k?Ff -66xUudBfSs81QpoQPElEtQ9W5IUdTpeO613+2nVdnOVb ---- +iZj/5A8YtvHw9xzvg95+S7aYwRvA87KYF8fsZyuORk -ÿ§Zh§è#ÊÖÆ&BÕÓ÷îÈKe¡Z`×òŠýD$;TH,ß¡Àì³ÏÿÓL´×% à•ŒƒÈX©Høh$8‚€Ù³„)ÊŒ÷HàX ssh-ed25519 MtGp6g jM+++wGqvWlj9wKwKdrS3d8xpwfLp1ks4GCh3sm/6zM +QkBPJf0lBF617AFcko4KA/Aq6mi6eMWp/ye2Abf2fKk +-> ssh-ed25519 iO8/4g IGCdvdMB6PdiqxA9yamSUMCfH4Bk0JmtOuZt4WZrFGM +cz19imzpQAkWv+iCoUzBfMRC5D0yusCMQkROrjBhoJ0 +-> PT|e-grease cJG6UW4o +4G+Rp2jt1sZbGLxuKl7DgX1wl1kaOhhEjkloCeaHg0lt6P7bmjcg++jh6hWs7MhO +dMp8SKY9 +--- VdFRpEBs74LJOqJNYwiGeb/wy/e7Wm+aFQnw3AI1pFw +r ‹åkòBúx–µvŠ™a ob""éh&éÅîb{ñÌH´òã,’×q¢·Ã RSm½¤ûÃTûo ¾hB•gdµ ÷?GÒ¼n0©î \ No newline at end of file diff --git a/system/hosts/tanker.nix b/system/hosts/tanker.nix index 2bd0811..7881f4f 100644 --- a/system/hosts/tanker.nix +++ b/system/hosts/tanker.nix @@ -109,10 +109,6 @@ in hostName = "tanker"; hostId = "d89f488a"; useNetworkd = true; - - extraHosts = '' - 127.0.0.1 attic.cache.daniel.sx - ''; }; systemd = { diff --git a/system/nixos/forgejo.nix b/system/nixos/forgejo.nix index 0e4f66a..9424c1c 100644 --- a/system/nixos/forgejo.nix +++ b/system/nixos/forgejo.nix @@ -42,10 +42,6 @@ in SAME_SITE = "strict"; }; - repository = { - DISABLE_HTTP_GIT = true; - }; - actions = { ENABLED = true; }; 
@@ -68,8 +64,7 @@ in tokenFile = config.age.secrets.forgejo-actions-token.path; labels = [ - "debian-bullseye:docker://node:18-bullseye" - "debian-bookworm:docker://node:18-bookworm" + "ubuntu-latest-amd64:docker://ghcr.io/catthehacker/ubuntu:act-latest" ]; }; }; diff --git a/system/nixos/nginx-argon.nix b/system/nixos/nginx-argon.nix index e5c12ea..73c67e6 100644 --- a/system/nixos/nginx-argon.nix +++ b/system/nixos/nginx-argon.nix @@ -1,3 +1,5 @@ +{ lib, config, ... }: + { services.nginx.virtualHosts."default.internal.kempkens.network" = { listen = [ @@ -34,4 +36,20 @@ return = "418"; }; }; + + networking.firewall.interfaces = + let + interfaces = lib.mapAttrsToList (_: lib.attrsets.attrByPath [ "matchConfig" "Name" ] null) config.systemd.network.networks ++ [ "tailscale0" ]; + in + builtins.listToAttrs + (builtins.map + (iface: + { + name = iface; + value = { + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ 443 ]; + }; + }) + (builtins.filter builtins.isString interfaces)); } diff --git a/system/nixos/nginx-mediaserver.nix b/system/nixos/nginx-mediaserver.nix index e5c12ea..73c67e6 100644 --- a/system/nixos/nginx-mediaserver.nix +++ b/system/nixos/nginx-mediaserver.nix @@ -1,3 +1,5 @@ +{ lib, config, ... }: + { services.nginx.virtualHosts."default.internal.kempkens.network" = { listen = [ @@ -34,4 +36,20 @@ return = "418"; }; }; + + networking.firewall.interfaces = + let + interfaces = lib.mapAttrsToList (_: lib.attrsets.attrByPath [ "matchConfig" "Name" ] null) config.systemd.network.networks ++ [ "tailscale0" ]; + in + builtins.listToAttrs + (builtins.map + (iface: + { + name = iface; + value = { + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ 443 ]; + }; + }) + (builtins.filter builtins.isString interfaces)); } diff --git a/system/nixos/nginx-tanker.nix b/system/nixos/nginx-tanker.nix index 84ef5dc..8291087 100644 --- a/system/nixos/nginx-tanker.nix +++ b/system/nixos/nginx-tanker.nix 
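Review bot: The new runner label in `labels` points at `ghcr.io/catthehacker/ubuntu:act-latest`, a third-party image referenced by a mutable tag, so whatever is next published under that tag becomes the environment for every job that selects `ubuntu-latest-amd64`. Jobs typically see the checked-out repository and any secrets the workflow is given, so an image change should be an explicit, reviewable edit. Pinning by digest would do that, e.g. `"ubuntu-latest-amd64:docker://ghcr.io/catthehacker/ubuntu:act-latest@sha256:<digest>"` (placeholder digest; confirm the runner's label parser accepts a digest suffix). The earlier hunk in this file also drops `DISABLE_HTTP_GIT = true`, presumably so runner jobs can clone over HTTP(S); a one-line comment next to `actions` saying so would record why HTTP git is reachable again.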
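Review bot: The `networking.firewall.interfaces` block added at the end of nginx-argon.nix opens TCP 80/443 and UDP 443 on every interface named in `config.systemd.network.networks` plus `tailscale0`, so any network added to that host later is exposed automatically without touching this file. The same block is pasted verbatim into nginx-mediaserver.nix and nginx-tanker.nix. For the two hosts serving `default.internal.kempkens.network`, an explicit per-host interface list would make the exposure visible at review time, and one shared module taking that list as an argument would remove the three copies. Note also that `matchConfig.Name` may be a glob or a list in networkd; a list is silently dropped by `builtins.filter builtins.isString`, and a glob is used as a literal interface key, which may not match as intended. At minimum a comment such as `# opens 80/443 on ALL networkd-managed interfaces + tailscale0` above the `let` would document the intent.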
@@ -1,3 +1,5 @@ +{ lib, config, ... }: + { services.nginx.virtualHosts."default.kempkens.io" = { listen = [ @@ -34,4 +36,20 @@ return = "418"; }; }; + + networking.firewall.interfaces = + let + interfaces = lib.mapAttrsToList (_: lib.attrsets.attrByPath [ "matchConfig" "Name" ] null) config.systemd.network.networks ++ [ "tailscale0" ]; + in + builtins.listToAttrs + (builtins.map + (iface: + { + name = iface; + value = { + allowedTCPPorts = [ 80 443 ]; + allowedUDPPorts = [ 443 ]; + }; + }) + (builtins.filter builtins.isString interfaces)); } diff --git a/system/nixos/nginx.nix b/system/nixos/nginx.nix index a458de0..feee724 100644 --- a/system/nixos/nginx.nix +++ b/system/nixos/nginx.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, config, ... }: +{ pkgs, ... }: { services.nginx = { @@ -25,20 +25,4 @@ access_log /var/log/nginx/access.log combined_anon buffer=32k flush=5m; ''; }; - - networking.firewall.interfaces = - let - interfaces = lib.mapAttrsToList (_: lib.attrsets.attrByPath [ "matchConfig" "Name" ] null) config.systemd.network.networks ++ [ "tailscale0" ]; - in - builtins.listToAttrs - (builtins.map - (iface: - { - name = iface; - value = { - allowedTCPPorts = [ 80 443 ]; - allowedUDPPorts = [ 443 ]; - }; - }) - (builtins.filter builtins.isString interfaces)); }