diff --git a/ansible/playbooks/indri.yml b/ansible/playbooks/indri.yml index 6e962f1..4366eb0 100644 --- a/ansible/playbooks/indri.yml +++ b/ansible/playbooks/indri.yml @@ -61,6 +61,23 @@ no_log: true tags: [forgejo] + # Forgejo runner token (for indri-based runner) + - name: Fetch forgejo runner token + ansible.builtin.command: + cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields runner-token --reveal + delegate_to: localhost + register: _forgejo_runner_token + changed_when: false + no_log: true + check_mode: false + tags: [forgejo_runner] + + - name: Set forgejo runner token fact + ansible.builtin.set_fact: + forgejo_runner_token: "{{ _forgejo_runner_token.stdout }}" + no_log: true + tags: [forgejo_runner] + roles: - role: alloy tags: alloy @@ -82,3 +99,5 @@ tags: plex_metrics - role: tailscale_serve tags: tailscale-serve + - role: forgejo_runner + tags: forgejo_runner diff --git a/ansible/roles/forgejo_runner/defaults/main.yml b/ansible/roles/forgejo_runner/defaults/main.yml new file mode 100644 index 0000000..643f3a2 --- /dev/null +++ b/ansible/roles/forgejo_runner/defaults/main.yml @@ -0,0 +1,19 @@ +--- +forgejo_runner_repo_dir: /Users/erichblume/code/3rd/forgejo-runner +forgejo_runner_binary: "{{ forgejo_runner_repo_dir }}/forgejo-runner" +forgejo_runner_data_dir: /Users/erichblume/.forgejo-runner +forgejo_runner_config_dir: /Users/erichblume/.config/forgejo-runner +forgejo_runner_log_dir: /Users/erichblume/Library/Logs + +# Runner registration +forgejo_runner_instance_url: "http://localhost:3001" +forgejo_runner_name: "indri-docker-runner" +forgejo_runner_labels: "docker-builder:docker" + +# Runner config +forgejo_runner_capacity: 2 +forgejo_runner_timeout: 3h + +# Docker container settings for jobs +forgejo_runner_docker_network: bridge +forgejo_runner_privileged: true # Needed for container builds 
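Review bot: The two added token tasks fetch the runner registration token and publish it as the host variable `forgejo_runner_token` on every run that selects the `forgejo_runner` tag, although the role only consumes it while `.runner` does not exist yet. Fetching it inside the role, gated on the same registration check, would keep the secret out of play memory on routine runs. The fetch also accepts whatever `op` prints; a guard on the fetch task such as `failed_when: _forgejo_runner_token.rc != 0 or _forgejo_runner_token.stdout | length == 0` would stop the play before a blank token reaches registration. The task list these tasks belong to starts outside the hunk.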
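Review bot: `forgejo_runner_privileged: true` as the role default runs every job container in privileged mode, and config.yaml.j2 in this commit also allowlists `/var/run/docker.sock`; together that gives any workflow scheduled on this runner control of the Docker daemon on indri. Builds that go through the host socket normally do not need a privileged job container (that is a docker-in-docker requirement), so I would default to `forgejo_runner_privileged: false` and let the inventory opt in. If it stays enabled, replace the inline comment with one that states the trust assumption, e.g. `# privileged + docker.sock: only trusted repositories may target this runner`.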
diff --git a/ansible/roles/forgejo_runner/handlers/main.yml b/ansible/roles/forgejo_runner/handlers/main.yml
new file mode 100644
index 0000000..9cad7d1
--- /dev/null
+++ b/ansible/roles/forgejo_runner/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Restart forgejo-runner
+ block:
+ - name: Unload forgejo-runner LaunchAgent
+ ansible.builtin.command: launchctl unload ~/Library/LaunchAgents/mcquack.eblume.forgejo-runner.plist
+ failed_when: false
+ changed_when: true
+
+ - name: Load forgejo-runner LaunchAgent
+ ansible.builtin.command: launchctl load ~/Library/LaunchAgents/mcquack.eblume.forgejo-runner.plist
+ changed_when: true
diff --git a/ansible/roles/forgejo_runner/tasks/main.yml b/ansible/roles/forgejo_runner/tasks/main.yml
new file mode 100644
index 0000000..d7106c1
--- /dev/null
+++ b/ansible/roles/forgejo_runner/tasks/main.yml
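Review bot: The plist path `~/Library/LaunchAgents/mcquack.eblume.forgejo-runner.plist` is spelled out in both handler commands and twice more in tasks/main.yml, next to the bare label in the `launchctl list` call. A default such as `forgejo_runner_launchagent_label: mcquack.eblume.forgejo-runner`, with the plist path derived from it, would keep those sites in step if the label ever changes. Separately, `failed_when: false` on the unload hides every failure, not only the not-loaded case; a one-line comment such as `# best-effort: the agent may not be loaded yet` would record that intent.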
@@ -0,0 +1,83 @@
+---
+# Forgejo Runner on indri
+#
+# Uses Docker container mode for job isolation.
+# Can build containers using Docker (via socket).
+#
+# ONE-TIME SETUP (before running ansible):
+#
+# 1. Clone forgejo-runner from forge mirror:
+# ssh indri 'git clone https://forge.tail8d86e.ts.net/eblume/forgejo-runner.git ~/code/3rd/forgejo-runner'
+#
+# 2. Set up Go via mise:
+# ssh indri 'cd ~/code/3rd/forgejo-runner && mise use go@1.24'
+#
+# 3. Build:
+# ssh indri 'cd ~/code/3rd/forgejo-runner && mise x -- make build'
+#
+# 4. Run ansible to deploy config and LaunchAgent
+
+- name: Verify forgejo-runner binary exists
+ ansible.builtin.stat:
+ path: "{{ forgejo_runner_binary }}"
+ register: forgejo_runner_binary_stat
+
+- name: Fail if forgejo-runner binary not found
+ ansible.builtin.fail:
+ msg: |
+ Forgejo-runner binary not found at {{ forgejo_runner_binary }}.
+ Please build from source first:
+ ssh indri 'cd ~/code/3rd/forgejo-runner && mise x -- make build'
+ when: not forgejo_runner_binary_stat.stat.exists
+
+- name: Ensure forgejo-runner directories exist
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ mode: '0755'
+ loop:
+ - "{{ forgejo_runner_data_dir }}"
+ - "{{ forgejo_runner_config_dir }}"
+
+- name: Deploy forgejo-runner config
+ ansible.builtin.template:
+ src: config.yaml.j2
+ dest: "{{ forgejo_runner_config_dir }}/config.yaml"
+ mode: '0644'
+ notify: Restart forgejo-runner
+
+- name: Check if runner is registered
+ ansible.builtin.stat:
+ path: "{{ forgejo_runner_data_dir }}/.runner"
+ register: forgejo_runner_registered
+
+- name: Register runner with Forgejo
+ ansible.builtin.command:
+ cmd: >
+ {{ forgejo_runner_binary }} register
+ --instance "{{ forgejo_runner_instance_url }}"
+ --token "{{ forgejo_runner_token }}"
+ --name "{{ forgejo_runner_name }}"
+ --labels "{{ forgejo_runner_labels }}"
+ --no-interactive
+ chdir: "{{ forgejo_runner_data_dir }}"
+ when: not forgejo_runner_registered.stat.exists
+ changed_when: true
+
+- name: Deploy forgejo-runner LaunchAgent plist
+ ansible.builtin.template:
+ src: forgejo-runner.plist.j2
+ dest: ~/Library/LaunchAgents/mcquack.eblume.forgejo-runner.plist
+ mode: '0644'
+ notify: Restart forgejo-runner
+
+- name: Check if forgejo-runner LaunchAgent is loaded
+ ansible.builtin.command: launchctl list mcquack.eblume.forgejo-runner
+ register: forgejo_runner_launchctl_check
+ changed_when: false
+ failed_when: false
+
+- name: Load forgejo-runner LaunchAgent if not loaded
+ ansible.builtin.command: launchctl load ~/Library/LaunchAgents/mcquack.eblume.forgejo-runner.plist
+ when: forgejo_runner_launchctl_check.rc != 0
+ changed_when: true
diff --git a/ansible/roles/forgejo_runner/templates/config.yaml.j2 b/ansible/roles/forgejo_runner/templates/config.yaml.j2
new file mode 100644
index 0000000..7de5cc0
--- /dev/null
+++ b/ansible/roles/forgejo_runner/templates/config.yaml.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+log:
+ level: info
+
+runner:
+ file: {{ forgejo_runner_data_dir }}/.runner
+ capacity: {{ forgejo_runner_capacity }}
+ timeout: {{ forgejo_runner_timeout }}
+
+container:
+ network: "{{ forgejo_runner_docker_network }}"
+ privileged: {{ forgejo_runner_privileged | lower }}
+ # Mount Docker socket so jobs can build containers
+ valid_volumes:
+ - /var/run/docker.sock
diff --git a/ansible/roles/forgejo_runner/templates/forgejo-runner.plist.j2 b/ansible/roles/forgejo_runner/templates/forgejo-runner.plist.j2
new file mode 100644
index 0000000..4bac25f
--- /dev/null
+++ b/ansible/roles/forgejo_runner/templates/forgejo-runner.plist.j2
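Review bot: `Register runner with Forgejo` puts `{{ forgejo_runner_token }}` on the command line without `no_log: true`, so the token that indri.yml fetches under `no_log` is printed in the task result whenever the play runs verbosely or the registration fails. Add `no_log: true` to that task. The data directory that receives the resulting `.runner` file is created with `mode: '0755'`; assuming that file holds the runner's credentials, `'0700'` for `forgejo_runner_data_dir` would be the tighter choice.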
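Review bot: The comment above `valid_volumes` says the Docker socket is mounted, but as far as I can tell this key is only an allowlist of volumes a job may request, and nothing in the template mounts it. I would reword it to `# Allow jobs to bind-mount the host Docker socket (grants control of the Docker daemon)` so the reader sees both what the setting does and what it exposes. The `file:` and `timeout:` values are also rendered unquoted; `file: "{{ forgejo_runner_data_dir }}/.runner"` would survive a path containing spaces or `#`.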
@@ -0,0 +1,26 @@
+
+
+
+
+
+ Label
+ mcquack.eblume.forgejo-runner
+ ProgramArguments
+
+ {{ forgejo_runner_binary }}
+ daemon
+ --config
+ {{ forgejo_runner_config_dir }}/config.yaml
+
+ WorkingDirectory
+ {{ forgejo_runner_data_dir }}
+ RunAtLoad
+
+ KeepAlive
+
+ StandardOutPath
+ {{ forgejo_runner_log_dir }}/mcquack.forgejo-runner.out.log
+ StandardErrorPath
+ {{ forgejo_runner_log_dir }}/mcquack.forgejo-runner.err.log
+
+