diff --git a/dot_config/flake/machines/kaylee/configuration.nix b/dot_config/flake/machines/kaylee/configuration.nix index 6865eef..9db5b3b 100644 --- a/dot_config/flake/machines/kaylee/configuration.nix +++ b/dot_config/flake/machines/kaylee/configuration.nix @@ -4,10 +4,14 @@ lib, pkgs, ... -}: { +}: let + secrets = builtins.fromTOML (builtins.readFile ./secrets.toml); +in { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix + + ../../modules/nixos/docker.nix ]; nixpkgs = { @@ -31,6 +35,47 @@ nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs; }; + # forgejo + virtualisation.oci-containers = { + backend = "docker"; + containers = { + baszel = { + image = "henrygd/beszel-agent:latest"; + autoStart = true; + environment = { + PORT = "45876"; + KEY = secrets.baszel_key; + HUB_URL = "http://10.0.0.2:8090"; + TOKEN = secrets.baszel_token; + }; + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock" + ]; + }; + forgejo-runner = { + # serviceName = "forgejo-runner"; + autoStart = true; + privileged = true; + cmd = ["forgejo-runner" "--config" "/data/config.yml" "daemon"]; + user = "1000:131"; + networks = ["forgejo"]; + image = "data.forgejo.org/forgejo/runner:11"; + environment = { + DOCKER_HOST = "unix:///var/run/docker.sock"; + }; + ports = [ + "8080:8080" + ]; + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock" + "/home/tyler/.config/forgejo:/data" + "/home/tyler/.local/cache/forgejo:/cache" + "/home/tyler/.local/share/forgejo:/workspace" + ]; + }; + }; + }; + # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; 
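Review bot: `secrets = builtins.fromTOML (builtins.readFile ./secrets.toml)` reads a plaintext secrets file at evaluation time, so every value taken from it is copied into the world-readable Nix store along with whatever the config does with it, and the decrypted file must sit next to configuration.nix; the commit only adds `encrypted_secrets.toml.age`, so `secrets.toml` is presumably produced by chezmoi on apply — confirm it is gitignored and never committed. NixOS has no store-safe secret handling built into this pattern; a runtime-read root-only file, or an age/sops based NixOS secrets module if the flake already uses one, is the usual way to keep secret material out of `/nix/store`. If the plaintext file is kept, at least record the consequence where the binding is made, e.g. `# NOTE: anything read from secrets.toml ends up in /nix/store (world-readable)`.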
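Review bot: `KEY = secrets.baszel_key` and `TOKEN = secrets.baszel_token` are passed through `environment`, which the oci-containers module renders (as far as I recall) into the `docker run` command line of a systemd unit in the world-readable Nix store, so these credentials are readable by every local user; the module's `environmentFiles = [ "/path/to/beszel.env" ];` pointing at a root-only 0600 file outside the store is the supported way to keep them out. The forgejo-runner container combines `privileged = true` with the host `/var/run/docker.sock` and bind mounts under `/home/tyler`, which means any workflow this runner executes can obtain root on the host; `privileged` adds nothing once the socket is mounted and should be dropped, and the trust assumption (only trusted repositories dispatch jobs to this runner) deserves a comment where `# forgejo` currently stands, since that comment also mislabels the beszel block. `henrygd/beszel-agent:latest` is a mutable tag, so the agent that gets docker-socket access is whatever the registry serves at deploy time — pin a version or digest as the runner image already does. The attribute name `baszel` (versus the image's `beszel`) becomes the container and unit name and is presumably a typo.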
@@ -44,12 +89,16 @@ networking.hostName = "kaylee"; services.dnsmasq.enable = true; + services.avahi = { + enable = true; + nssmdns4 = true; + }; services.xserver.xkb.layout = "us"; users.users.tyler = { isNormalUser = true; - extraGroups = ["wheel"]; # Enable ‘sudo’ for the user. + extraGroups = ["wheel" "docker"]; # Enable ‘sudo’ for the user. shell = pkgs.fish; }; @@ -60,6 +109,9 @@ restic git chezmoi + git + curl + unzip ]; programs.fish.enable = true; diff --git a/dot_config/flake/machines/kaylee/encrypted_secrets.toml.age b/dot_config/flake/machines/kaylee/encrypted_secrets.toml.age new file mode 100644 index 0000000..7bab19a --- /dev/null +++ b/dot_config/flake/machines/kaylee/encrypted_secrets.toml.age @@ -0,0 +1,10 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5b1VYZG8xeFFFQVJUeVdo +UldiWXZvdHlkNmdKTmhYaG5tNWdtNW42ZTJRClA1dDlySFhUMWtjejFva3hPRWNO +dzdaQmNDb0tBd3JXdGFPeElCcDFPLzAKLS0tIGhRSFBMb214R096azVyWElEbE5i +dnNRRW15QzYzKzZteGV5c3ZLQXFkQ2sKlOj5HYEUqcMGMWh3zkgmvIssFg1+8CIS +HrFnwb79/ynhs96j0EKdhaQpNW/El5ZCk4ndQePuK55TYsjxusZA0c3Lxsc6yCUa +9/oO0zHquoVHQbMfpV9ML8k4uT44Vg+3dLBxJJuGs3cVW4uYn2fynUPCy1inTKp0 +OHFAAksOJqpq73P6RQYx9tsbUCsfMAeChjUzP3jr2Qen44nCpIASUcnyYdId6RTY +4ENI+pNlS0t4 +-----END AGE ENCRYPTED FILE----- diff --git a/dot_config/flake/machines/kaylee/hardware-configuration.nix b/dot_config/flake/machines/kaylee/hardware-configuration.nix new file mode 100644 index 0000000..7f73064 --- /dev/null +++ b/dot_config/flake/machines/kaylee/hardware-configuration.nix 
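Review bot: the comment on `extraGroups = ["wheel" "docker"]` still reads `# Enable ‘sudo’ for the user.` but the line now also grants membership of `docker`, which is root-equivalent access to the host via the socket with none of sudo's prompting or audit trail; update it, e.g. `# wheel: sudo; docker: unrestricted docker socket (root-equivalent, no sudo audit)`. Enabling avahi also, if I recall the module default correctly, opens UDP 5353 in the firewall and announces the host on the LAN — set `services.avahi.openFirewall` explicitly so that exposure is a deliberate choice rather than a default.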
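Review bot: `git` is added to `environment.systemPackages` although the list already contains `git` two lines above; drop the duplicate. Nix deduplicates the derivation so nothing breaks, but the repeat reads like a merge slip and will confuse the next edit to this list.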
@@ -0,0 +1,41 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ehci_pci" "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/093a88f0-7ec2-4672-b7bb-bb7f62df99ca"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/161E-9FB2"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/b150b63b-c446-4134-a444-e789318b9546"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +}