diff --git a/hosts/fw/modules/gitea-runner-image-README.md b/hosts/fw/modules/gitea-runner-image-README.md
new file mode 100644
index 0000000..dfa1677
--- /dev/null
+++ b/hosts/fw/modules/gitea-runner-image-README.md
@@ -0,0 +1,44 @@
+# Gitea Runner Docker Image
+
+This directory contains the Dockerfile for the custom Gitea Actions runner image that includes additional dependencies needed for CI workflows.
+
+## Included Tools
+
+- **Base**: `shivammathur/node:latest` (includes Node.js and common development tools)
+- **Chrome dependencies**: Full Puppeteer/Chromium dependencies for headless browser testing
+- **webp**: WebP image format tools (`cwebp`, `dwebp`)
+- **libavif-bin**: AVIF image format tools (`avifenc`, `avifdec`)
+
+## Building the Image
+
+```bash
+cd hosts/fw/modules
+docker build -f gitea-runner.Dockerfile -t git.cloonar.com/infrastructure/gitea-runner:latest .
+```
+
+## Pushing to Registry
+
+First, authenticate with your Gitea container registry:
+
+```bash
+docker login git.cloonar.com
+```
+
+Then push the image:
+
+```bash
+docker push git.cloonar.com/infrastructure/gitea-runner:latest
+```
+
+## Using the Image
+
+The image is already configured in `gitea-vm.nix` and will be used automatically by the Gitea Actions runners for jobs labeled with `ubuntu-latest`.
+
+## Updating the Image
+
+When you need to add new dependencies:
+
+1. Edit `gitea-runner.Dockerfile`
+2. Rebuild the image with the commands above
+3. Push to the registry
+4. Restart the runner VMs: `systemctl restart microvm@git-runner-1.service microvm@git-runner-2.service`
diff --git a/hosts/fw/modules/gitea-runner.Dockerfile b/hosts/fw/modules/gitea-runner.Dockerfile
new file mode 100644
index 0000000..6712e3a
--- /dev/null
+++ b/hosts/fw/modules/gitea-runner.Dockerfile
@@ -0,0 +1,47 @@
+FROM shivammathur/node:latest
+
+# Install Chrome dependencies for Puppeteer
+RUN apt-get update && apt-get install -y \
+ ca-certificates \
+ fonts-liberation \
+ libappindicator3-1 \
+ libasound2t64 \
+ libatk-bridge2.0-0 \
+ libatk1.0-0 \
+ libc6 \
+ libcairo2 \
+ libcups2 \
+ libdbus-1-3 \
+ libexpat1 \
+ libfontconfig1 \
+ libgbm1 \
+ libgcc-s1 \
+ libglib2.0-0 \
+ libgtk-3-0 \
+ libnspr4 \
+ libnss3 \
+ libpango-1.0-0 \
+ libpangocairo-1.0-0 \
+ libstdc++6 \
+ libx11-6 \
+ libx11-xcb1 \
+ libxcb1 \
+ libxcomposite1 \
+ libxcursor1 \
+ libxdamage1 \
+ libxext6 \
+ libxfixes3 \
+ libxi6 \
+ libxrandr2 \
+ libxrender1 \
+ libxss1 \
+ libxtst6 \
+ lsb-release \
+ wget \
+ xdg-utils \
+ webp \
+ libavif-bin \
+ && rm -rf /var/lib/apt/lists/*
+
+# Verify installations
+RUN cwebp -version && avifenc --version
diff --git a/hosts/fw/modules/gitea-vm.nix b/hosts/fw/modules/gitea-vm.nix
index d202cd4..33155cb 100644
--- a/hosts/fw/modules/gitea-vm.nix
+++ b/hosts/fw/modules/gitea-vm.nix
@@ -55,7 +55,8 @@ in {
 name = runner;
 tokenFile = "/run/secrets/gitea-runner-token";
 labels = [
- "ubuntu-latest:docker://shivammathur/node:latest"
+ # "ubuntu-latest:docker://shivammathur/node:latest"
+ "ubuntu-latest:docker://git.cloonar.com/infrastructure/gitea-runner:latest"
 ];
 settings = {
 container = {
diff --git a/hosts/fw/modules/gitea.nix b/hosts/fw/modules/gitea.nix
index 3e2daef..e74c0ce 100644
--- a/hosts/fw/modules/gitea.nix
+++ b/hosts/fw/modules/gitea.nix
@@ -70,6 +70,9 @@ in
 sslCertificateKey = "/var/lib/acme/gitea/key.pem";
 sslTrustedCertificate = "/var/lib/acme/gitea/chain.pem";
 forceSSL = true;
+ extraConfig = ''
+ client_max_body_size 2048M;
+ '';
 locations."/" = {
 proxyPass = "http://localhost:3001/";
 };
@@ -109,6 +112,12 @@ in
 USER = "gitea@cloonar.com";
 };
 actions.ENABLED=true;
+ attachment = {
+ MAX_SIZE = 2048; # 2GB in MB for general attachments
+ };
+ packages = {
+ ENABLED = true;
+ };
 };
 };
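Review bot: `FROM shivammathur/node:latest` in gitea-runner.Dockerfile builds on a mutable tag from a third-party registry account, so each rebuild can pull different contents into the image that every `ubuntu-latest` job runs in. Pin the base to a reviewed digest, `FROM shivammathur/node:latest@sha256:<digest-of-reviewed-image>`, and bump it deliberately. The same concern applies to the `git.cloonar.com/infrastructure/gitea-runner:latest` label added in gitea-vm.nix: with `:latest`, whoever can push to that package changes what the runners execute without any change in this repository, so a versioned tag or digest in the label would make the running image reviewable. The `apt-get install -y` line could also take `--no-install-recommends` so the image contains only the packages listed.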
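Review bot: In gitea.nix the `client_max_body_size 2048M;` is set in the vhost-level `extraConfig`, so it applies to every location of this server, including paths reachable without a login. By default nginx buffers a proxied request body before handing it to the upstream, so any client can make the proxy accept and spool up to 2 GB per request. If the increase is only needed for pushing container images and packages, set it on dedicated locations for those routes (Gitea serves the container registry under `/v2/` and other package types under `/api/packages/`) and keep the default elsewhere. The virtual-host block starts outside this hunk, so other per-location limits may exist that are not visible here.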
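Review bot: In the second gitea.nix hunk, `attachment.MAX_SIZE = 2048` governs issue, comment and release attachments, not container or package uploads, so if the aim is only to push the runner image this raises the upload ceiling for every account that can attach files without helping the registry push. `packages.ENABLED = true` is added with no quota; Gitea's `[packages]` section offers `LIMIT_TOTAL_OWNER_SIZE` and `LIMIT_SIZE_CONTAINER`, and setting them would bound how much disk a single owner or a single image can take. The inline comment should state why 2 GB is needed rather than restate the unit, for example `# large enough for <what needs it>; see packages limits below`.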
diff --git a/hosts/nb/users/dominik.nix b/hosts/nb/users/dominik.nix
index adf061a..7682b75 100644
--- a/hosts/nb/users/dominik.nix
+++ b/hosts/nb/users/dominik.nix
@@ -655,7 +655,7 @@ in
 };
 "tools.epicenter.works" = {
 user = "root";
- identityFile = "~/.ssh/epicenter.id_rsa";
+ identityFile = "~/.ssh/epicenter_id_ed25519";
 };
 "*.epicenter.works !tools.epicenter.works" = {
 user = "dominik";
diff --git a/hosts/web-arm/sites/cloonar.com.nix b/hosts/web-arm/sites/cloonar.com.nix
index 66cf45d..06de94b 100644
--- a/hosts/web-arm/sites/cloonar.com.nix
+++ b/hosts/web-arm/sites/cloonar.com.nix
@@ -62,7 +62,7 @@ in {
 #home = "/home/${domain}";
 group = "nginx";
 openssh.authorizedKeys.keys = [
- "ssh-rsa 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"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKKJEgyfKyz5sf5GT0HYXiDmf36fnLe/exbXbRpsNJi"
 ];
 };
 users.groups.${domain} = {};
diff --git a/hosts/web-arm/sites/cloonar.dev.nix b/hosts/web-arm/sites/cloonar.dev.nix
index 5873645..5f1520a 100644
--- a/hosts/web-arm/sites/cloonar.dev.nix
+++ b/hosts/web-arm/sites/cloonar.dev.nix
@@ -14,20 +14,42 @@ in {
 '';
 locations."~* \.(jpe?g|png)$".extraConfig = ''
- set $red Z;
+ set $img_format Z;
+
+ # Check for AVIF support (highest priority)
+ if ($http_accept ~* "avif") {
+ set $img_format A;
+ }
+
+ if (-f $document_root/avif/$request_uri.avif) {
+ set $img_format "''${img_format}V";
+ }
+
+ # Serve AVIF if supported and available
+ if ($img_format = "AV") {
+ add_header Vary Accept;
+ rewrite ^ /avif/$request_uri.avif break;
+ }
+
+ # Reset and check for WebP support (fallback)
+ set $img_format Z;
 if ($http_accept ~* "webp") {
- set $red A;
+ set $img_format W;
 }
 if (-f $document_root/webp/$request_uri.webp) {
- set $red "''${red}B";
+ set $img_format "''${img_format}P";
 }
- if ($red = "AB") {
+ # Serve WebP if supported and available
+ if ($img_format = "WP") {
 add_header Vary Accept;
- rewrite ^ /webp/$request_uri.webp;
+ rewrite ^ /webp/$request_uri.webp break;
 }
+
+ # If neither AVIF nor WebP matched, serve original format
+ add_header Vary Accept;
 '';
 locations."^~ /vcards/".extraConfig = ''
@@ -40,7 +62,7 @@ in {
 try_files $uri $uri/ /vcards/index.php$is_args$args;
 '';
- locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+ locations."~* \.(js|jpg|gif|png|webp|avif|css|woff2)$".extraConfig = ''
 expires 365d;
 add_header Pragma "public";
 add_header Cache-Control "public";
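Review bot: The new AVIF branch in cloonar.dev.nix builds both the existence test `-f $document_root/avif/$request_uri.avif` and the `rewrite ^ /avif/$request_uri.avif break;` target from `$request_uri`, which is the raw request target: it keeps the query string and is neither percent-decoded nor normalised, unlike the `$uri` the location regex matched. A request such as `photo.jpg?v=2` therefore never finds its variant, and a filesystem path is assembled from unnormalised client input. Use `$uri` instead, `if (-f $document_root/avif$uri.avif)` and `rewrite ^ /avif$uri.avif break;`, and apply the same change to the WebP test and rewrite (the WebP test is pre-existing context, the rewrite is touched here). A one-line comment that the two-letter flag exists because nginx `if` cannot combine conditions would help the next reader.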
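Review bot: Adding `avif` to the `\.(js|jpg|gif|png|webp|avif|css|woff2)$` location only affects direct requests for `.avif` URLs, because the image location in the previous hunk now rewrites with `break`, which keeps processing inside that location. As far as the visible lines show, negotiated AVIF and WebP responses therefore no longer receive `expires 365d` and `Cache-Control "public"` from this block, whereas the old flag-less `rewrite` re-ran location matching on the `.webp` URI. If long-lived caching of the negotiated variants is wanted, add `expires 365d;` next to `add_header Vary Accept;` in the image location, or confirm the loss is intended. This location's body continues past the end of the hunk.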