diff --git a/ITD/Firewall_Rules.csv b/ITD/Firewall_Rules.csv
index 1563996..c955339 100644
--- a/ITD/Firewall_Rules.csv
+++ b/ITD/Firewall_Rules.csv
@@ -43,4 +43,5 @@ SKYNET_FIREWALL_00031,Add,i24-06-04_017,Complete,All,-,193.1.99.83,SKYNET00020,"
 SKYNET_FIREWALL_00032,Remove,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Had incorrectly opened 8080 on the main panel
 SKYNET_FIREWALL_00033,Add,i24-06-04_017,Complete,All,-,193.1.99.91,SKYNET00017,8080,-,Websocket for admin panel on games management server
 ,Add,i24-07-15_112,Denied,193.1.99.75,-,-,-,22,-,Response from ITD - 'Our IT Security team have advised that port 22 and port 2222 are only to be allowed through the VPN and will not be opened to allow inbound ssh connections directly from the internet'
-SKYNET_FIREWALL_00034,Add,i25-01-26_075,Complete,All,-,193.1.99.91,SKYNET00017,-,23318-23325,Ports for Minecraft Bedrock on the main games server.
\ No newline at end of file
+SKYNET_FIREWALL_00034,Add,i25-01-26_075,Complete,All,-,193.1.99.91,SKYNET00017,-,23318-23325,Ports for Minecraft Bedrock on the main games server.
+SKYNET_FIREWALL_00035,Add,i25-02-14_114,Complete,193.1.99.75,SKYNET00008,193.1.96.165,SKYNET00012,22,-,Allow our forgejo runner to access and deploy to teh external server
\ No newline at end of file
diff --git a/ITD/Server_Inventory.csv b/ITD/Server_Inventory.csv
index dfbc30d..d9a63f5 100644
--- a/ITD/Server_Inventory.csv
+++ b/ITD/Server_Inventory.csv
@@ -14,11 +14,14 @@ SKYNET00012,skynet,Active,193.1.96.165,Nixos-24.05,Skynet server. (DMZ)
 SKYNET00013,neuromancer,Active,193.1.99.080,Nixos-24.05,Local Backup Server
 SKYNET00014,cadie,Active,193.1.99.077,Nixos-24.05,"Services VM, has nextcloud to start with"
 SKYNET00015,marvin,Active,193.1.99.081,Nixos-24.05,Trainee testing server
-SKYNET00016,optimus,Active,193.1.99.090,Debian-12,Games server manager (replacing SKYNET00006 soon)
-SKYNET00017,bumblebee,Active,193.1.99.091,Debian-12,Game server - Minecraft
+SKYNET00016,optimus,Retired,193.1.99.090,Debian-12,Games server manager (replacing SKYNET00006 soon)
+SKYNET00017,bumblebee,Retired,193.1.99.091,Debian-12,Game server - Minecraft
 SKYNET00018,calculon,Active,193.1.99.082,Nixos-24.05,"Public Services such as binary cache, Open Governance and Keyserver"
 SKYNET00019,deepthought,Active,193.1.99.112,Nixos-24.05,Backup Test Server using restic
 SKYNET00020,ariia,Active,193.1.99.083,Nixos-24.05,"Metrics, Grafana and Prometheus"
 SKYNET00021,ash,Active,193.1.99.114,NA,Server Room Network access
 SKYNET00022,ultron,Active,193.1.99.084,Proxmox,VM Host
-SKYNET00023,optimus-test,Active,193.1.99.085,Nixos,Testing flake for Pelecian
\ No newline at end of file
+SKYNET00023,optimus-test,Retired,193.1.99.085,Nixos,Testing flake for Pelecian
+SKYNET00024,optimus,Active,193.1.99.090,Nixos,Games server manager (replaced SKYNET00016)
+SKYNET00025,bumblebee,Active,193.1.99.091,Nixos,Game server - Minecraft (replaced SKYNET00017)
+SKYNET00027,vision,Active,193.1.99.085,Raspbian,Proxmox Qurom server
\ No newline at end of file
diff --git a/applications/git/forgejo_runner.nix b/applications/git/forgejo_runner.nix
index 29029cb..c43ecec 100644
--- a/applications/git/forgejo_runner.nix
+++ b/applications/git/forgejo_runner.nix
@@ -15,21 +15,23 @@ in {
   options.services.skynet."${name}" = {
     enable = mkEnableOption "Skynet ForgeJo Runner";
 
-    runner = {
-      name = mkOption {
-        type = types.str;
-        default = config.networking.hostName;
-      };
+    name = mkOption {
+      type = types.str;
+      default = config.networking.hostName;
+    };
 
-      website = mkOption {
-        default = "https://forgejo.skynet.ie";
-        type = types.str;
-      };
+    website = mkOption {
+      default = "https://forgejo.skynet.ie";
+      type = types.str;
+    };
 
-      user = mkOption {
-        default = "gitea-runner";
-        type = types.str;
-      };
+    user = mkOption {
+      default = "gitea-runner";
+      type = types.str;
+    };
+
+    secret = mkOption {
+      type = types.path;
     };
   };
 
@@ -40,23 +42,23 @@ in {
     ];
 
     age.secrets.forgejo_runner_token = {
-      file = ../../secrets/forgejo/runners/token.age;
-      owner = cfg.runner.user;
-      group = cfg.runner.user;
+      file = cfg.secret;
+      owner = cfg.user;
+      group = cfg.user;
     };
 
     # make sure the ssh config stuff is in teh right palce
     systemd.tmpfiles.rules = [
-      #"d  /home/${cfg.runner.user}             0755 ${cfg.runner.user} ${cfg.runner.user}"
-      "L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user}  -   ${./ssh_config}"
+      #"d  /home/${cfg.user}             0755 ${cfg.user} ${cfg.user}"
+      "L+ /home/${cfg.user}/.ssh/config 0755 ${cfg.user} ${cfg.user}  -   ${./ssh_config}"
     ];
     age.secrets.forgejo_runner_ssh = {
       file = ../../secrets/forgejo/runners/ssh.age;
       mode = "600";
-      owner = "${cfg.runner.user}";
-      group = "${cfg.runner.user}";
+      owner = "${cfg.user}";
+      group = "${cfg.user}";
       symlink = false;
-      path = "/home/${cfg.runner.user}/.ssh/skynet/root";
+      path = "/home/${cfg.user}/.ssh/skynet/root";
     };
 
     nix = {
@@ -94,14 +96,14 @@ in {
     # give teh runner user a home to store teh ssh config stuff
     systemd.services.gitea-runner-default.serviceConfig = {
       DynamicUser = lib.mkForce false;
-      User = lib.mkForce cfg.runner.user;
+      User = lib.mkForce cfg.user;
     };
     users = {
-      groups."${cfg.runner.user}" = {};
-      users."${cfg.runner.user}" = {
+      groups."${cfg.user}" = {};
+      users."${cfg.user}" = {
         #isSystemUser = true;
         isNormalUser = true;
-        group = cfg.runner.user;
+        group = cfg.user;
         createHome = true;
         shell = pkgs.bash;
       };
@@ -118,8 +120,8 @@ in {
       package = pkgs.forgejo-actions-runner;
       instances.default = {
         enable = true;
-        name = cfg.runner.name;
-        url = cfg.runner.website;
+        name = cfg.name;
+        url = cfg.website;
         tokenFile = config.age.secrets.forgejo_runner_token.path;
         labels = [
           ## optionally provide native execution on the host:
diff --git a/machines/glados.nix b/machines/glados.nix
index 842da0c..5e499d8 100644
--- a/machines/glados.nix
+++ b/machines/glados.nix
@@ -28,6 +28,7 @@ in {
   imports = [
     ../applications/git/gitlab.nix
     ../applications/git/forgejo.nix
+    ../applications/git/forgejo_runner.nix
   ];
 
   deployment = {
@@ -43,5 +44,9 @@ in {
     backup.enable = true;
     gitlab.enable = true;
     forgejo.enable = true;
+    forgejo_runner = {
+      enable = true;
+      secret = ../secrets/forgejo/runners/token2.age;
+    };
   };
 }
diff --git a/machines/wheatly.nix b/machines/wheatly.nix
index f38000b..cb9cdb6 100644
--- a/machines/wheatly.nix
+++ b/machines/wheatly.nix
@@ -39,6 +39,9 @@ in {
   services.skynet = {
     host = host;
     backup.enable = true;
-    forgejo_runner.enable = true;
+    forgejo_runner = {
+      enable = true;
+      secret = ../secrets/forgejo/runners/token1.age;
+    };
   };
 }
diff --git a/secrets/forgejo/runners/ssh.age b/secrets/forgejo/runners/ssh.age
index 7a716d1..ffda5eb 100644
Binary files a/secrets/forgejo/runners/ssh.age and b/secrets/forgejo/runners/ssh.age differ
diff --git a/secrets/forgejo/runners/token.age b/secrets/forgejo/runners/token.age
deleted file mode 100644
index 2bdb872..0000000
--- a/secrets/forgejo/runners/token.age
+++ /dev/null
@@ -1,19 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 V1pwNA kZ6MC1GXuminn2Hlomkep1wIv1lp6KpJOJcpXkhQWWM
-K1B58FSyb4QpINlhuvVv4dGFNjTChU1KNoezZcS/a6Y
--> ssh-ed25519 4PzZog pbxwzRvcsOgY9hd48BZEOH6VHFLn93gJ8yDHQyNIiSI
-Fa/Z6si9vyox/pmPvWTndyYCQxo7tcvdlRuTgw6IY9g
--> ssh-ed25519 dA0vRg OW2y/LkN/287NVuRRlSpihR+k/MZ+a0R5cIrHFne6RI
-U0ZqipfDlpz9LeXKNWkl7tYCnsBjSQz8q4mETBVEalI
--> ssh-ed25519 5Nd93w jDy3i1Z1NWYqdVdw4h+maaBjokVWNrSfHtSQotb2bWg
-PtgX9L78wpJHiX4lmP+H0bfRZd/tNfHrUEAShJ38ss8
--> ssh-ed25519 q8eJgg BCaUEZ3H3BglgKPAbl/ITQaEv9Jc2rRAoFuPXhy4WFI
-DMqJu0vjDJ8rIXLSL17Dx4Aoq8Uhdo4jU8g1jTSvMK4
--> ssh-ed25519 KVr8rw dKk0SN9SXTQsPwMFiKKMuoRwzTHJB8kr33nadRzBoDc
-m2xPKYFMC/y5fKkgaBc+5TVg9ZH+zVSM9I4I3htSm7I
--> ssh-ed25519 fia1eQ NGl1o/38iTm6QiQB7pl0NBkohMZGLMeaXZ37TV184B4
-zk/DTLhuGfhDU3gNA7S0BjGOowteEhR9v5oNmOkWTGU
--> ssh-ed25519 CqOTGQ JbZYKqGfWeVu/JEAAeC6wE4QvKLEeidvggQnm6beJxA
-ArogOkTDAnvC1SKPkSGapNix2W6yvku1QFOFs9bvuGA
---- yWZoUAOfSIL4FbWSAvhVkOEbUA1u3XPGKB1gNka/xfo
-Á¡þzòõ´lÐþÈ‘ L‚´C$’ì?Hc´®ìì|¥çÛ¹„.-øýÜå¡jõ	©lÂ}9:KÓ®U…Á^§í¯Ì“ôŽIO6µ
\ No newline at end of file
diff --git a/secrets/forgejo/runners/token1.age b/secrets/forgejo/runners/token1.age
new file mode 100644
index 0000000..50ad61e
Binary files /dev/null and b/secrets/forgejo/runners/token1.age differ
diff --git a/secrets/forgejo/runners/token2.age b/secrets/forgejo/runners/token2.age
new file mode 100644
index 0000000..3c1c894
--- /dev/null
+++ b/secrets/forgejo/runners/token2.age
@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 V1pwNA DmSENr+7db9t/epcMdOAjr2qt4rSHWopkuS3/xyz+xY
+ClfO4iYTReIp6jvUBqQutkXx4XRJ++u8EsspNdDZ8kw
+-> ssh-ed25519 4PzZog QzQ5iPiSSruoDS+PDNI+/6PnIYEnnFTvnrxK4W2ZK3Y
+iTETtsauc6clML06hoMr7kinsOirURTECfB/PzJaFT4
+-> ssh-ed25519 dA0vRg UCPTgYh2/8JTajlTIgvk64eKNNMHe4ZxIDILxIGAL18
+Qj0ZS/iNwusCONf9Rh05ftd4cHSmWz7bLZ8HHtQewMo
+-> ssh-ed25519 5Nd93w D/87p469o+CW9TOqQb4C+3a9+xRvZ4bzk7vr0wXhdRk
+E/uvMfpOPvWosWS4s18f+xmexQcpJ0NED1N35pL5IjI
+-> ssh-ed25519 q8eJgg pSW+R1LjAdCTL/ys1X93jSSC+ga1phB8iYqAJ1Ic0yw
+IFl+195woVbHjz23w3mxBPkjtbfke3C+jYacWWKOpio
+-> ssh-ed25519 KVr8rw KfPs+1IA7M7dYqkUW9vty+xl/8loMZDgVFee/ZR+F0M
+mTK9yjQR18aKfw/xEdfsnGXPKxqDi1bKPj2mLtB2Xg4
+-> ssh-ed25519 fia1eQ M7nASBk9cGmZmMHf115JAazAEx3tS+sIVB49KlXltWc
+YJ48iqVSJQooltbXvw+olKC4ZZt9a92TR2uQ0xROAPY
+-> ssh-ed25519 CqOTGQ CeIqatgAbFS8oNy3fOOJdIkLM0X9AwV2zbpQHcOcICM
+qAHOkFsbM5fTxcpLFz9Iz16MVBA1oVqlxUADrLxDRrA
+-> ssh-ed25519 uZzB3g eA/GpdA5UKoleGcq9BHwj59Hz86YX7oF3LoG6zZ1ogE
+sIs5D3s72gVGglG37S0eDLUTEzuy2U9Nbi03aOJ3W4c
+--- rkCxZNLeKI9HMNZnwiFRaL1AsIUYtXYJT/YyJ1UMRqc
+!VpÒ-p®|ô†ùÞÞ_toüÎáUÈkÝïútÓ`˜@¼ÞxzWÚº³•GüîF÷=Ë]i»YÌ;YOiéÌ}¤J™÷/Ö,
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index ca7480f..cad986a 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -77,6 +77,7 @@ let
 
   gitlab_runners = [
     wheatly
+    glados
   ];
 
   grafana = [
@@ -117,7 +118,8 @@ in {
   "gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
   "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
 
-  "forgejo/runners/token.age".publicKeys = users ++ gitlab_runners;
+  "forgejo/runners/token1.age".publicKeys = users ++ gitlab_runners;
+  "forgejo/runners/token2.age".publicKeys = users ++ gitlab_runners;
   "forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners;
 
   # for ldap
@@ -130,7 +132,7 @@ in {
   "backup/restic_pw.age".publicKeys = users ++ restic;
 
   # discord bot and discord
-  "discord/token.age".publicKeys = users ++ discord;
+  "discord/token1.age".publicKeys = users ++ discord;
 
   # email stuff
   "email/details.age".publicKeys = users ++ ldap ++ discord;