diff --git a/hosts/muffin/default.nix b/hosts/muffin/default.nix
index 298c281..90953e4 100644
--- a/hosts/muffin/default.nix
+++ b/hosts/muffin/default.nix
@@ -226,14 +226,6 @@
 
   users.groups.${service_configs.media_group} = { };
 
-  users.users.gitea-runner = {
-    isSystemUser = true;
-    group = "gitea-runner";
-    home = "/var/lib/gitea-runner";
-    description = "Gitea Actions CI runner";
-  };
-  users.groups.gitea-runner = { };
-
   users.users.${username} = {
     isNormalUser = true;
     extraGroups = [
diff --git a/services/gitea/actions-runner.nix b/services/gitea/actions-runner.nix
index e650d23..6dbe1c6 100644
--- a/services/gitea/actions-runner.nix
+++ b/services/gitea/actions-runner.nix
@@ -34,6 +34,14 @@
     };
   };
 
+  users.users.gitea-runner = {
+    isSystemUser = true;
+    group = "gitea-runner";
+    home = "/var/lib/gitea-runner";
+    description = "Gitea Actions CI runner";
+  };
+  users.groups.gitea-runner = { };
+
   # Override DynamicUser to use our static gitea-runner user, and ensure
   # the runner doesn't start before the co-located gitea instance is ready
   # (upstream can't assume locality, so this dependency is ours to add).