diff --git a/hosts/tesla-nixos/configuration.nix b/hosts/tesla-nixos/configuration.nix
index 00e1738..4af10ff 100644
--- a/hosts/tesla-nixos/configuration.nix
+++ b/hosts/tesla-nixos/configuration.nix
@@ -134,33 +134,33 @@ # GitLab Runner
 services.gitlab-runner = {
 enable = true;
- # service runs as this user so jobs share the same rootless Podman context
 user = "gitlab-runner";
- concurrent = 4;
- runners = [
- {
- name = "ci-nspawn-rootless-podman";
- url = "https://gitlab.com/"; # your GitLab URL
- tokenFile = "/var/lib/gitlab-runner/registration-token"; # create this once
- executor = "docker"; # GitLab's Docker executor (backed by Podman)
+ services = {
+ ci-nspawn-rootless-podman = {
+ # Prefer auth tokens (GitLab 18 deprecates registration tokens)
+ # Put CI_SERVER_URL and CI_SERVER_TOKEN into this file (ENV format).
+ authenticationTokenConfigFile = "/var/lib/gitlab-runner/token-env";
+ # …or, if you still use a registration token:
+ # registrationConfigFile = "/var/lib/gitlab-runner/registration.env";
+
+ executor = "docker"; # use Docker executor against Podman
 dockerImage = "alpine:3";
- dockerPrivileged = true; # often needed for DinD-like jobs; set false if you can
- # Point the Docker executor at the *user* Podman socket:
- environment = [
- # IMPORTANT: set to the gitlab-runner user's runtime dir
- # You can find UID with: id -u gitlab-runner (in container)
- "DOCKER_HOST=unix:///run/user/$(id -u gitlab-runner)/podman/podman.sock"
- ];
- # Optional volumes for caching, etc.
+ dockerPrivileged = true; # tighten later if you can
 dockerVolumes = [ "/var/lib/gitlab-runner/cache:/cache" ];
- # Helpful default pull behavior
- dockerPullPolicy = "if-not-present";
- }
- ];
- };
+
+ # If your nixpkgs exposes it (most do), point Docker executor at Podman:
+ dockerHost = "unix:///run/user/$(id -u gitlab-runner)/podman/podman.sock";
+ # If that option isn’t available in your channel, instead supply a full
+ # config.toml via `services.gitlab-runner.configFile` where you set:
+ # [runners.docker]
+ # host = "unix:///run/user/UID/podman/podman.sock"
+ }; # end services.ci-nspawn-rootless-podman
+ }; # end services.gitlab-runner
+ }; # end containers.ci.config
+ # Make sure systemd + cgroups are fully available inside the container systemd.oomd.enable = false; # avoids noise in small containers
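Review bot: The new `dockerHost` value is never shell-expanded — Nix only interpolates `${…}`, so `$(id -u gitlab-runner)` is written literally into config.toml and the Docker executor is pointed at a socket path that does not exist (the fallback comment's literal `UID` placeholder has the same gap, and the removed `DOCKER_HOST` line had the same bug). Pin the runner's uid in the same module and interpolate it, e.g. `users.users.gitlab-runner.uid = 1001;` and `dockerHost = "unix:///run/user/${toString config.users.users.gitlab-runner.uid}/podman/podman.sock";`, assuming `config` is in scope at this point of the container config. Keeping `dockerPrivileged = true` on a socket-backed executor means every job that reaches this runner, potentially including ones from untrusted merge requests, runs as a privileged container under the gitlab-runner user; if your nixpkgs offers `dockerAllowedImages`, restrict it, and extend the comment on `authenticationTokenConfigFile` to say the file must be readable by the service user only (`0600`) since it now grants the runner identity outright. The three added `};` lines close `ci-nspawn-rootless-podman`, `services` and the `services.gitlab-runner = {` context line above (the removed `}`, `];`, `};` closed the runner attrset, `runners` and `services.gitlab-runner`), so the `# end containers.ci.config` label on the last one is off by one; relabel them `# end services` and `# end services.gitlab-runner` so the nesting reads correctly. The enclosing `containers.ci.config` attrset starts outside the hunk.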