diff --git a/.forgejo/workflows/nix-build.yaml b/.forgejo/workflows/nix-build.yaml
deleted file mode 100644
index 7925a20..0000000
--- a/.forgejo/workflows/nix-build.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-on: [push]
-jobs:
- check:
- runs-on: nixos-host
- steps:
- - name: Checkout
- uses: actions/checkout@v3
-
- # cache not needed since we now run on the host directly
- # - name: Load cached nix store
- # id: cache-nix-store
- # uses: actions/cache/restore@v4
- # with:
- # path: /nix/store
- # key: ${{ runner.os }}-nix-store
-
- - name: Build server
- run: |
- nix shell nixpkgs#nixos-rebuild -c nixos-rebuild build --flake .#beefcake --accept-flake-config
-
- - name: Build router
- run: |
- nix shell nixpkgs#nixos-rebuild -c nixos-rebuild build --flake .#router --accept-flake-config
-
- - name: Build desktop
- run: |
- nix shell nixpkgs#nixos-rebuild -c nixos-rebuild build --flake .#dragon --accept-flake-config
-
- - name: Build laptop
- run: |
- nix shell nixpkgs#nixos-rebuild -c nixos-rebuild build --flake .#foxtrot --accept-flake-config
-
- - name: Build default devShell
- run: |
- nix develop . --build
-
- # - name: Save nix store
- # uses: actions/cache/save@v4
- # with:
- # path: /nix/store
- # key: ${{ steps.cache-nix-store.outputs.cache-primary-key }}
diff --git a/.forgejo/workflows/nix-flake-check.yaml b/.forgejo/workflows/nix-flake-check.yaml
deleted file mode 100644
index 021d09d..0000000
--- a/.forgejo/workflows/nix-flake-check.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-on: [push]
-jobs:
- check:
- runs-on: nixos-host
- steps:
- - name: Checkout
- uses: actions/checkout@v3
-
- # cache not needed since we now run on the host directly
- # - name: Load cached nix store
- # id: cache-nix-store
- # uses: actions/cache/restore@v4
- # with:
- # path: /nix/store
- # key: ${{ runner.os }}-nix-store
-
- - name: Check nix flake
- run: |
- nix flake check
-
- # - name: Save nix store
- # uses: actions/cache/save@v4
- # with:
- # path: /nix/store
- # key: ${{ steps.cache-nix-store.outputs.cache-primary-key }}
diff --git a/.forgejo/workflows/pre-merge.yaml b/.forgejo/workflows/pre-merge.yaml
new file mode 100644
index 0000000..622b07a
--- /dev/null
+++ b/.forgejo/workflows/pre-merge.yaml
@@ -0,0 +1,33 @@
+on: [push]
+jobs:
+ build-host:
+ runs-on: nix-2.24.12
+ strategy:
+ matrix:
+ info:
+ - host: beefcake
+ - host: router
+ - host: dragon
+ - host: foxtrot
+ - host: flipflop
+ steps:
+ - uses: actions/checkout@v4
+ - name: Build host
+ run: |
+ nix shell nixpkgs#nixos-rebuild -c nixos-rebuild build --flake .#${{ matrix.info.host }} --accept-flake-config
+
+ build-devshell:
+ runs-on: nix-2.24.12
+ steps:
+ - uses: actions/checkout@v4
+ - name: Build default devShell
+ run: |
+ nix develop . --build --accept-flake-config
+
+ flake-check:
+ runs-on: nix-2.24.12
+ steps:
+ - uses: actions/checkout@v4
+ - name: Check nix flake
+ run: |
+ nix flake check --accept-flake-config
diff --git a/lib/modules/nixos/podman.nix b/lib/modules/nixos/podman.nix
index 3780867..92105b9 100644
--- a/lib/modules/nixos/podman.nix
+++ b/lib/modules/nixos/podman.nix
@@ -5,7 +5,11 @@
 ...
 }:
 {
- config = lib.mkIf config.virtualisation.podman.enable {
+ options = {
+ podman.enable = lib.mkEnableOption "Enable podman and associated general NixOS defaults";
+ };
+
+ config = lib.mkIf config.podman.enable {
 environment = {
 systemPackages = with pkgs; [
 podman-tui
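Review bot: All three jobs run `--accept-flake-config` on an `on: [push]` trigger, so any pushed revision can change `nixConfig` in flake.nix (extra substituters, trusted public keys, sandbox settings) and the runner will honour it without review; that is acceptable only if everyone who can push is trusted to that level. A comment above the `on:` line such as `# --accept-flake-config trusts nixConfig from the pushed revision; only trusted pushers should reach this workflow` would record that decision, and the flag can be dropped from any step that does not actually need the flake's substituters. `actions/checkout@v4` is pinned to a moving tag; pinning workflow actions to a commit SHA is the usual supply-chain hardening.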
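Review bot: `lib.mkEnableOption` prefixes its argument with "Whether to enable", so the description of the new `podman.enable` option renders as "Whether to enable Enable podman and associated general NixOS defaults."; the argument should be the noun phrase alone, `podman.enable = lib.mkEnableOption "podman and associated general NixOS defaults";`. The option also sits at the top level of the NixOS option tree rather than under the project namespace used elsewhere in this diff (`lyte.shell.enable`, `lyte.desktop.enable`), which is where a reader would look for it. The enclosing module attribute set continues past the end of the hunk.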
@@ -15,7 +19,7 @@
 virtualisation = {
 podman = {
- # enable = true;
+ enable = true;
 dockerCompat = true;
 dockerSocket.enable = true;
 defaultNetwork.settings.dns_enabled = true;
diff --git a/packages/forgejo-actions-container.nix b/packages/forgejo-actions-container.nix
index d23254b..849edb8 100644
--- a/packages/forgejo-actions-container.nix
+++ b/packages/forgejo-actions-container.nix
@@ -1,23 +1,40 @@
 {
+ git,
+ findutils,
+ coreutils,
 nodejs_23,
 nix,
+ gnugrep,
+ gawk,
+ bash,
+ jq,
 dockerTools,
+ cacert,
 }:
 let
 pname = "forgejo-actions-container";
+ version = "3";
 in
 # bootstrap this into the forgejo server with
 # $ podman login ${FORGEJO_ENDPOINT:-git.lyte.dev}
 # $ podman image load -i (nix build .#forgejo-actions-container --print-out-paths)
-# $ podman image push git.lyte.dev/lytedev/nix:forgejo-actions-container-$NIX_VERSION
+# $ podman push git.lyte.dev/lytedev/nix:forgejo-actions-container-v$IMAGE_VERSION-nix-v$NIX_VERSION
 dockerTools.buildLayeredImage {
 name = "git.lyte.dev/lytedev/nix";
- tag = "${pname}-${nix.version}";
+ tag = "${pname}-v${version}-nix-v${nix.version}";
 config = {
 Cmd = [ "/bin/nix" ];
 };
 contents = [
 nix
+ gnugrep
+ gawk
+ bash
+ jq
+ findutils
 nodejs_23
+ coreutils
+ cacert
+ git
 ];
 }
diff --git a/packages/hosts/beefcake.nix b/packages/hosts/beefcake.nix
index 8a0a5c1..868908c 100644
--- a/packages/hosts/beefcake.nix
+++ b/packages/hosts/beefcake.nix
@@ -108,7 +108,7 @@
 };
 };
- virtualisation.podman.enable = true;
+ podman.enable = true;
 services.deno-netlify-ddns-client = {
 enable = true;
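Review bot: The bootstrap comment now tells the operator to push `...-v$IMAGE_VERSION-nix-v$NIX_VERSION`, but nothing in the file defines `IMAGE_VERSION`; the value actually baked into the tag is the `version = "3";` binding a few lines above, and beefcake.nix hard-codes `forgejo-actions-container-v3-nix-v2.24.12` in its runner label. A comment on that binding would keep the three in step: `# bump together with the runner label in packages/hosts/beefcake.nix; the tag pushed must equal the \`tag\` attribute below`. The `nix-latest` label in beefcake.nix references a `forgejo-actions-container-latest` tag that this derivation does not produce, so unless it is pushed by some other step that label appears to be dead. With `cacert` added to `contents` but no `Env` in `config`, whether `git` and `nix` find the bundle depends on their default CA lookup paths; setting `SSL_CERT_FILE` and `NIX_SSL_CERT_FILE` explicitly in `config.Env` would remove the guess.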
@@ -132,6 +132,51 @@
 lyte.shell.enable = true;
 };
+ /*
+ TODO: non-root processes and services that access secrets need to be part of
+ the 'keys' group
+
+ systemd.services.some-service = {
+ serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];
+ };
+ or
+ users.users.example-user.extraGroups = [ config.users.groups.keys.name ];
+
+ TODO: declarative directory quotas? for storage/$USER and /home/$USER
+ */
+
+ /*
+ # https://github.com/NixOS/nixpkgs/blob/04af42f3b31dba0ef742d254456dc4c14eedac86/nixos/modules/services/misc/lidarr.nix#L72
+ services.lidarr = {
+ enable = true;
+ dataDir = "/storage/lidarr";
+ };
+
+ services.radarr = {
+ enable = true;
+ dataDir = "/storage/radarr";
+ };
+
+ services.sonarr = {
+ enable = true;
+ dataDir = "/storage/sonarr";
+ };
+
+ services.bazarr = {
+ enable = true;
+ listenPort = 6767;
+ };
+
+ networking.firewall.allowedTCPPorts = [9876 9877];
+ networking.firewall.allowedUDPPorts = [9876 9877];
+ networking.firewall.allowedUDPPortRanges = [
+ {
+ from = 27000;
+ to = 27100;
+ }
+ ];
+ */
+
 imports = [
 hardware.common-cpu-intel
 {
@@ -1060,16 +1105,17 @@
 container = {
 # use the shared network which is bridged by default
 # this lets us hit git.lyte.dev just fine
- network = "podman";
+ # network = "podman";
+ network = "host";
 };
 };
 labels = [
 # type ":host" does not depend on docker/podman/lxc
- "podman"
- "nix-2.24.12:docker://git.lyte.dev/lytedev/nix:forgejo-actions-container-2.24.12"
- "nix-latest:docker://git.lyte.dev/lytedev/nix:forgejo-actions-container-latest"
 # "beefcake:host"
 # "nixos-host:host"
+ # "podman"
+ "nix-2.24.12:docker://git.lyte.dev/lytedev/nix:forgejo-actions-container-v3-nix-v2.24.12"
+ "nix-latest:docker://git.lyte.dev/lytedev/nix:forgejo-actions-container-latest"
 ];
 tokenFile = config.sops.secrets."forgejo-runner.env".path;
 hostPackages = with pkgs; [
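Review bot: Switching the runner's job containers from `network = "podman"` to `network = "host"` removes the network boundary between CI jobs and beefcake itself: a job started by any push now runs in the host's network namespace, so it can reach every service bound to localhost or a host interface and can bind host ports, which the bridged network previously prevented. The two comments above the changed line ("use the shared network which is bridged by default" / "this lets us hit git.lyte.dev just fine") now describe the commented-out value, so the reason host networking was needed is not recorded. If the bridge only failed on name resolution, fixing that (podman.nix in this same diff already sets `defaultNetwork.settings.dns_enabled = true`) would keep the isolation; otherwise replace the stale comments with the real reason, e.g. `# host networking: <reason>; jobs share the host's network namespace and can reach local services`. The enclosing runner configuration starts before this hunk.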
@@ -2164,49 +2210,4 @@
 }
 )
 ];
-
- /*
- TODO: non-root processes and services that access secrets need to be part of
- the 'keys' group
-
- systemd.services.some-service = {
- serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];
- };
- or
- users.users.example-user.extraGroups = [ config.users.groups.keys.name ];
-
- TODO: declarative directory quotas? for storage/$USER and /home/$USER
- */
-
- /*
- # https://github.com/NixOS/nixpkgs/blob/04af42f3b31dba0ef742d254456dc4c14eedac86/nixos/modules/services/misc/lidarr.nix#L72
- services.lidarr = {
- enable = true;
- dataDir = "/storage/lidarr";
- };
-
- services.radarr = {
- enable = true;
- dataDir = "/storage/radarr";
- };
-
- services.sonarr = {
- enable = true;
- dataDir = "/storage/sonarr";
- };
-
- services.bazarr = {
- enable = true;
- listenPort = 6767;
- };
-
- networking.firewall.allowedTCPPorts = [9876 9877];
- networking.firewall.allowedUDPPorts = [9876 9877];
- networking.firewall.allowedUDPPortRanges = [
- {
- from = 27000;
- to = 27100;
- }
- ];
- */
 }
diff --git a/packages/hosts/dragon.nix b/packages/hosts/dragon.nix
index a1f66a6..f2067ae 100644
--- a/packages/hosts/dragon.nix
+++ b/packages/hosts/dragon.nix
@@ -50,7 +50,7 @@
 services.postgresql.enable = true;
 programs.steam.enable = true;
 lyte.desktop.enable = true;
- virtualisation.podman.enable = true;
+ podman.enable = true;
 home-manager.users.daniel = {
 lyte = {
diff --git a/readme.md b/readme.md
index f841335..1a741fa 100644
--- a/readme.md
+++ b/readme.md
@@ -5,8 +5,7 @@ Nix for lytedev
-[![flake check status](https://git.lyte.dev/lytedev/nix/badges/workflows/nix-flake-check.yaml/badge.svg)](https://git.lyte.dev/lytedev/nix/actions?workflow=nix-flake-check.yaml)
-[![build status](https://git.lyte.dev/lytedev/nix/badges/workflows/nix-build.yaml/badge.svg)](https://git.lyte.dev/lytedev/nix/actions?workflow=nix-build.yaml)
+[![pre-merge status](https://git.lyte.dev/lytedev/nix/badges/workflows/pre-merge.yaml/badge.svg)](https://git.lyte.dev/lytedev/nix/actions?workflow=pre-merge.yaml)