diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 9ab8d3e5..491097a8 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -39,6 +39,8 @@ jobs:
       - name: Run unit and component tests
         run: npm test
         working-directory: frontend
+        env:
+          TZ: Europe/Berlin
 
       - name: Build frontend
         run: npm run build
@@ -78,6 +80,8 @@ jobs:
     runs-on: ubuntu-latest
     env:
       DOCKER_API_VERSION: "1.43"  # NAS runner runs Docker 24.x (max API 1.43); Testcontainers 2.x defaults to 1.44
+      DOCKER_HOST: unix:///var/run/docker.sock
+      TESTCONTAINERS_RYUK_DISABLED: "true"
     steps:
       - uses: actions/checkout@v4
 
diff --git a/runner-config.yaml b/runner-config.yaml
new file mode 100644
index 00000000..66bb616c
--- /dev/null
+++ b/runner-config.yaml
@@ -0,0 +1,16 @@
+# runner-config.yaml — only the relevant section
+container:
+  # passed as DOCKER_HOST inside the job container
+  docker_host: "unix:///var/run/docker.sock"
+  # whitelists the socket path so workflows can mount it
+  valid_volumes:
+    - "/var/run/docker.sock"
+  # appended to `docker run` when the runner spawns a job container
+  # SECURITY: Mounting the Docker socket grants job containers root-equivalent
+  # access to the host Docker daemon. Acceptable here because only trusted code
+  # from this private repo runs on this runner. Do NOT use on a runner that
+  # accepts untrusted PRs from external contributors.
+  options: "-v /var/run/docker.sock:/var/run/docker.sock"
+  # keep network mode default (bridge) — Testcontainers handles its own networking
+  force_pull: false
+