diff --git a/nix/modules/gitea-runner.nix b/nix/modules/gitea-runner.nix
index 8baab51..d13cc6f 100644
--- a/nix/modules/gitea-runner.nix
+++ b/nix/modules/gitea-runner.nix
@@ -65,7 +65,9 @@
 "/data/runner"
 "/home/github/infrastructure"
 ];
-
+ BindReadOnlyPaths = [
+ "/nix/store"
+ ];
 # Disable all sandboxing features
 DynamicUser = lib.mkForce false;
 PrivateDevices = lib.mkForce false;
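Review bot: The new `BindReadOnlyPaths` entry has no comment saying why `/nix/store` needs an explicit read-only bind, and with the separating blank line removed it now reads as part of the `# Disable all sandboxing features` block below it, which does the opposite. I would restore the blank line and add a comment such as `# Keep /nix/store read-only inside the runner's mount namespace so jobs cannot modify it`, adjusted to the actual intent. Setting this option makes systemd allocate a mount namespace for the unit, so it is worth confirming that this is compatible with whatever required the hardening options below to be forced off. The list that ends at `];` above and the rest of the service configuration lie outside the hunk, so I cannot tell which option the writable paths belong to or which other options are overridden.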