diff --git a/shaka-lab-github-runner/README.md b/shaka-lab-github-runner/README.md index d49585b..0afb112 100644 --- a/shaka-lab-github-runner/README.md +++ b/shaka-lab-github-runner/README.md @@ -55,12 +55,15 @@ echo deb https://shaka-project.github.io/shaka-lab/ stable main | \ sudo apt update # Configure your GitHub details before installation to avoid prompting. +# Note that support_nested_containers is incompatible with number_of_runners +# greater than 1. cat << EOF | sudo debconf-set-selections shaka-lab-github-runner shaka-lab-github-runner/scope select SCOPE shaka-lab-github-runner shaka-lab-github-runner/scope_name string SCOPE_NAME shaka-lab-github-runner shaka-lab-github-runner/access_token password ACCESS_TOKEN shaka-lab-github-runner shaka-lab-github-runner/labels string LABELS shaka-lab-github-runner shaka-lab-github-runner/number_of_runners string NUMBER +shaka-lab-github-runner shaka-lab-github-runner/support_nested_containers boolean TRUE_OR_FALSE EOF # Install the package, which will not have to prompt for anything thanks to @@ -119,12 +122,6 @@ them in text files inside `/etc/shaka-lab-github-runner.args.d/`. To add Docker command line arguments that apply to specific runner instances, add them in text files inside `/etc/shaka-lab-github-runner@$INSTANCE.args.d/`. -To support nested containers, put this in -`/etc/shaka-lab-github-runner.args.d/docker-nested`: - -``` --v /var/run/docker.sock:/var/run/docker.sock -``` ## Updates diff --git a/shaka-lab-github-runner/linux/debian/shaka-lab-github-runner.postinst b/shaka-lab-github-runner/linux/debian/shaka-lab-github-runner.postinst index 45cd031..15ebdd7 100755 --- a/shaka-lab-github-runner/linux/debian/shaka-lab-github-runner.postinst +++ b/shaka-lab-github-runner/linux/debian/shaka-lab-github-runner.postinst 
@@ -74,6 +74,7 @@ db_go db_input high shaka-lab-github-runner/access_token || true db_input high shaka-lab-github-runner/labels || true db_input high shaka-lab-github-runner/number_of_runners || true +db_input high shaka-lab-github-runner/support_nested_containers || true db_go # Now we should have all necessary configuration. @@ -87,6 +88,8 @@ db_get shaka-lab-github-runner/labels LABELS="$RET" db_get shaka-lab-github-runner/number_of_runners NUMBER_OF_RUNNERS="$RET" +db_get shaka-lab-github-runner/support_nested_containers +SUPPORT_NESTED_CONTAINERS="$RET" ### INSTALLATION ### diff --git a/shaka-lab-github-runner/linux/debian/templates b/shaka-lab-github-runner/linux/debian/templates index 837b894..e19da38 100644 --- a/shaka-lab-github-runner/linux/debian/templates +++ b/shaka-lab-github-runner/linux/debian/templates @@ -35,3 +35,9 @@ Template: shaka-lab-github-runner/number_of_runners Type: string Description: Number of runner instances The number of runner instances to launch in parallel. + +Template: shaka-lab-github-runner/support_nested_containers +Type: boolean +Description: Support nested containers? + If true, support nested containers. Incompatible with multiple runner + instances on the same host. diff --git a/shaka-lab-github-runner/linux/start-runner.sh b/shaka-lab-github-runner/linux/start-runner.sh index 341258a..6e85515 100755 --- a/shaka-lab-github-runner/linux/start-runner.sh +++ b/shaka-lab-github-runner/linux/start-runner.sh 
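Review bot: Neither postinst hunk rejects the combination that the README and the template both call incompatible, `support_nested_containers` true with `number_of_runners` greater than 1. A guard right after `SUPPORT_NESTED_CONTAINERS="$RET"` would stop that install, for example `if [ "$SUPPORT_NESTED_CONTAINERS" = "true" ] && [ "$NUMBER_OF_RUNNERS" -gt 1 ]; then echo "support_nested_containers requires number_of_runners=1" >&2; exit 1; fi`. This matters because start-runner.sh runs `rm -rf` on fixed host paths at every start when the option is on, so a second instance would presumably wipe the first one's work folder. The rest of the postinst is outside these hunks, so a check may already exist further down, and it is also not visible here whether `SUPPORT_NESTED_CONTAINERS` is used after being read.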
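Review bot: The new `support_nested_containers` template has no `Default:` field, so an install that neither preseeds nor answers the question leaves the value to debconf's fallback. Adding `Default: false` after `Type: boolean` would state explicitly that the feature is opt-in. The description would also be more useful to an administrator if it said what enabling the option does on the host, namely that start-runner.sh then bind-mounts `/var/run/docker.sock` and several host folders into the runner container.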
@@ -86,43 +86,59 @@ if dpkg -s shaka-lab-cert-generator &>/dev/null || \ extra_docker_args+=(--mount type=bind,src=/etc/letsencrypt,dst=/etc/letsencrypt,ro) fi -# To support nested containers in self-hosted workflows, certain folders -# expected by GitHub Actions must be consistently mapped from the outer host to -# the first container. To keep workflows ephemeral, we also wipe these before -# every run. +# This matches what GitHub runner expects, and is the necessary value for +# nested container support. RUNNER_WORKDIR=/home/runner/work -MAPPED_FOLDERS=( - $RUNNER_WORKDIR - /opt/hostedtoolcache -) -for i in "${MAPPED_FOLDERS[@]}"; do - rm -rf "$i" - mkdir -p "$i" - extra_docker_args+=(--mount type=bind,src="$i",dst="$i") -done - -# This folder already exists inside the container image, but we want to keep our -# own copy of it at the host level. This will allow it to be correctly mapped -# to nested containers, and modified if necessary. -EXTERNALS=/actions-runner/externals -rm -rf "$EXTERNALS" -mkdir -p "$EXTERNALS" -# Create a temporary docker container to extract these files. +# Make sure we have the required Docker image/tag, and the latest version of it. docker pull "$DOCKER_IMAGE" -docker container create --name "$CONTAINER_NAME" "$DOCKER_IMAGE" - -# Copy "$EXTERNALS" itself from the container into the local parent of the same. -# This is because "docker cp" doesn't do wildcards, so you can't copy "e/* e/". -docker cp "$CONTAINER_NAME":"$EXTERNALS" "$EXTERNALS"/.. -# Clean up the temporary container. -docker container rm "$CONTAINER_NAME" - -# Create a special mount for this folder. -extra_docker_args+=(--mount type=bind,src="$EXTERNALS",dst="$EXTERNALS",ro) +# Extract the value of shaka-lab-github-runner/support_nested_containers from +# debian package configuration. 
+SUPPORT_NESTED_CONTAINERS=$(debconf-get-selections 2>/dev/null | grep shaka-lab-github-runner/support_nested_containers | awk '{print $4}') + +# Add extra arguments necessary for nested containers, if requested. +if [[ "$SUPPORT_NESTED_CONTAINERS" == "true" ]]; then + # To support nested containers in self-hosted workflows, certain folders + # expected by GitHub Actions must be consistently mapped from the outer host + # to the first container. To keep workflows ephemeral, we also wipe these + # before every run. + MAPPED_FOLDERS=( + $RUNNER_WORKDIR + /opt/hostedtoolcache + ) + for i in "${MAPPED_FOLDERS[@]}"; do + rm -rf "$i" + mkdir -p "$i" + extra_docker_args+=(--mount type=bind,src="$i",dst="$i") + done + + # This folder already exists inside the container image, but we want to keep + # our own copy of it at the host level. This will allow it to be correctly + # mapped to nested containers, and modified if necessary. + EXTERNALS=/actions-runner/externals + rm -rf "$EXTERNALS" + mkdir -p "$EXTERNALS" + + # Create a temporary docker container to extract these files. + docker container create --name "$CONTAINER_NAME" "$DOCKER_IMAGE" + + # Copy "$EXTERNALS" itself from the container into the local parent of the + # same. This is because "docker cp" doesn't do wildcards, so you can't copy + # "e/* e/". + docker cp "$CONTAINER_NAME":"$EXTERNALS" "$EXTERNALS"/.. + + # Clean up the temporary container. + docker container rm "$CONTAINER_NAME" + + # Create a special mount for this folder. + extra_docker_args+=(--mount type=bind,src="$EXTERNALS",dst="$EXTERNALS",ro) + + # Create a special bind for the docker socket. + extra_docker_args+=(-v /var/run/docker.sock:/var/run/docker.sock) +fi -# Start a docker container. +# Start the docker container. # --rm: Remove the container when it shuts down. # --name: The name of the container. # --network host: Use the host directly for networking, rather than NAT.
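Review bot: The added `extra_docker_args+=(-v /var/run/docker.sock:/var/run/docker.sock)` at the end of the `if` block gives the runner container the host's Docker daemon, which is generally equivalent to root on the host for any job that runs there. Its comment only says "special bind" and should state the trust decision, e.g. `# Exposes the host Docker daemon to workflow jobs (root-equivalent on the host); enable only for trusted repositories.` Separately, the `debconf-get-selections 2>/dev/null | grep … | awk '{print $4}'` lookup discards every error, so a missing tool or an unmatched line silently reads as "not true" and the runner starts without the nested mounts. Logging the resolved value before the `if` would make that visible. That pipeline also pulls every stored selection on the host through the script, which may include the `access_token` entry, so a value written out by the postinst or a query limited to this package would be narrower.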