# NixOS module: registers this host as a Gitea Actions runner (act_runner).
#
# Only active when the local gitea option set is enabled AND the host is
# tagged as a secure host (`config.my.secureHost`); on any other host the
# whole attribute set below evaluates to nothing.
{ lib, config, pkgs, ... }:

let
  inherit (lib) mkIf;
  gitea = config.my.servers.gitea;
in
{
  config = mkIf (gitea.enable && config.my.secureHost) {

    # Dedicated system account the runner (and therefore every workflow job
    # it executes) runs as.
    users.groups.gitea-runner = { };
    users.users.gitea-runner = {
      isSystemUser = true;
      group = "gitea-runner";
      # NOTE(review): membership in the `docker` group gives unrestricted
      # access to the Docker socket, which is root-equivalent on the host.
      # Jobs submitted through this runner run as this user, so any
      # repository allowed to target it can reach root. `podman` is listed
      # here although no podman package appears in hostPackages and all
      # labels below use `docker://` — confirm it is still needed.
      extraGroups = [ "docker" "podman" ];
    };

    # Both settings are NixOS lists and are merged with whatever other
    # modules contribute.
    nix.settings = {
      # Required for the runner account to talk to the nix-daemon at all.
      allowed-users = [ "gitea-runner" ];
      # NOTE(review): trusted-users may override daemon settings from the
      # client side (substituters, trusted-public-keys, require-sigs,
      # sandbox, ...), so a workflow running on this runner can import
      # unsigned store paths. Unless jobs need that, `allowed-users`
      # alone is the least-privilege choice — confirm which jobs rely on it.
      trusted-users = [ "gitea-runner" ];
    };

    services.gitea-actions-runner.instances.webref = {
      url = gitea.url;
      enable = gitea.enable;
      # Runner display name derived from the machine's hostname.
      name = "${config.networking.hostName}-nixos";
      # Registration token is provided out-of-band via sops, never inline.
      tokenFile = config.sops.secrets.gitea.path;
      # NOTE(review): act_runner documents the `host` and `docker://`
      # label schemes; `native` is not one of them and may be rejected
      # at startup by the runner version in use — verify. If it is
      # treated as host execution, jobs for `nix` and `webref` run
      # directly on this machine with no container boundary.
      labels = [
        "nix:native"
        "ubuntu-latest:docker://node:20-bookworm"
        "webref:native"
      ];
      # Tools exposed on PATH for host-executed jobs. Kept in attribute-name
      # order so the list is the same one `builtins.attrValues` would yield.
      hostPackages = with pkgs; [
        bash
        coreutils
        curl
        docker
        docker-compose
        git
        nix
        nodejs
        postgresql
        python3
      ];
    };
  };
}