{
  lib,
  config,
  ...
}:
let
  cfg = config.my.servers.gitea;
in
{
  config = lib.mkIf (cfg.enable && config.my.secureHost) {
    services.gitea-actions-runner.instances.docker = {
      inherit (cfg) url enable;
      name = "${config.networking.hostName}-docker";
      tokenFile = config.sops.secrets.gitea.path;
      labels = [
        "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:full-latest"
        "ubuntu-24.04:docker://ghcr.io/catthehacker/ubuntu:full-24.04"
        "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:full-22.04"
        "ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:full-20.04"
      ];
    };
  };
}