{ lib, config, pkgs, ... }:
let
  cfg = config.my.servers.gitea;
  host = config.networking.hostName;

  # Tools put on PATH for jobs that run directly on this machine (the
  # "nix:host"/"nixos:host" labels below). Listed in attribute-name order,
  # which is the same order `builtins.attrValues` would yield.
  runnerPath = [
    pkgs.attic-client
    pkgs.bash
    pkgs.coreutils
    pkgs.curl
    pkgs.gitMinimal
    pkgs.nix
    pkgs.nodejs
    pkgs.openssh
    pkgs.podman
    pkgs.podman-compose
    pkgs.python3
  ];
in
{
  # Only materialise the runner on hosts that opted in via
  # `my.servers.gitea.enable` AND are flagged `my.secureHost`; everything
  # below is inert otherwise.
  config = lib.mkIf (cfg.enable && config.my.secureHost) {
    # Dedicated, non-login system account for the runner process.
    users.groups.gitea-runner = { };
    users.users.gitea-runner = {
      isSystemUser = true;
      group = "gitea-runner";
      # SECURITY: membership in `docker` is root-equivalent on the host (the
      # daemon socket lets any member start a privileged container with `/`
      # mounted), and a `podman` group is presumably there for the same
      # socket-style access. Every workflow this runner executes inherits
      # that, so only repositories whose contributors are already trusted
      # with host root should be allowed to target it.
      # NOTE(review): nothing in `runnerPath` ships a docker CLI, so confirm
      # the `docker` membership is actually still needed before keeping it.
      extraGroups = [ "docker" "podman" ];
    };

    nix.settings = {
      # Permits the runner account to talk to the Nix daemon at all.
      allowed-users = [ "gitea-runner" ];
      # SECURITY: `trusted-users` lets the account override daemon settings
      # (substituters, sandbox options, ...) and the Nix manual describes it
      # as essentially root access. It is presumably here so `attic use` can
      # register substituters — verify, and prefer pre-declaring
      # `extra-substituters`/`extra-trusted-public-keys` in `nix.settings`
      # if that lets this entry be dropped.
      trusted-users = [ "gitea-runner" ];
    };

    services.gitea-actions-runner.instances.nixos = {
      enable = cfg.enable;
      url = cfg.url;
      name = "${host}-nixos";
      # Registration token is provisioned out of band via sops. Nothing in
      # this module sets the secret's owner/mode, so readability by the
      # runner service has to be arranged on the sops secret itself.
      tokenFile = config.sops.secrets.gitea.path;
      # Host-mode labels only: jobs run as `gitea-runner` directly on this
      # machine, not inside a container.
      labels = [ "nix:host" "nixos:host" ];
      hostPackages = runnerPath;
    };
  };
}