{
  lib,
  config,
  pkgs,
  ...
}:
let
  cfg = config.my.servers.gitea;
in
{
  config = lib.mkIf (cfg.enable && config.my.secureHost) {
    services.gitea-actions-runner.instances.nixos = {
      inherit (cfg) url enable;
      name = "${config.networking.hostName}-nixos";
      tokenFile = config.sops.secrets.gitea.path;
      labels = [
        "nixos:host"
      ];
      hostPackages = builtins.attrValues {
        inherit (pkgs)
          bash
          coreutils
          gitMinimal
          nix
          attic-client
          nodejs # Required for GitHub Actions
          openssh # Required for SSH git operations
          ;
      };
    };
  };
}