## NixOS module for a Forgejo Actions runner registered against
## git.fediversity.eu. It also generates an Attic client configuration for
## the runner's user and links it into that user's home directory.
{
  lib,
  pkgs,
  config,
  ...
}:

let
  sources = import ../../../npins;
  runnerUser = "gitea-runner";
  hmStrings = import "${sources.home-manager}/modules/lib/strings.nix" { inherit lib; };

  # The generated Attic token file; both its placeholder and its path are
  # needed when filling in templates below.
  atticToken = config.vars.generators.attic.files.token;
in
{
  _class = "nixos";

  imports = [
    "${sources.home-manager}/nixos"
    "${sources.vars}/options.nix"
    "${sources.vars}/backends/on-machine.nix"
  ];

  services.gitea-actions-runner.package = pkgs.forgejo-actions-runner;

  services.gitea-actions-runner.instances.default = {
    enable = true;
    name = config.networking.fqdn;
    url = "https://git.fediversity.eu";
    # The registration token is referenced by file path (taken from
    # config.age.secrets) instead of being written into this module.
    tokenFile = config.age.secrets.forgejo-runner-token.path;

    settings.log.level = "info";
    settings.runner = {
      file = ".runner";
      # Take only 1 job at a time to avoid clashing NixOS tests, see #362
      capacity = 1;
      timeout = "3h";
      # Keep TLS certificate verification towards the forge enabled.
      insecure = false;
      fetch_timeout = "5s";
      fetch_interval = "2s";
    };

    ## This runner supports Docker (default image: node:16-bullseye, which is
    ## Debian-based) and native modes. In native mode, it contains a few
    ## default packages.
    # NOTE(review): the image is referenced by a mutable tag rather than a
    # digest, and Node.js 16 is past upstream end-of-life.
    # NOTE(review): `native:host` jobs run on this machine without a
    # container, presumably as the runner's service user, which also owns the
    # Attic config generated below. Confirm on the forge side which
    # repositories and workflows may target that label.
    labels = [
      "docker:docker://node:16-bullseye"
      "native:host"
    ];
    hostPackages = [
      pkgs.bash
      pkgs.git
      pkgs.nix
      pkgs.nodejs
    ];
  };

  ## For the Docker mode of the runner.
  # NOTE(review): access to the Docker daemon is generally equivalent to root
  # on the host; which users can reach its socket is decided by the runner
  # module and is not visible here.
  virtualisation.docker.enable = true;

  vars = {
    settings.on-machine.enable = true;

    # Copies the age-provided Attic CI token into a generator output that is
    # marked as secret.
    generators.attic = {
      runtimeInputs = [ pkgs.coreutils ];
      files.token.secret = true;
      script = ''
        cp "${config.age.secrets.attic-ci-token.path}" "$out/token"
      '';
    };

    # Renders each template file by replacing the token placeholder with the
    # real token once the "attic" generator has run.
    generators.templates =
      let
        templateFiles."attic.toml" = {
          secret = true;
          owner = runnerUser;
          # Plain HTTP here is limited to the loopback interface.
          template = pkgs.writeText "attic.toml" ''
            default-server = "fediversity"

            [servers.fediversity]
            endpoint = "http://localhost:8080"
            token = "${config.vars.generators.attic.files.token.placeholder}"
          '';
        };
      in
      {
        dependencies = [ "attic" ];
        runtimeInputs = [
          pkgs.coreutils
          pkgs.gnused
        ];
        files = templateFiles;
        # NOTE(review): the token is spliced into the sed expression, so it
        # is passed in sed's argv while the command runs, and any `/`, `&` or
        # `\` in it would be interpreted by sed rather than copied literally.
        # Confirm the token's alphabet, and consider a substitution that does
        # not place the secret on a command line.
        script = lib.concatMapStringsSep "\n" (fileName: ''
          cp "$templates/${fileName}" "$out/${fileName}"
          echo "filling placeholders in template ${fileName}..."
          sed -i "s/${atticToken.placeholder}/$(cat "${atticToken.path}")/g" "$out/${fileName}"
        '') (lib.attrNames templateFiles);
      };
  };

  # needed to place a config file with home-manager
  users.users.${runnerUser} = {
    isNormalUser = true;
  };

  home-manager.users.${runnerUser}.home =
    let
      renderedPath = config.vars.generators.templates.files."attic.toml".path;
      # presumably turns the base name into one acceptable for a store path;
      # verify against home-manager's strings.nix
      linkName = hmStrings.storeFileName (baseNameOf renderedPath);
    in
    {
      stateVersion = "25.05";
      # Only a symlink to the rendered file's path is built, so the
      # derivation output in the Nix store holds the link and not the token.
      file.".config/attic/config.toml".source =
        pkgs.runCommandLocal linkName { } ''ln -s ${lib.escapeShellArg renderedPath} $out'';
    };
}