# NixOS module: registers this host as a Forgejo Actions runner for
# https://git.fediversity.eu and builds a Nix-enabled container image
# ("nix-runner:latest") for CI jobs.
#
# `sources` is not taken as a module argument (it is commented out in the
# original header); the npins pins are imported directly in the `let` below.
{ config, pkgs, ... }:

let
  sources = import ../../../npins;

  # Name and tag of the locally built CI image.
  imageName = "nix-runner";
  imageTag = "latest";

  # Base image with Nix pre-installed, built from the pinned Nix source tree.
  nixBaseImage = import (sources.nix + "/docker.nix") {
    inherit pkgs;
    name = "nix-ci-base";
    maxLayers = 10;

    extraPkgs = [
      pkgs.nodejs_20 # nodejs is needed for running most 3rdparty actions
      # add any other pre-installed packages here
    ];

    # Change this if you want a different channel inside the image.
    # NOTE(review): 23.05 is an end-of-life release and no longer receives
    # security updates; consider moving to a supported channel.
    channelURL = "https://nixos.org/channels/nixpkgs-23.05";

    nixConf = {
      # Every cache listed here is trusted to supply store paths to CI jobs:
      # anything signed by one of the keys below is accepted. Keep each
      # substituter paired with its key and keep the list minimal.
      substituters = [
        "https://cache.nixos.org/"
        "https://nix-community.cachix.org"
        # insert any other binary caches here
      ];
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
        # insert the public keys for those binary caches here
      ];

      # allow using the new flake commands in our workflows
      experimental-features = [
        "nix-command"
        "flakes"
      ];
    };
  };
in
{
  _class = "nixos";

  services.gitea-actions-runner.package = pkgs.forgejo-actions-runner;

  services.gitea-actions-runner.instances.default = {
    enable = true;
    name = config.networking.fqdn;
    url = "https://git.fediversity.eu";

    # The registration token is referenced by file path (an age-managed
    # secret), so its value is not written into this module.
    tokenFile = config.age.secrets.forgejo-runner-token.path;

    settings.log.level = "info";
    settings.runner = {
      file = ".runner";
      # Take only 1 job at a time to avoid clashing NixOS tests, see #362
      capacity = 1;
      timeout = "3h";
      # Keep TLS certificate verification of the Forgejo instance enabled.
      insecure = false;
      fetch_timeout = "5s";
      fetch_interval = "2s";
    };

    ## Two execution modes are offered:
    ##  - "docker": jobs run in a container, defaulting to the Debian
    ##    bullseye based node:16 image.
    ##  - "native": jobs run directly on this host, with `hostPackages`
    ##    available.
    ## NOTE(review): native jobs get no container isolation from the host, so
    ## only trusted repositories should be able to schedule onto this runner.
    ## NOTE(review): the node:16-bullseye tag is mutable and Node 16 is end of
    ## life; consider a supported release pinned by digest.
    labels = [
      "docker:docker://node:16-bullseye"
      "native:host"
    ];

    hostPackages = [
      pkgs.bash
      pkgs.git
      pkgs.nix
      pkgs.nodejs
    ];
  };

  virtualisation = {
    ## For the Docker mode of the runner.
    docker.enable = true;

    # Declaring this container makes the image built below available on the
    # host.
    # NOTE(review): none of the labels above refer to nix-runner:latest;
    # confirm where workflows select it. Also confirm that
    # `virtualisation.oci-containers.backend` resolves to docker on this host,
    # otherwise the image is loaded into a different container engine.
    oci-containers.containers.buildResult = {
      # Gives the container access to the host's KVM device, presumably for
      # the NixOS VM tests mentioned at `capacity`; TODO confirm. Workloads in
      # this container can therefore drive hardware virtualisation.
      devices = [ "/dev/kvm:/dev/kvm" ];

      image = "${imageName}:${imageTag}";

      # https://icewind.nl/entry/gitea-actions-nix/
      imageFile = pkgs.dockerTools.buildImage {
        name = imageName;
        tag = imageTag;
        fromImage = nixBaseImage;
        fromImageName = null;
        fromImageTag = "latest";

        # add coreutils (which includes sleep) to /bin
        copyToRoot = pkgs.buildEnv {
          name = "image-root";
          paths = [ pkgs.coreutils-full ];
          pathsToLink = [ "/bin" ];
        };
      };
    };
  };
}