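# NixOS module for the host "forgejo-runner-tofu": registers one Forgejo Actions
# runner instance ("native") against https://git.skdevstudios.com and runs jobs
# directly on the host (label "native:host"), with Nix and OpenTofu on the job PATH.
#
# Arguments: the standard module arguments plus `flake`, from which `inputs.self`
# is taken so this repository's default NixOS module can be imported.
{ lib, flake, config, pkgs, ... }:
let
  inherit (flake) inputs;
  inherit (inputs) self;
in
{
  imports = [ self.nixosModules.default ];

  nix.settings = {
    # Accounts and groups allowed to talk to the Nix daemon at all.
    allowed-users = [ "root" "@wheel" "@builders" "gitea-runner" ];

    # NOTE(review): a trusted Nix user can override daemon settings (extra
    # substituters, sandbox options, unsigned imports), which is close to root
    # on this machine. Jobs with the "native:host" label presumably run as the
    # runner account, so every workflow scheduled here inherits that trust.
    # Confirm "gitea-runner" really needs to be trusted; if not, keep it in
    # allowed-users only.
    trusted-users = [ "root" "gitea-runner" ];

    # Signing key for locally built store paths, decrypted by sops-nix.
    # The secret below keeps sops-nix's default ownership and mode.
    secret-key-files = config.sops.secrets.forgejo-nix-key.path;
  };

  sops.secrets.forgejo-runners-token = {
    # owner = "gitea-runner";
    # group = "gitea-runner";

    # Owner-read only. A world-accessible mode lets every local account, and
    # every process started by a CI job, read or replace the runner
    # registration token.
    # NOTE(review): this assumes the runner unit loads tokenFile through
    # systemd (as root) rather than opening it as the service user; confirm the
    # runner still registers after deploying. If the service user must read it
    # directly, grant access through owner/group instead of widening the mode.
    mode = "0400";
  };

  sops.secrets.forgejo-nix-key = { };

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances = {
      native = {
        enable = true;
        url = "https://git.skdevstudios.com";
        name = "nix";
        # "native:host" means jobs are not containerised: they run on this
        # host with the packages listed in hostPackages.
        labels = [ "native:host" "nix" ];
        tokenFile = config.sops.secrets.forgejo-runners-token.path;
        hostPackages = with pkgs; [
          openssh
          nix
          opentofu
          nodejs
          git
          bash
          coreutils
          curl
        ];
      };
    };
  };

  networking = {
    hostName = "forgejo-runner-tofu";
  };

  environment.systemPackages = with pkgs; [ cowsay ];

  system.stateVersion = "25.05";
}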