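# NixOS configuration for the LXC container "forgejo-runner-tofu", which runs a
# Forgejo Actions runner registered against https://git.skdevstudios.com.
{ lib, flake, modulesPath, config, pkgs, ... }:
let
  inherit (flake) inputs;
  inherit (inputs) self;
in
{
  imports = [
    self.nixosModules.default
    "${modulesPath}/virtualisation/lxc-container.nix"
  ];

  nix.settings = {
    allowed-users = [ "root" "@wheel" "@builders" "gitea-runner" ];
    # NOTE(review): the Nix manual describes membership in trusted-users as
    # essentially equivalent to root access. Because the runner below uses a
    # ":host" label, workflow steps run as this user directly on the machine,
    # so anyone who can get a workflow scheduled here inherits that trust.
    # Keep "gitea-runner" in this list only if jobs need a trusted-only daemon
    # feature; allowed-users alone is enough for ordinary builds.
    trusted-users = [ "root" "gitea-runner" ];
  };

  # Runner registration token.
  # The mode was "0777", which lets every local account (and every CI job on
  # this host) read and overwrite the token. Owner-read is the least privilege
  # that still matches the owner/group set here.
  # NOTE(review): the nixpkgs gitea-actions-runner module appears to hand
  # tokenFile to systemd as an EnvironmentFile, which systemd reads itself, so
  # 0400 should be sufficient; confirm on the next deploy. A token that has
  # already been deployed at 0777 should be re-issued.
  sops.secrets.forgejo-runners-token = {
    owner = "gitea-runner";
    group = "gitea-runner";
    mode = "0400";
  };

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances = {
      native = {
        enable = true;
        url = "https://git.skdevstudios.com";
        name = "nix";
        # ":host" means jobs execute on this system itself, not inside a
        # per-job container, so the container is the only isolation boundary.
        labels = [ "native:host" ];
        tokenFile = config.sops.secrets.forgejo-runners-token.path;
        # Tools made available to host-executed jobs.
        hostPackages = with pkgs; [
          nix
          opentofu
          nodejs
          git
          bash
          coreutils
          curl
        ];
      };
    };
  };

  # `deploy` and `services.tty-ips` are not defined in this file; presumably
  # they come from self.nixosModules.default (verify there).
  deploy = {
    address = "201:ea26:66c7:657b:3599:63a6:c66c:d388";
  };

  services = {
    tty-ips.enable = true;
  };

  networking = {
    # NOTE(review): mkForce overrides any other module that enables the
    # firewall, so nothing on this host filters inbound traffic. Confirm that
    # the LXC host or the surrounding network restricts who can reach the
    # deploy address, or re-enable the firewall and open only what is needed.
    firewall.enable = lib.mkForce false;
    hostName = "forgejo-runner-tofu";
  };

  environment.systemPackages = [ ];

  system.stateVersion = "25.05";
}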