{
  config,
  pkgs,
  lib,
  sec,
  ...
}:
let
  url = config.services.forgejo.settings.server.ROOT_URL;
  cfg = config.machine.forgejo;
in
with lib;
mkIf cfg.enableRunner {
  sops.secrets = {
    "forgejo/runnerToken" = {
      sopsFile = ./../../secrets/common.yaml;
    };
  };

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.default = {
      name = "forgejo-runner";
      enable = cfg.enableRunner;
      tokenFile = sec."forgejo/runnerToken".path;
      inherit url;
      labels = [
        "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
        "ubuntu-26.04:docker://ghcr.io/catthehacker/ubuntu:act-26.04"
        "ubuntu-24.04:docker://ghcr.io/catthehacker/ubuntu:act-24.04"
        "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04"
        "nixos:docker://nixos/nix:latest"
        "nixos-2.34.4:docker://nixos/nix:2.34.4"
      ];
      settings = {
        container = {
          network = "host";
        };
      };
    };
  };
}