# NixOS module: self-hosted Forgejo/Gitea Actions runner for git.cyplo.dev.
#
# The runner module and the forgejo-runner package are both taken from the
# nixpkgs-nixos-unstable flake input instead of the system's own nixpkgs.
# Jobs run either in Docker containers or directly on this host, depending on
# the label they request (see `labels` below).
{
  config,
  pkgs,
  inputs,
  lib,
  system,
  ...
}: let
  # Flake input used as the source of both the module and the runner package.
  unstable = inputs.nixpkgs-nixos-unstable;
  package = unstable.legacyPackages."${system}".forgejo-runner;
in {
  # Swap the stock runner module for the copy shipped with `unstable`; the
  # stock one must be disabled so the two do not declare the same options.
  disabledModules = ["services/continuous-integration/gitea-actions-runner.nix"];
  imports = [
    "${unstable}/nixos/modules/services/continuous-integration/gitea-actions-runner.nix"
  ];

  # Runner registration token, kept encrypted in the repository with sops.
  # `format = "binary"` treats the whole file as the secret rather than as a
  # key inside a YAML/JSON document. The service only ever receives the path
  # of the decrypted file (see `tokenFile` below).
  sops.secrets."gitea-runner-token" = {
    sopsFile = ./gitea-runner-token.sops;
    format = "binary";
  };
  # Docker backs the `docker://` label. Unused images and containers are
  # pruned automatically, and containers get IPv6 addresses from a
  # unique-local (fd00::/8) range.
  virtualisation.docker = {
    enable = true;
    autoPrune.enable = true;
    daemon.settings = {
      fixed-cidr-v6 = "fd00::/80";
      ipv6 = true;
    };
  };

  services.gitea-actions-runner = {
    inherit package;
    instances.cupsnet-local = {
      enable = true;
      url = "https://git.cyplo.dev";
      tokenFile = config.sops.secrets."gitea-runner-token".path;
      name = "cupsnet local";
      settings = {
        runner.capacity = 1; # one job at a time, to bound memory use
        # Job containers share the host's network namespace, so there is no
        # network isolation between a job and services listening on this
        # machine (including ones bound to localhost).
        # NOTE(review): presumably needed so jobs can reach the cache server
        # below; confirm, and prefer a dedicated Docker network if not.
        container.network = "host";
        # Actions cache server on a fixed port.
        # NOTE(review): verify the firewall does not expose this port beyond
        # the jobs that need it.
        cache = {
          enabled = true;
          port = 40135;
        };
      };
      # Tools put on PATH for jobs that run on the host itself (the `:host`
      # label below).
      # NOTE(review): `sudo` and `nix` are available to those jobs; what sudo
      # actually permits depends on sudoers rules not shown in this file.
      # Confirm the runner's service user has no more privilege than intended.
      hostPackages = with pkgs; [
        bash
        coreutils
        curl
        gawk
        gitMinimal
        gnused
        nodejs
        wget
        sudo
        nix
      ];
      # Label -> execution environment.
      #  - `flakes-action` runs in a container from the project's base image.
      #    The `:latest` tag is mutable, so the image a job runs in can change
      #    without any change to this file; pin an immutable tag or digest if
      #    reproducibility or supply-chain integrity matters.
      #  - `linux_amd64:host` runs the job directly on this machine, without
      #    container isolation. Any workflow allowed to target this label
      #    executes code on the host, so restrict the runner to trusted
      #    repositories and avoid running untrusted pull requests on it.
      labels = [
        "flakes-action:docker://git.cyplo.dev/cyplo/base-images/flakes-action:latest"
        "linux_amd64:host"
      ];
    };
  };
}