{
  config,
  pkgs,
  ...
}: {
  sops.secrets."actions_runner/token" = {};

  virtualisation.docker.enable = true;

  sops.secrets."ssh/authorizedKeys/nix-deploy" = {};

  users.users.root.openssh.authorizedKeys.keyFiles = [
    config.sops.secrets."ssh/authorizedKeys/nix-deploy".path
  ];

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.default = {
      enable = true;
      name = "monolith";
      url = config.services.forgejo.settings.actions.DEFAULT_ACTIONS_URL;
      tokenFile = config.sops.secrets."actions_runner/token".path;
      labels = [
        "debian-latest:docker://debian:latest"
        "ubuntu-latest:docker://node:current-bullseye"
        "alpine-latest:docker://node:current-alpine"
        "nix-latest:docker://nixos/nix:latest"
        "archlinux-latest:docker://archlinux/archlinux:latest"
      ];
    };
  };
}