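# NixOS host module for a Forgejo/Gitea Actions runner machine.
#
# Declares the runner's tooling, its sops-managed registration token,
# the accounts involved, Docker, and the firewall opening used for cache
# restores. The runner service itself is not defined in this file.
{ pkgs, config, ... }:
{
  imports = [ ../cachix.nix ];

  environment.systemPackages = with pkgs; [
    # vim -- added by srvos.nixosModules.server
    # git -- srvos.nixosModules.server
    # tmux -- srvos.nixosModules.server
    cachix
    lazydocker
    lazygit
    nodejs_20 # required by actions such as checkout
    openssl
  ];

  # Registration token for the gitea/forgejo runner, decrypted by sops-nix.
  sops.secrets."forgejo-runner-token" = {
    sopsFile = ./secrets.sops.yaml;
    # The token was previously installed with mode 0444, which let every
    # local account (and anything bind-mounting the secrets path) read it.
    # Restrict it to the runner account; root, and therefore systemd when it
    # loads the file on the unit's behalf, can still read it.
    owner = config.users.users.gitea-runner.name;
    mode = "0400";
    # Restart the runner whenever the decrypted token changes.
    restartUnits = [ "gitea-runner-default.service" ];
  };

  # Required for the gitea-runner to be able to pull images.
  # NOTE(review): entries in trusted-users may override daemon settings such
  # as substituters, which the Nix manual treats as equivalent to root on the
  # host. Confirm the runner really needs this rather than a narrower setting.
  nix.settings.trusted-users = [ "gitea-runner" ];

  users = {
    groups.gitea-runner = { };
    users = {
      gitea-runner = {
        isNormalUser = true;
        # NOTE(review): access to the Docker socket is root-equivalent, so
        # every CI job that runs as this account should be treated as
        # privileged on this host.
        extraGroups = [ "docker" ];
        group = "gitea-runner";
      };
      jahanson = {
        isNormalUser = true;
        extraGroups = [
          "wheel"
          "docker"
        ];
      };
    };
  };

  virtualisation.docker.enable = true;

  # Runner communication port for cache restores.
  # NOTE(review): allowedTCPPorts opens the port on every interface. If only
  # local job containers need it, scope it with
  # networking.firewall.interfaces.<name>.allowedTCPPorts instead.
  networking.firewall.allowedTCPPorts = [ 45315 ];

  system.stateVersion = "24.05";
}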