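# NixOS host module for a Forgejo Actions runner ("fj-shadowfax-x86_64")
# registered against https://git.hsn.dev.
#
# Security-relevant summary: the runner account is a Nix trusted user and a
# member of the docker group, and one label ("native-x86_64:host") runs jobs
# directly on the host. Each of these is effectively root-equivalent, so any
# workflow allowed to target this runner should be treated as having host-level
# access. Restrict which repositories and users can schedule jobs here.
{ pkgs, config, lib, ... }:
{
  imports = [ ../cachix.nix ];

  environment.systemPackages = with pkgs; [
    # vim -- added by srvos.nixosModules.server
    # git -- srvos.nixosModules.server
    # tmux -- srvos.nixosModules.server
    cachix
    lazydocker
    lazygit
    nodejs_20 # required by actions such as checkout
  ];

  # Registration token for the Forgejo runner, decrypted by sops-nix.
  sops.secrets."forgejo-runner-token" = {
    sopsFile = ./secrets.sops.yaml;
    # Was "0444", which let every local account (and every job running on the
    # host) read the registration token. "0400" with the default root owner is
    # the sops-nix default.
    # NOTE(review): this assumes the runner module hands tokenFile to systemd
    # as an EnvironmentFile, which is read before privileges are dropped.
    # Confirm against the nixpkgs revision in use. If the service user must
    # read the file itself, set `owner` to that user rather than widening the
    # mode.
    mode = "0400";
    restartUnits = [ "gitea-runner-default.service" ];
  };

  # NOTE(review): a Nix trusted user can override daemon settings such as
  # substituters and signature checks, which is effectively root on this
  # machine. Keep this only if CI jobs really need it.
  nix.settings.trusted-users = [ "gitea-runner" ];

  users.users.jahanson = {
    isNormalUser = true;
    # Both "wheel" (sudo) and "docker" grant root-equivalent access.
    extraGroups = [ "wheel" "docker" ];
    # NOTE(review): this password is committed in plain text and ends up in
    # the world-readable Nix store. It only applies when the account is first
    # created, so removing it later does not reset an existing password.
    # Change the password on the host and move to hashedPasswordFile or
    # key-only SSH login.
    initialPassword = "debug123";
  };

  virtualisation.docker.enable = true;

  users.groups.gitea-runner = { };
  users.users.gitea-runner = {
    isNormalUser = true;
    group = "gitea-runner";
    # Access to the Docker socket lets jobs start privileged containers.
    extraGroups = [ "docker" ];
  };

  # Runner communication port for cache restores.
  # NOTE(review): allowedTCPPorts opens the port on every interface. If only
  # local job containers need the cache, scope the rule to the Docker bridge
  # with networking.firewall.interfaces.<name>.allowedTCPPorts.
  networking.firewall.allowedTCPPorts = [ 45315 ];

  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances.default = {
      enable = true;
      name = "fj-shadowfax-x86_64";
      url = "https://git.hsn.dev";
      # Path of the decrypted token file as exposed by sops-nix.
      tokenFile = config.sops.secrets.forgejo-runner-token.path;
      labels = [
        "docker:docker://node:20-bullseye"
        "x86_64"
        "linux"
        "pc"
        "docker-x86_64:docker://node:20-bullseye"
        # Jobs with this label run on the host itself, not in a container.
        "native-x86_64:host"
      ];
    };
  };

  system.stateVersion = "24.05";
}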