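{ pkgs, config, lib, ... }:
{
  # Host module for the Forgejo Actions runner "fj-hetzner-aarch64" plus a
  # Cachix deploy agent. Secrets come from sops-nix (./secrets.sops.yaml).
  imports = [ ../cachix.nix ];

  environment.systemPackages = with pkgs; [
    # vim  -- added by srvos.nixosModules.server
    # git  -- srvos.nixosModules.server
    # tmux -- srvos.nixosModules.server
    cachix
    lazydocker
    lazygit
    nodejs_20 # required by actions such as checkout
    openssl
  ];

  # Runner registration token.
  # Kept at the sops-nix default of root:root 0400. The previous 0444 made the
  # token readable by every local account, including anything a job executes
  # as under the `native-aarch64:host` label below.
  # NOTE(review): assumes the runner unit consumes tokenFile via systemd
  # (an EnvironmentFile-style load, read before privileges are dropped). If the
  # runner instead opens the path as its own user, set `owner = "gitea-runner"`
  # here rather than widening the mode again.
  sops.secrets."forgejo-runner-token" = {
    sopsFile = ./secrets.sops.yaml;
    mode = "0400";
    restartUnits = [ "gitea-runner-default.service" ];
  };

  # Cachix deploy-agent credentials; same ownership/mode reasoning as above.
  sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64" = {
    sopsFile = ./secrets.sops.yaml;
    mode = "0400";
    restartUnits = [ "cachix-agent.service" ];
  };

  # SECURITY: a Nix trusted user may set arbitrary substituters and daemon
  # options, which is effectively root over the store. Together with the docker
  # group membership and the `:host` label below, any job this runner accepts
  # runs with root-equivalent reach on this machine -- only register it against
  # repositories/owners you fully trust.
  nix.settings.trusted-users = [ "gitea-runner" ];

  virtualisation.docker.enable = true;

  users.users.gitea-runner = {
    isNormalUser = true;
    group = "gitea-runner";
    # docker group membership grants access to the Docker socket, i.e. root.
    extraGroups = [ "docker" ];
  };
  users.groups.gitea-runner = { };

  # Runner communication port for cache restores.
  # NOTE(review): this opens the port on every interface; if only local
  # containers need to reach it, restrict it at the provider/host firewall.
  networking.firewall.allowedTCPPorts = [ 45315 ];

  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances.default = {
      enable = true;
      name = "fj-hetzner-aarch64";
      url = "https://git.hsn.dev";
      # Path is provided by sops-nix at activation time.
      tokenFile = config.sops.secrets.forgejo-runner-token.path;
      labels = [
        "aarch64"
        "linux"
        "pc"
        # Containerised jobs. The image is a mutable tag, not pinned by digest,
        # so what runs can change underneath the runner.
        "docker-aarch64:docker://node:20-bullseye"
        # Runs job steps directly on this host (as the gitea-runner user).
        "native-aarch64:host"
      ];
    };
  };

  services.cachix-agent = {
    enable = true;
    credentialsFile = config.sops.secrets."cachix/agent_auth_tokens/fj-hetzner-aarch64".path;
  };

  system.stateVersion = "24.05";
}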