{ config, lib, pkgs, ... }:

let
  inherit (lib) mkDefault;

  # Runner labels map a job's `runs-on` name to the container image the job
  # executes in.  Every image here is referenced by a mutable tag (`:latest`,
  # `lts-bookworm-slim`), so the job environment can change without any change
  # to this file; pinning by digest (`image@sha256:<digest>`) would make job
  # runs reproducible and the image supply chain auditable.
  runnerLabels = [
    "nix:docker://code.t-juice.club/torjus/runner-images/nix:latest"
    "node-bookworm:docker://node:lts-bookworm-slim"
    "alpine:docker://alpine:latest"
    "golang:docker://code.t-juice.club/torjus/runner-images/golang:latest"
  ];

  # Configuration of the single runner instance registered on this host.
  runnerInstance = {
    enable = true;
    # Register under the machine's hostname so the runner is identifiable in
    # the forge's runner list.
    name = config.networking.hostName;
    url = "https://code.t-juice.club";
    # The registration token is referenced by path, not embedded here, so the
    # secret itself is not part of this configuration; mkDefault lets another
    # module override the location.
    tokenFile = mkDefault "/var/lib/forgejo-runner/token";
    labels = runnerLabels;
    settings = {
      # Job capacity for this runner; mkDefault lets a host override it.
      runner.capacity = mkDefault 2;
      cache = {
        enabled = true;
        dir = "/var/lib/gitea-runner/actions1/cache";
      };
      # Job containers are started without the privileged flag, which limits
      # the blast radius of a malicious or compromised job on the runner host.
      container.privileged = false;
    };
  };
in
{
  networking.firewall = {
    # Trust podman interfaces so containers can reach the runner's cache service.
    # "podman+" is a wildcard matching any interface starting with "podman".
    # NOTE(review): a trusted interface bypasses the firewall entirely, so job
    # containers can reach every service bound on the host, not only the cache.
    # If the cache listens on a fixed port, an allowedTCPPorts entry under
    # `networking.firewall.interfaces."podman+"` would limit exposure to that
    # port — confirm the port before narrowing.
    trustedInterfaces = [ "podman+" ];
  };

  virtualisation.podman = {
    enable = true;
    # Provide the docker CLI and the Docker-compatible API socket that the
    # runner uses to launch job containers.  Whoever can reach that socket
    # controls the container engine, so it must not be mounted into jobs.
    dockerCompat = true;
    dockerSocket.enable = true;
  };

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.actions1 = runnerInstance;
  };
}