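# Forgejo Actions runner configuration: two Vault-provided registration tokens
# and two runner instances ("actions1" and a container-less "actions-native").
# The secret paths below refer to host "nix-cache02".
{ config, pkgs, ... }:
{
  # Registration token for the "actions1" runner, fetched from Vault.
  vault.secrets.forgejo-runner-token = {
    secretPath = "hosts/nix-cache02/forgejo-runner-token";
    extractKey = "token";
    # Root-only. The upstream gitea-actions-runner module passes tokenFile to
    # systemd as EnvironmentFile=, which is read before the unit drops
    # privileges, so the runner's own user needs no read access to this file.
    # A world-readable mode (0444) would expose the token to every local user,
    # including CI jobs that the native runner below executes on the host.
    # NOTE(review): assumes vault.secrets leaves the file owned by root; confirm.
    mode = "0400";
    services = [ "gitea-runner-actions1" ];
  };

  # Only the token source and the capacity are overridden here; the rest of
  # this instance is presumably defined in another module.
  services.gitea-actions-runner.instances.actions1 = {
    tokenFile = "/run/secrets/forgejo-runner-token";
    settings.runner.capacity = 4;
  };

  # Registration token for the "actions-native" runner, fetched from Vault.
  vault.secrets.forgejo-native-runner-token = {
    secretPath = "hosts/nix-cache02/forgejo-native-runner-token";
    extractKey = "token";
    # Root-only for the same reason as forgejo-runner-token above.
    mode = "0400";
    # NOTE(review): upstream derives the unit name with escapeSystemdPath,
    # which escapes "-" inside the instance name; verify that the unit is
    # really called "gitea-runner-actions-native" so this dependency matches.
    services = [ "gitea-runner-actions-native" ];
  };

  # Native nix runner instance (user-level, no containers).
  # The ":host" label makes jobs run directly on this machine with
  # hostPackages on PATH. There is no container boundary, so a job can reach
  # whatever the runner's service user can: keep secrets root-only and offer
  # this label only to trusted repositories and workflows.
  services.gitea-actions-runner.instances.actions-native = {
    enable = true;
    name = "${config.networking.hostName}-native";
    url = "https://code.t-juice.club";
    tokenFile = "/run/secrets/forgejo-native-runner-token";
    labels = [ "native-nix:host" ];
    # Tools made available to host-executed jobs.
    hostPackages = with pkgs; [
      bash
      coreutils
      curl
      gawk
      git
      gnused
      nodejs
      wget
      nix
    ];
    settings = {
      # Up to four jobs run concurrently on the host.
      runner.capacity = 4;
      cache = {
        enabled = true;
        dir = "/var/lib/gitea-runner/actions-native/cache";
      };
    };
  };
}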