{ pkgs, config, ... }:
{
  vault.secrets.actions-token = {
    secretPath = "hosts/nix-cache01/actions-token";
    extractKey = "token";
    outputDir = "/run/secrets/actions-token-1";
    services = [ "gitea-runner-actions1" ];
  };

  virtualisation.podman = {
    enable = true;
    dockerCompat = true;
  };

  services.gitea-actions-runner.instances = {
    actions1 = {
      enable = true;
      tokenFile = "/run/secrets/actions-token-1";
      name = "actions1.home.2rjus.net";
      settings = {
        log = {
          level = "debug";
        };

        runner = {
          file = ".runner";
          capacity = 4;
          timeout = "2h";
          shutdown_timeout = "10m";
          insecure = false;
          fetch_timeout = "10s";
          fetch_interval = "30s";
        };

        cache = {
          enabled = true;
          dir = "/var/cache/gitea-actions1";
        };

        container = {
          privileged = false;
        };
      };
      labels =
        builtins.map (n: "${n}:docker://gitea/runner-images:${n}") [
          "ubuntu-latest"
          "ubuntu-latest-slim"
          "ubuntu-latest-full"
        ]
        ++ [
          "homelab"
        ];

      url = "https://git.t-juice.club";
    };
  };
}