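# NixOS module: Forgejo Actions runners registered against git.stupid.fish,
# plus a oneshot unit that builds the local docker-in-docker job image.
{ config, pkgs, ... }:

let
  # Fixed uid of the actions-runner account declared below.
  UID = 1126;
in {
  # Runner registration tokens, declared through the repo's desu.secrets option.
  # NOTE(review): only the -sf token is read in this file; forgejo-runners-token
  # is presumably consumed elsewhere - confirm, or drop the declaration.
  desu.secrets.forgejo-runners-token = {};
  desu.secrets.forgejo-runners-token-sf = {};

  # NOTE(review): nothing else in this file references this account, so its
  # purpose cannot be read from here. isNormalUser gives it a home directory and
  # a login shell; if it only exists to own files at a fixed uid, isSystemUser
  # would be the narrower choice - confirm how it is used before changing.
  users.users.actions-runner = {
    isNormalUser = true;
    uid = UID; # was a second literal 1126; reuse the let binding so the two cannot drift
  };

  # Builds local/actions-runner-dind from ./image-dind once docker is up.
  systemd.services.actions-runner-build-dind = {
    description = "dind image builder for actions runner";
    after = [ "docker.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.docker}/bin/docker build -t local/actions-runner-dind ${pkgs.copyPathToStore ./image-dind}";
    };
  };

  # Pull the image build in whenever these runner units start.
  # NOTE(review): Requires= alone does not order units; without a matching
  # After= a runner can start while the build is still running. Also, the
  # instance that uses local/actions-runner-dind is koi-dind, and no
  # koi-stupid-fish instance is defined in this file - confirm these are the
  # intended unit names.
  systemd.services.gitea-runner-koi.requires = [ "actions-runner-build-dind.service" ];
  systemd.services.gitea-runner-koi-stupid-fish.requires = [ "actions-runner-build-dind.service" ];

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;

    # General-purpose, unprivileged runner.
    instances.koi = {
      name = "koi";
      enable = true;
      url = "https://git.stupid.fish";
      tokenFile = config.desu.secrets.forgejo-runners-token-sf.path;
      # NOTE(review): these are mutable tags, so the job environment changes
      # whenever upstream re-pushes them; pinning by digest would make it
      # reproducible. Node 18 is also past upstream end-of-life.
      labels = [
        "node18:docker://node:18-bullseye"
        "node20:docker://node:20-bullseye"
        "node22:docker://node:22-bullseye"
        # fun fact: the actual image doesnt matter! it's only used to determine the runner
        "docker:docker://node:22-bullseye"
      ];
      settings = {
        runner.capacity = 8;
      };
    };

    # a separate runner for dind because it requires privileged mode and act-runner doesnt support setting --privileged for certain images
    instances.koi-dind = {
      name = "koi-dind";
      enable = true;
      url = "https://git.stupid.fish";
      # Same token file as instances.koi, so both runners register at whatever
      # scope that token has.
      tokenFile = config.desu.secrets.forgejo-runners-token-sf.path;
      labels = [
        "docker-dind:docker://local/actions-runner-dind"
      ];
      settings = {
        # Job containers on this runner run privileged, which is equivalent to
        # root on the docker host for any workflow that can select the
        # docker-dind label.
        # NOTE(review): confirm only trusted repositories and workflows can
        # target this runner, e.g. by registering it with a narrower-scoped
        # token than the shared one above.
        container.privileged = true;
      };
    };
  };
}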