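{ config, pkgs, lib, inputs, ... }:
with lib;
let
  name = "forgejo_runner";
  cfg = config.services.skynet."${name}";
in {
  imports = [ ];

  options.services.skynet."${name}" = {
    enable = mkEnableOption "Skynet ForgeJo Runner";

    runner = {
      # Name the runner registers itself under; defaults to the host's name.
      name = mkOption {
        type = types.str;
        default = config.networking.hostName;
      };
      # Forgejo instance the runner registers with.
      website = mkOption {
        default = "https://forgejo.skynet.ie";
        type = types.str;
      };
      # Unix user (and group of the same name) the runner service runs as.
      # It also owns the registration token and the deployment SSH key below.
      user = mkOption {
        default = "gitea-runner";
        type = types.str;
      };
    };
  };

  config = mkIf cfg.enable {
    # Upstream option reference for the runner module used below:
    # https://search.nixos.org/options?query=services.gitea-actions-runner
    environment.systemPackages = with pkgs; [ forgejo-actions-runner ];

    # Registration token, decrypted by agenix and owned by the runner user.
    age.secrets.forgejo_runner_token = {
      file = ../../secrets/forgejo/runners/token.age;
      owner = cfg.runner.user;
      group = cfg.runner.user;
    };

    # Make sure the ssh config is in the right place.
    # NOTE: systemd-tmpfiles ignores the mode field for "L+" (symlink) entries,
    # so the 0755 here has no effect; the target's permissions are those of the
    # nix store copy of ./ssh_config.
    systemd.tmpfiles.rules = [
      #"d /home/${cfg.runner.user} 0755 ${cfg.runner.user} ${cfg.runner.user}"
      "L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user} - ${./ssh_config}"
    ];

    # Deployment SSH key, written directly (no store symlink) into the runner
    # user's home. Because jobs with the "nix:host" label below execute
    # natively as this same user, any workflow scheduled on this runner can
    # read this key; treat everything this runner accepts as trusted code.
    age.secrets.forgejo_runner_ssh = {
      file = ../../secrets/forgejo/runners/ssh.age;
      mode = "600";
      owner = "${cfg.runner.user}";
      group = "${cfg.runner.user}";
      symlink = false;
      path = "/home/${cfg.runner.user}/.ssh/skynet/root";
    };

    nix = {
      settings = {
        trusted-users = [
          # Allow the runner to build nix stuff and to use the cache.
          # Use the configured user instead of a hard-coded "gitea-runner" so
          # changing `runner.user` cannot silently drop the trust entry.
          # SECURITY: a Nix trusted user may supply arbitrary substituters,
          # import unsigned store paths and relax sandbox settings, which is
          # effectively root on this machine. Native job execution means every
          # workflow that lands here inherits that power.
          cfg.runner.user
        ];
        trusted-public-keys = [
          "skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo="
          "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        ];
        substituters = [
          "https://nix-cache.skynet.ie/skynet-cache/"
          "https://cache.nixos.org/"
        ];
        trusted-substituters = [
          "https://nix-cache.skynet.ie/skynet-cache/"
          "https://cache.nixos.org/"
        ];
      };
    };

    # Very basic setup to always be watching for changes in the cache and
    # push them to the "skynet-cache" attic cache.
    # NOTE(review): this runs as root with an unconditional restart; whether a
    # dedicated user with read access to the store and the attic credentials
    # would suffice has not been checked here.
    systemd.services.attic-uploader = {
      enable = true;
      serviceConfig = {
        ExecStart = "${pkgs.attic-client}/bin/attic watch-store skynet-cache";
        User = "root";
        Restart = "always";
        RestartSec = 1;
      };
    };

    # Give the runner user a real home to store the ssh config in: the
    # upstream module defaults to DynamicUser, which would not give the
    # service a persistent home directory or ownership of the secrets above.
    systemd.services.gitea-runner-default.serviceConfig = {
      DynamicUser = lib.mkForce false;
      User = lib.mkForce cfg.runner.user;
    };

    users = {
      groups."${cfg.runner.user}" = { };
      users."${cfg.runner.user}" = {
        #isSystemUser = true;
        # A normal user (with a login shell) so it gets a home under /home
        # that the tmpfiles rule and the ssh key path above can rely on.
        isNormalUser = true;
        group = cfg.runner.user;
        createHome = true;
        shell = pkgs.bash;
      };
    };

    # The actual runner.
    services.gitea-actions-runner = {
      package = pkgs.forgejo-actions-runner;
      instances.default = {
        enable = true;
        name = cfg.runner.name;
        url = cfg.runner.website;
        tokenFile = config.age.secrets.forgejo_runner_token.path;
        labels = [
          ## optionally provide native execution on the host:
          # Jobs with this label run directly as ${cfg.runner.user} on this
          # machine, with the packages listed in hostPackages on PATH.
          "nix:host"
          # NOTE(review): node:16 is past upstream end-of-life; bump the image
          # once the workflows using these labels have been checked against it.
          "docker:docker://node:16-bullseye"
          "ubuntu-latest:docker://node:16-bullseye"
        ];
        hostPackages = with pkgs; [
          # default ones
          bash
          coreutils
          curl
          gawk
          gitMinimal
          gnused
          nodejs
          wget

          # useful to have in path
          jq
          which
          dpkg
          zip
          git-lfs

          # used in deployments
          inputs.colmena.defaultPackage."x86_64-linux"
          attic-client
          nix
          openssh
        ];
      };
    };
  };
}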