# NixOS module: Podman as the container backend plus one Forgejo Actions
# runner instance ("main") that executes CI jobs in containers.
{ config, pkgs, ... }:
{
  # Traffic arriving on a trusted interface is accepted unconditionally by the
  # NixOS firewall. The trailing `+` is a wildcard, so every interface whose
  # name starts with `podman` is covered.
  # NOTE(review): this lets every container on those bridges, CI job
  # containers included, reach any port the host listens on. If only DNS and
  # the Forgejo endpoint are needed, per-interface allowed ports under
  # `networking.firewall.interfaces` would be a narrower grant. Confirm which
  # ports the jobs need before tightening.
  networking.firewall.trustedInterfaces = [ "podman+" ];

  virtualisation.podman.enable = true;

  # Exposes the Podman API socket at the Docker socket location so
  # Docker-API clients work unchanged.
  # NOTE(review): access to this socket is root-equivalent on the host, as
  # with Docker. Keep membership of the `podman` group minimal and do not
  # mount the socket into job containers that run untrusted workflows.
  virtualisation.podman.dockerSocket.enable = true;

  # Settings for Podman's default network: name resolution for containers
  # and IPv6 are both switched on.
  virtualisation.podman.defaultNetwork.settings = {
    dns_enabled = true;
    ipv6_enabled = true;
  };

  # The gitea-actions-runner module is reused with the Forgejo runner package.
  # NOTE(review): `pkgs.unstable` is not defined in this file; presumably an
  # overlay provides it. Verify where that package set is pinned.
  services.gitea-actions-runner.package = pkgs.unstable.forgejo-runner;

  services.gitea-actions-runner.instances.main = {
    enable = true;
    name = "main";

    # The runner registers against the Forgejo instance configured on this
    # same host.
    url = config.services.forgejo.settings.server.ROOT_URL;

    # The registration token is read from the path of an agenix secret
    # instead of being written inline in the configuration.
    tokenFile = config.age.secrets."services/forgejo/runner-token".path;

    # Jobs requesting `ubuntu-latest` run in this container image.
    # NOTE(review): `act-latest` is a mutable tag on a third-party image, so
    # the code executing CI jobs can change without any change here. Pinning
    # by digest (`...@sha256:<digest>`) makes image updates explicit and
    # reviewable.
    labels = [ "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest" ];

    settings = {
      container = {
        # Inside job containers the Forgejo domain resolves to the host
        # gateway address. Together with the trusted `podman+` interfaces
        # above, this gives workflow code a direct path to services on the
        # host.
        options = "--add-host=${config.services.forgejo.settings.server.DOMAIN}:host-gateway";
      };
    };
  };
}