{ pkgs, config, hostname, ... }: {

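    # Runner registration token for the Forgejo instance, decrypted by sops-nix.
    # The nixpkgs gitea-actions-runner module hands `tokenFile` to systemd as
    # EnvironmentFile=, which the service manager reads as root before it
    # switches to the DynamicUser. The file therefore does not have to be
    # world-readable; 0444 would let every local account (and every job the
    # runner executes on this host) read the token.
    # Check the wiring with:
    #   systemctl cat gitea-actions-runner-<hostname>.service
    sops.secrets."services/forgejo_token" = {
        owner = "root";
        mode = "0400"; # root-only; systemd loads it on behalf of the DynamicUser
        sopsFile = ../../../secrets/secrets.yaml;
        # Restart the runner whenever the decrypted token changes.
        restartUnits = [ "gitea-actions-runner-${hostname}.service" ];
    };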

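    # Forgejo/Gitea Actions runner instance named after this host.
    services.gitea-actions-runner = {
        package = pkgs.gitea-actions-runner;
        instances."${hostname}" = {
            enable = true;
            name = "${hostname}";
            # "host://" label: jobs execute directly on this machine rather than
            # in a container, so any workflow that can target this runner is
            # code execution on the host. Restrict which repositories/users may
            # schedule jobs here on the Forgejo side.
            labels = [ "self-hosted:host://-self-hosted" ];
            url = "https://git.sysctl.io";
            # Take the path from the sops-nix declaration instead of a bare Nix
            # path literal: it stays in sync with the secret's name, and it is a
            # plain string, so it can never be copied into the world-readable
            # Nix store by string interpolation.
            tokenFile = config.sops.secrets."services/forgejo_token".path;
            # Tools placed on PATH for jobs running on the host.
            hostPackages = with pkgs; [
                # Default
                bash
                coreutils
                curl
                gawk
                gitMinimal
                gnused
                nodejs
                wget

                # Extras
                # NOTE(review): this is the store copy of sudo, which carries no
                # setuid bit; presumably it cannot elevate from the DynamicUser
                # service. Confirm jobs need it, otherwise drop it.
                sudo
                tailscale
                fish
            ];
        };
    };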
}