{ config, lib, pkgs, utils, ... }:
let
  # NOTE(review): escapeSystemdPath is not referenced anywhere in this module body.
  inherit (utils) escapeSystemdPath;

  # clan fact that stores the runner registration token; its `.path` is
  # handed to the runner instance as `tokenFile` below.
  runnerToken = config.clan.core.facts.services.gitea-runner.secret."gitea-runner.token";
in
{
  # NixOS module: registers one Forgejo/Gitea Actions runner instance ("orbi")
  # against https://git.ingolf-wagner.de, running as a static system user.
  #
  # Author's note:
  # For some reason no `runs-on: ubuntu-latest` (docker container) job can be
  # used to build docker containers; the build has to run natively, with the
  # docker commands issued via `run: docker build ...`.
  #
  # `runs-on: ubuntu-latest` together with `docker/login-action` or
  # `docker/build-and-push-action` does not work.

  # "*" already admits every local user to the Nix daemon, so the explicit
  # "gitea-runner" entry is redundant as written. If an allow-list is the
  # intent, "*" is the entry to drop.
  nix.settings.allowed-users = [
    "*"
    "gitea-runner"
  ];

  # Static account and group for the runner service.
  users = {
    users.gitea-runner = {
      isSystemUser = true;
      group = "gitea-runner";
    };
    groups.gitea-runner = { };
  };

  clan.core.facts.services.gitea-runner = {
    secret."gitea-runner.token" = { };
    generator = {
      # The prompt says "password", but the value is stored as `TOKEN=<value>`
      # and consumed as the runner's token file.
      prompt = "please enter your gitea-runner password";
      path = [ pkgs.coreutils ];
      # $prompt_value and $secrets are not defined in this file; presumably
      # the clan facts generator provides them. Confirm against clan docs.
      # NOTE(review): the file holds a credential in clear text. Verify that
      # the facts backend restricts its permissions to the runner service.
      script = ''
        echo "TOKEN=$prompt_value" > "$secrets"/gitea-runner.token
      '';
    };
  };

  systemd.services."gitea-runner-orbi" = {
    # Force DynamicUser off, presumably so the unit runs as the static
    # gitea-runner account declared above (the upstream module default is
    # not visible in this file).
    serviceConfig.DynamicUser = lib.mkForce false;

    # make docker build output readable
    environment.BUILDKIT_PROGRESS = "plain";
  };

  services.gitea-actions-runner.package = pkgs.forgejo-runner;

  services.gitea-actions-runner.instances.orbi = {
    enable = true;
    name = "orbi";
    url = "https://git.ingolf-wagner.de";
    tokenFile = runnerToken.path;

    # Per-job timeout of twelve hours.
    settings.runner.timeout = "12h";
    #container.network = "host";
    #container.network = "bridge";
    #container.docker_host = "unix:///var/run/podman/podman.sock";

    # Tools available to jobs that run directly on the host (`native:host`).
    # docker and podman clients are included: if the service user can reach
    # the Docker daemon socket, that access is equivalent to root on this
    # machine. Group membership is not set in this file, so check the
    # effective unit.
    hostPackages = with pkgs; [
      bash
      coreutils
      curl
      gawk
      gitMinimal
      gnused
      nodejs
      wget
      nix
      openssh
      podman
      docker
    ];

    labels = [
      # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
      # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
      # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
      # If it's empty when registering, it will ask for inputting labels.
      # If it's empty when execute `daemon`, will use labels in `.runner` file.
      #
      # NOTE(review): these image references use mutable tags, so the image
      # behind a label can change between runs. Pin by digest if job
      # environments must be reproducible and auditable.
      "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
      "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
      "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
      # provide native execution on the host
      # Jobs selecting `native` run without container isolation, as the
      # runner's service user on this machine. Treat every workflow able to
      # target this runner as trusted code and scope the runner registration
      # (repository / organisation) accordingly.
      "native:host"
      # provide a debian base with nodejs for actions
      #"debian-latest:docker://node:18-bullseye"
      # fake the ubuntu name, because node provides no ubuntu builds
      #"ubuntu-latest:docker://node:18-bullseye"
    ];
  };
}