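{
  config,
  lib,
  pkgs,
  ...
}:
# NixOS module: registers this host as a Forgejo/Gitea Actions runner named
# "orbi" against https://git.ingolf-wagner.de. Jobs execute natively on the
# host (label "native:host"); the registration token is provisioned as a
# clan fact and handed to the runner as an EnvironmentFile.
{

  # Container runtime for docker:// labels. All such labels are currently
  # commented out below, so this is presumably kept for future use.
  virtualisation.podman.enable = true;

  # Deliberately left disabled: a trusted user can override nix daemon
  # settings (substituters, sandboxing, ...) and is thereby essentially
  # root on the host. A CI runner that executes workflows from the forge
  # would pass that power on to every job.
  #nix.settings.trusted-users = [ "root" "gitea-runner"];
  # Jobs call `nix` (see hostPackages), so the runner must be allowed to
  # talk to the daemon. "*" already admits every user, which makes the
  # explicit entry redundant; it is kept to document the requirement.
  nix.settings.allowed-users = [
    "*"
    "gitea-runner"
  ];

  # Static service account. The systemd override below disables DynamicUser
  # for the runner unit, so the account it runs as has to exist statically.
  users.users.gitea-runner = {
    isSystemUser = true;
    group = "gitea-runner";
  };
  users.groups.gitea-runner = { };

  # Runner registration token managed as a clan fact. The generator writes
  # it in EnvironmentFile syntax (`TOKEN=...`), which is what the runner's
  # tokenFile option consumes.
  clan.core.facts.services.gitea-runner = {
    secret."gitea-runner.token" = { };
    generator = {
      # The value asked for is the runner *registration token* issued by
      # the forge, not a user password.
      prompt = "please enter your gitea-runner password";
      path = with pkgs; [ coreutils ];
      script = ''
        echo "TOKEN=$prompt_value" > "$secrets"/gitea-runner.token
      '';
    };
  };

  # Run the instance unit as the static gitea-runner user instead of the
  # module's DynamicUser sandbox. This gives up the hardening DynamicUser
  # implies (ephemeral uid, PrivateTmp, ProtectSystem=strict) — presumably
  # so job state and the token file are owned by a stable account; the
  # unit's User= is expected to remain gitea-runner (confirm against the
  # upstream module), which is why the account above is created explicitly.
  systemd.services."gitea-runner-orbi" = {
    serviceConfig = {
      DynamicUser = lib.mkForce false;
    };
  };

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances."orbi" = {
      enable = true;
      settings = {
        runner = {
          # Per-job upper bound; presumably raised for long builds.
          timeout = "12h";
        };
      };
      # Tools visible to jobs that run on the host via "native:host". With
      # no container boundary this PATH is the whole toolbox a job gets.
      hostPackages = [
        pkgs.bash
        pkgs.coreutils
        pkgs.curl
        pkgs.gawk
        pkgs.gitMinimal
        pkgs.gnused
        pkgs.nodejs
        pkgs.wget
        pkgs.nix
        pkgs.openssh
      ];
      url = "https://git.ingolf-wagner.de";
      # EnvironmentFile containing TOKEN=..., produced by the facts generator above.
      tokenFile = config.clan.core.facts.services.gitea-runner.secret."gitea-runner.token".path;
      name = "orbi";

      labels = [
        # provide a debian base with nodejs for actions
        #"debian-latest:docker://node:18-bullseye"
        # fake the ubuntu name, because node provides no ubuntu builds
        #"ubuntu-latest:docker://node:18-bullseye"
        # provide native execution on the host
        # Security note: every workflow targeting this label runs directly
        # on this machine as the runner user, with no container isolation
        # between jobs or between a job and the host. Register the runner
        # only at a scope (repository/organisation) whose workflows you trust.
        "native:host"
      ];
    };
  };

}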