{ lib, config, pkgs, ... }:

let
  # Single place for the agenix secret name; it is referenced twice below
  # (once to declare the secret, once to hand its decrypted path to the runner).
  tokenSecret = "services/gitea/cirunner-token";

  # Toolchain exposed to the runner for jobs that run with the "native:host"
  # label, i.e. directly on this machine rather than inside a container.
  hostTools = [
    pkgs.bash
    pkgs.coreutils
    pkgs.curl
    pkgs.gawk
    pkgs.gitMinimal
    pkgs.gnused
    pkgs.nodejs
    pkgs.wget
  ];
in
{
  # Container runtime behind the "docker://" labels of the runner below.
  virtualisation.podman.enable = true;
  virtualisation.podman.autoPrune.enable = true;
  # docker CLI compatibility layer; presumably what the docker:// labels rely on.
  virtualisation.podman.dockerCompat = true;

  # podman seems to not work with systemd-resolved, so pin public resolvers for
  # containers. NOTE(review): job containers below use container.network = "host"
  # and therefore share the host's network namespace; whether this setting still
  # takes effect for them is worth confirming on the machine.
  virtualisation.containers.containersConf.settings.containers.dns_servers = [
    "8.8.8.8"
    "8.8.4.4"
  ];

  services.gitea-actions-runner.instances.cirunner = {
    enable = true;
    url = "https://git.kabtop.de";
    name = "CI Kabtop runner";

    # Only the *path* of the decrypted token is placed in the generated
    # configuration; the token content itself stays out of the Nix store
    # (assumes the agenix module is imported elsewhere in this configuration).
    tokenFile = config.age.secrets.${tokenSecret}.path;

    # Label -> execution environment. "native:host" runs a job directly on this
    # machine as the runner user; every other label runs the job in a podman
    # container created from the named image.
    labels = [
      "ci"
      "debian-latest:docker://node:18-bullseye"
      "ubuntu-latest:docker://node:16-bullseye"
      "ubuntu-22.04:docker://node:16-bullseye"
      "ubuntu-20.04:docker://node:16-bullseye"
      "ubuntu-18.04:docker://node:16-buster"
      "native:host"
    ];

    hostPackages = hostTools;

    settings.container = {
      # Host networking: job containers see every interface and every
      # loopback-bound service of this machine, so a workflow is trusted to the
      # same degree as anything that can reach localhost here — keep that in
      # mind when accepting workflows from forks. Chosen by the author as the
      # default network that also respects the dns server settings above.
      network = "host";
      # Never hand jobs a privileged container; spelled out explicitly so a
      # changed upstream default cannot silently widen what a job may do.
      privileged = false;
      # Earlier, now disabled, bind-mount based setup kept for reference:
      # options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
      # valid_volumes = [
      #   "/nix"
      #   "${storeDeps}/bin"
      #   "${storeDeps}/etc/ssl"
      # ];
    };
  };

  # Declares the encrypted runner registration token; it is decrypted to a file
  # owned by the gitea-runner user so the runner service can read it.
  age.secrets.${tokenSecret} = {
    file = ../../../secrets/services/gitea/cirunner-token.age;
    owner = "gitea-runner";
  };
}