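{ config, pkgs, ... }:
let
  inherit (pkgs.callPackage ../../system/gitlab-runner.nix { }) mkNixRunnerFull;

  # Every runner secret on this host is decrypted from the same sops file.
  # Bind the path once so the three declarations below cannot drift apart.
  runnerSecretsFile = ../../secrets/double-rainbow/default.yaml;
in
{
  # Required for Docker job containers to reach the network through the
  # host. This also turns the host into an IP router for anything attached
  # to it; nothing in this module restricts what is forwarded.
  # NOTE(review): confirm the host firewall / Docker iptables rules cover
  # the bridge traffic you expect and nothing more.
  boot.kernel.sysctl."net.ipv4.ip_forward" = true;

  virtualisation.docker.enable = true;

  services.gitlab-runner = {
    enable = true;
    # At most four CI jobs execute concurrently on this host.
    settings.concurrent = 4;
    services = {
      wopus-gitlab-nix = mkNixRunnerFull {
        # Runner authentication token; read from the sops-decrypted path at
        # runtime, never from the Nix store.
        authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path;
        # SSH key pair used by the runner to reach the Nix binary cache.
        # The public half is not sensitive; it is kept in sops only so the
        # pair is managed together.
        nixCacheSshPrivateKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pk".path;
        nixCacheSshPublicKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pub".path;
      };
    };
  };

  # Lower the runner's CPU priority so CI load does not starve other services
  # on this host.
  systemd.services.gitlab-runner.serviceConfig.Nice = 10;

  # No owner/mode is set on these secrets, so sops-nix defaults apply.
  # NOTE(review): confirm the user the gitlab-runner service runs as can read
  # the decrypted paths (and that no other user can).
  sops.secrets = {
    "gitlab-runners/wopus-gitlab-nix" = { sopsFile = runnerSecretsFile; };
    "gitlab-runners/wopus-ssh-nix-cache-pk" = { sopsFile = runnerSecretsFile; };
    "gitlab-runners/wopus-ssh-nix-cache-pub" = { sopsFile = runnerSecretsFile; };
  };
}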