# NixOS module: a GitLab CI runner host that executes jobs in Docker while
# building through the host's nix-daemon. Runner credentials come from sops.
{ config, pkgs, inputs, ... }:
let
  # Project-local helpers that turn a token file into a gitlab-runner service
  # definition (see ../../system/gitlab-runner.nix for what each one sets up).
  runnerLib = pkgs.callPackage ../../system/gitlab-runner.nix { inherit inputs; };
  inherit (runnerLib) mkNixRunner mkNixRunnerFull;

  # The only runner currently enabled. Its registration token is read from the
  # decrypted sops secret at activation time, never embedded in the store.
  wopusNixRunner =
    mkNixRunnerFull {
      authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path;
      # nixCacheSshPrivateKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pk".path;
      # nixCacheSshPublicKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pub".path;
    };
in
{
  # IP forwarding is switched on host-wide here; presumably for Docker's
  # container networking (NAT), which is the only consumer in this module.
  boot.kernel.sysctl."net.ipv4.ip_forward" = true;

  # Job containers run under the host's Docker daemon.
  virtualisation.docker.enable = true;

  services.gitlab-runner.enable = true;
  # Global cap on jobs running at the same time across all runners below.
  services.gitlab-runner.settings.concurrent = 2;
  services.gitlab-runner.services = {
    # # runner for building in docker via host's nix-daemon
    # # nix store will be readable in runner, might be insecure
    # thoreb-telemetria-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-telemetria-nix".path;
    # thoreb-itinerario-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-itinerario-nix".path;

    # Per-runner limit on jobs requested concurrently; the global `concurrent`
    # above still applies on top of it.
    wopus-gitlab-nix = wopusNixRunner // {
      requestConcurrency = 2;
    };

    # default = ({
    #   # File should contain at least these two variables:
    #   # `CI_SERVER_URL`
    #   # `CI_SERVER_TOKEN`
    #   authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/docker-images-token".path;
    #   dockerImage = "debian:stable";
    #   dockerPullPolicy = "if-not-present";
    # })
    # // {
    #   requestConcurrency = 4;
    # };
  };

  # Lower CPU scheduling priority for the runner so CI load does not starve
  # the rest of the host.
  systemd.services.gitlab-runner.serviceConfig.Nice = 10;

  # Secrets decrypted by sops at activation. Owner and mode are left at the
  # sops-nix defaults here; confirm the gitlab-runner service user can read
  # the ones it references.
  # NOTE(review): every secret below is declared (and therefore decrypted onto
  # the host) even though only wopus-gitlab-nix is used by an active runner in
  # this file. Unless another module references the others, consider commenting
  # them out alongside their runners so unused credentials are not materialised.
  sops.secrets = {
    "gitlab-runners/thoreb-telemetria-nix" = { };
    "gitlab-runners/thoreb-itinerario-nix" = { };
    "gitlab-runners/docker-images-token" = { };
    "gitlab-runners/wopus-gitlab-nix" = { };
    "gitlab-runners/wopus-ssh-nix-cache-pk" = { };
    "gitlab-runners/wopus-ssh-nix-cache-pub" = { };
  };
}