inp: {
  flake.modules.nixos.server = {
    pkgs,
    config,
    lib,
    ...
  }: {
    sops.secrets."forgejo/token" = {};

    services.gitea-actions-runner = lib.mkIf config.services.forgejo.enable {
      package = pkgs.forgejo-runner;
      instances.default = {
        enable = true;
        name = "monolith";
        url = "https://git.${inp.config.flake.meta.web.domain.domain}";
        # Obtaining the path to the runner token file may differ
        # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
        tokenFile = "/run/secrets/forgejo/token";
        labels = [
          "ubuntu-latest:docker://node:16-bullseye"
          "ubuntu-22.04:docker://node:16-bullseye"
          "ubuntu-20.04:docker://node:16-bullseye"
          "ubuntu-18.04:docker://node:16-buster"
          ## optionally provide native execution on the host:
          # "native:host"
        ];
      };
    };

    virtualisation.docker.enable = true;
  };
}