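# Stolen from https://git.neet.dev/zuckerberg/nix-config/src/branch/master/common/server/gitea-actions-runner.nix
#
# Runs a Gitea Actions runner (act_runner) inside an ephemeral NixOS
# container. The container uses the host's nix-daemon, so the runner account
# must exist with the same UID/GID on both sides (see `runner-user` below).
{ config, lib, pkgs, ... }:

let
  cfg = config.sydnix.gitea-actions-runner;
  container-name = "gitea-actions-runner";
  state-dir = "/var/lib/gitea-actions-runner";
  gitea-actions-runner-uid = 991;
  gitea-actions-runner-gid = 989;
  # Path of the decrypted registration token on the host; it is bind-mounted
  # into the container at the same path so `tokenFile` can reference it as-is.
  token-file = config.sops.secrets.gitea-actions-runner-token.path;

  # Single definition of the runner account, applied both on the host and
  # inside the container. Keeping it in one place guarantees the UID/GID
  # match that the host nix-daemon's trusted-users check depends on.
  runner-user = {
    uid = gitea-actions-runner-uid;
    home = state-dir;
    group = "gitea-actions-runner";
    isSystemUser = true;
    createHome = true;
  };
in
{
  options.sydnix.gitea-actions-runner = {
    enable = lib.mkEnableOption "Gitea actions runner";
  };

  config = lib.mkIf cfg.enable {
    sydnix.sops.secrets.gitea-actions-runner-token = { };
    sydnix.impermanence.directories = [ state-dir ];

    containers.${container-name} = {
      autoStart = true;
      # The container root filesystem is discarded on every restart; only the
      # bind mounts below survive, which is why runner state lives in state-dir.
      ephemeral = true;
      bindMounts = {
        ${token-file} = {
          hostPath = token-file;
          isReadOnly = true;
        };
        ${state-dir} = {
          hostPath = state-dir;
          isReadOnly = false;
        };
      };

      config = { config, lib, pkgs, ... }: {
        system.stateVersion = "25.11";

        services.gitea-actions-runner.instances.sydpc = {
          enable = true;
          name = "sydpc";
          url = "https://git.deertopia.net/";
          tokenFile = token-file;
          # A `:host` label runs job steps directly in this container as the
          # runner user (no docker), so workflows get everything listed in
          # hostPackages plus access to the host's nix-daemon.
          labels = [ "nixos:host" ];
          hostPackages = with pkgs; [
            bash
            coreutils
            curl
            gawk
            gitMinimal
            gnused
            nodejs
            wget
            nix
          ];
        };

        # Guard against the upstream module renaming its unit: if this ever
        # fires, the DynamicUser override below would otherwise silently stop
        # applying and the runner would run as a throwaway user again.
        assertions = [{
          assertion = config.systemd.services.gitea-actions-runner-sydpc.enable;
          message = ''
            Expected systemd service 'gitea-actions-runner-sydpc' is not enabled — the gitea-actions-runner module may have changed its naming scheme. 
          '';
        }];

        # Disable DynamicUser so the service runs as the fixed UID above and
        # its state persists across restarts via the bind mount.
        systemd.services.gitea-actions-runner-sydpc.serviceConfig.DynamicUser = lib.mkForce false;

        users.users.gitea-actions-runner = runner-user;
        users.groups.gitea-actions-runner.gid = gitea-actions-runner-gid;

        nix.settings.experimental-features = [ "nix-command" "flakes" ];
        environment.systemPackages = with pkgs; [ git nodejs jq attic-client ];
      };
    };

    # Needs to be outside of the container because the container uses the
    # host's nix-daemon.
    #
    # SECURITY: a trusted user may override daemon settings per build
    # (substituters, trusted-public-keys, sandbox, ...), which the Nix manual
    # describes as effectively root-equivalent. Because job steps run as this
    # user, anyone who can push a workflow to a repository this runner serves
    # can reach the host. Restrict which repos/orgs may use the runner on the
    # Gitea side and treat this machine as part of the CI trust boundary.
    nix.settings.trusted-users = [ "gitea-actions-runner" ];

    # Matching user on the host — the container's gitea-actions-runner UID must
    # be recognized by the host's nix-daemon as trusted (shared UID namespace).
    users.users.gitea-actions-runner = runner-user;
    users.groups.gitea-actions-runner.gid = gitea-actions-runner-gid;
  };
}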