{ pkgs, ... }:
{
  networking.firewall.trustedInterfaces = [ "br-+" ];

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.default = {
      enable = true;
      name = "ci.sinerva.eu";
      url = "https://forgejo.sinerva.eu";
      tokenFile = "/persist/secrets/forgejo_token";
      labels = [
        "ubuntu-24.04-lts:docker://ubuntu:24.04"
        "ubuntu-22.04:docker://node:24-bullseye"
        "nixos-latest:docker://nixos/nix"
      ];
      settings = {
        container = {
          network = "";
          enable_ipv6 = true;
        };
      };
    };
  };

  virtualisation.docker = {
    enable = true;
    daemon.settings = {
      fixed-cidr-v6 = "fd72:23ed:7025::/64";
      ipv6 = true;
      ip6tables = true;
      experimental = true;
      default-address-pools = [
        {
          base = "172.30.0.0/16";
          size = 24;
        }
        {
          base = "fd4e:cdc2:4c34::/64";
          size = 96;
        }
      ];
    };
  };
}