# Self-hosted Gitea Actions runner (act_runner) for this host.
#
# Jobs that select the "nixos:host" label run directly on this machine as the
# runner's user with `hostPackages` on PATH (fastest, has Nix installed); the
# docker:// labels run inside containers. Which label a job lands on is chosen
# by the workflow's `runs-on`, not by the order of the list below.
{ config, pkgs, ... }:
let
  # The registration token is an agenix secret; only its path is referenced.
  tokenPath = config.age.secrets.gitea-runner-token.path;

  # Runner name as shown in the Gitea UI, derived from the hostname so
  # several hosts can register against the same instance without colliding.
  runnerName = "${config.networking.hostName}-runner";

  # Tools available to jobs that execute directly on the host.
  hostTools = [
    pkgs.git
    pkgs.bash
    pkgs.coreutils
    pkgs.nix
    # Extend this list with whatever nix-update workflows need.
  ];
in
{
  services.gitea-actions-runner.instances.default = {
    enable = true;
    name = runnerName;
    url = "https://code.m3ta.dev";
    tokenFile = tokenPath;

    # Labels this runner advertises. "nixos:host" executes on the host itself,
    # with no container boundary: any workflow permitted to target it gets
    # host access as the runner user. The ubuntu labels execute in containers.
    labels = [
      "nixos:host"
      "ubuntu-latest:docker://node:18-bullseye"
      "ubuntu-22.04:docker://node:20-bullseye"
    ];

    hostPackages = hostTools;

    # Passed through to act_runner's own configuration.
    settings = {
      runner = {
        # One job at a time; raise only if the host has spare CPU and RAM.
        capacity = 1;
        # Nix builds can run for a long time.
        timeout = "4h";
      };
      cache.enabled = true;
      container = {
        enable_ipv6 = true;
        # Job containers stay unprivileged; keep it that way unless a
        # workflow genuinely requires it.
        privileged = false;
      };
    };
  };

  # Runner account. The module is expected to create one as well; declaring
  # it here pins the home directory, group and system-user status.
  users.users.gitea-runner = {
    home = "/var/lib/gitea-runner";
    group = "gitea-runner";
    isSystemUser = true;
    createHome = true;
  };
  users.groups.gitea-runner = { };

  # Every interface matching "br-+" (Podman bridge networks) is exempt from
  # the firewall, so containers on those bridges can reach the cache server.
  # Note this also exposes any other service listening on the host to those
  # containers.
  networking.firewall.trustedInterfaces = [ "br-+" ];
}