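{ config, lib, pkgs, service_configs, ... }:

let
  # Gitea Actions runner that executes jobs directly on this host (no
  # container): the "<label>:host" form of the label means workflow steps
  # run as the runner's own user with the toolchain in hostPackages.
  instanceName = "muffin";
  runnerUser = "gitea-runner";
in
{
  services.gitea-actions-runner.instances.${instanceName} = {
    enable = true;
    name = instanceName;
    # Register against the co-located Gitea; ROOT_URL is the endpoint the
    # runner uses for registration and job polling.
    url = config.services.gitea.settings.server.ROOT_URL;
    # Registration token from agenix. NOTE(review): with DynamicUser forced
    # off below, this file must be readable by ${runnerUser}; confirm the
    # owner/mode declared for age.secrets.gitea-runner-token matches.
    tokenFile = config.age.secrets.gitea-runner-token.path;
    labels = [ "nix:host" ];
    # Toolchain visible to host-mode jobs. `nix` lets workflows talk to the
    # host daemon; how much that is allowed to do depends on nix.settings
    # (trusted-users, sandbox) for this user, which this module does not set.
    hostPackages = with pkgs; [
      bash coreutils curl gawk git git-crypt gnugrep gnused jq nix nodejs openssh
    ];
    settings.runner = {
      capacity = 1;   # one job at a time on this host
      timeout = "6h"; # hard cap per job
    };
  };

  systemd.services."gitea-runner-${instanceName}" = {
    # Override DynamicUser to use our static gitea-runner user, and ensure
    # the runner doesn't start before the co-located gitea instance is ready
    # (upstream can't assume locality, so this dependency is ours to add).
    requires = [ "gitea.service" ];
    after = [ "gitea.service" ];
    serviceConfig = {
      DynamicUser = lib.mkForce false;
      User = runnerUser;
      Group = runnerUser;
    };
    # Pin the deploy identity and the host-key trust store for every git
    # SSH operation a job performs:
    #  - StrictHostKeyChecking=yes with a fixed known_hosts file: unknown or
    #    changed host keys are refused rather than written into ~/.ssh.
    #  - IdentitiesOnly=yes: offer only the deploy key, never whatever else
    #    an agent or the runner user's ~/.ssh may hold.
    #  - BatchMode=yes: never prompt; fail immediately instead of hanging a
    #    job until the 6h timeout.
    # The key path is hard-coded; if it is an agenix secret, prefer
    # config.age.secrets.<name>.path so the two cannot drift (TODO confirm).
    environment.GIT_SSH_COMMAND = lib.concatStringsSep " " [
      "ssh"
      "-i /run/agenix/ci-deploy-key"
      "-o IdentitiesOnly=yes"
      "-o BatchMode=yes"
      "-o StrictHostKeyChecking=yes"
      "-o UserKnownHostsFile=/etc/ci-known-hosts"
    ];
  };
}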