{ config, lib, pkgs, ... }:

let
  inherit (lib) mkIf mkForce genAttrs;

  # Everything this module needs lives under athenix.sw.builders.giteaRunner:
  # enable, name, url, tokenFile and extraLabels.
  runner = config.athenix.sw.builders.giteaRunner;

  # The gitea-actions-runner NixOS module names its unit after the instance.
  unitName = "gitea-runner-${runner.name}";

  # systemd sandboxing options that depend on mount/user/cgroup namespaces.
  # Unprivileged LXC containers cannot set these up, so each one is forced
  # off below. mkForce overrides whatever the upstream gitea-actions-runner
  # module sets (presumably its own hardening defaults — verify against the
  # module version in use).
  namespaceBooleans = [
    "PrivateMounts"
    "MountAPIVFS"
    "PrivateTmp"
    "PrivateDevices"
    "ProtectSystem"
    "ProtectHome"
    "PrivateUsers"
    "ProtectKernelTunables"
    "ProtectKernelModules"
    "ProtectControlGroups"
  ];

  # Path-list options from the same family; emptied rather than disabled.
  namespacePathLists = [
    "BindPaths"
    "BindReadOnlyPaths"
    "ReadOnlyPaths"
    "InaccessiblePaths"
  ];
in
mkIf runner.enable {
  # Register one runner instance, keyed by its configured name. The token
  # is read from tokenFile at runtime, never embedded in the Nix store.
  # NOTE(review): nothing here sets ownership or mode of tokenFile; confirm
  # it is readable only by the user the runner service runs as.
  services.gitea-actions-runner.instances.${runner.name} = {
    enable = true;
    inherit (runner) name url tokenFile;
    labels = runner.extraLabels;
  };

  systemd.services.${unitName} = {
    # Skip (not fail) the unit while the token has not been installed yet,
    # so the host can be deployed before the secret is placed by hand.
    # NOTE(review): systemd does not re-evaluate this condition on its own;
    # after dropping the token in, the unit must be started manually (or by
    # a systemd.paths watcher, which this module does not define).
    unitConfig.ConditionPathExists = runner.tokenFile;

    serviceConfig =
      {
        # Allow the runner to finish or abort in-flight jobs on stop.
        TimeoutStopSec = mkForce 60;
      }
      # NOTE(review): with the namespace-based sandboxing off, job steps
      # executed by this runner see the whole container root filesystem,
      # /home and kernel tunables; the LXC boundary is the only isolation
      # left. Keep the container unprivileged with no extra device or mount
      # passthrough, and confirm the labels advertised (extraLabels) only
      # attract jobs that may run with that level of access.
      // genAttrs namespaceBooleans (_: mkForce false)
      // genAttrs namespacePathLists (_: mkForce [ ]);
  };
}