{ host, config, pkgs, ... }:
{
  imports = [ ./hardware-configuration.nix ];

  # Secrets are decrypted by sops-nix at activation time; only their on-disk
  # paths are referenced further down, never the secret values themselves.
  sops.secrets = {
    "password" = { sopsFile = ../../secrets/k8s.yaml; };
    forgejo-runner = { sopsFile = ../../secrets/forgejo-runner.yaml; };
  };

  system-sys.zram = false;

  networking = {
    hostId = "81238132";
    firewall = {
      # NOTE(review): these ports are opened on every interface. 10250 is
      # presumably the kubelet port for the k3s agent configured below; since
      # flannel is pinned to tailscale0, confirm whether it could be scoped with
      # networking.firewall.interfaces.tailscale0.allowedTCPPorts instead.
      allowedTCPPorts = [
        22
        10250
        25565 # mc
        25566 # mc
      ];
    };
  };

  virtualisation.docker = {
    enable = true;
    extraOptions = "--dns 1.1.1.1";
  };

  # CI runner: the gitea-actions-runner module driven by the forgejo-runner
  # package. The registration token is read from the sops-managed file.
  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.default = {
      enable = true;
      name = host.hostName;
      url = "https://git.10110110.xyz";
      tokenFile = config.sops.secrets.forgejo-runner.path;
      labels = [
        "ubuntu-latest:docker://node:24-bullseye"
        "nix-upstream-latest:docker://nixos/nix:latest"
        "nix-latest:docker://git.10110110.xyz/ci/nix"
      ];
    };
  };

  # k3s worker joining the "consensus" server; pod networking (flannel) is
  # bound to the tailscale interface. The join token comes from sops.
  services.k3s = {
    enable = true;
    role = "agent";
    extraFlags = toString [ "--flannel-iface=tailscale0" ];
    tokenFile = config.sops.secrets."password".path;
    serverAddr = "https://consensus:6443";
  };

  # Block k3s start-up until the tailscale link reports status, because both
  # the server address and the flannel interface depend on it.
  # NOTE(review): this loop has no upper bound; confirm whether an
  # after=/wants= ordering on the tailscale unit is declared elsewhere.
  systemd.services.k3s = {
    preStart = ''
      until ${pkgs.tailscale}/bin/tailscale status; do
        sleep 1
      done
    '';
  };

  # Keep the machine running with the lid closed (presumably a laptop host).
  services.logind.settings.Login = {
    HandleLidSwitch = "ignore";
    HandleLidSwitchExternalPower = "ignore";
  };

  hardware = {
    enableRedistributableFirmware = true;
    firmware = [ pkgs.linux-firmware ];
  };

  system.stateVersion = "23.11";
}