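# NixOS module: one Gitea `act_runner` instance run as an oci-container, plus a
# systemd timer that periodically runs a watchtower-style update script against
# every container carrying the matching watchtower scope label, and the sops
# secret the runner's environment is loaded from.
{
  config,
  ...
}:

let
  vars = import ../vars.nix;
  actPath = vars.primary_act;

  # Single runner instance. The container name, GITEA_RUNNER_NAME, the on-disk
  # state directory and the unit named in `restartUnits` are all derived from
  # this binding so they cannot drift apart (e.g. when a second runner is added).
  runnerName = "stable-latest-1";
  containerName = "act-${runnerName}";

  # Watchtower scope shared by the container labels, the timer/service instance
  # name and the selector passed to watchtower.bash.
  watchtowerScope = "act-runner";
  watchtowerScopeLabel = "com.centurylinklabs.watchtower.scope";
  watchtowerUnit = "custom-watchtower@${watchtowerScope}";

  # sops secret holding the runner's environment file; declared below and
  # consumed through `environmentFiles`.
  runnerSecret = "docker/act-runner";
in
{
  virtualisation.oci-containers.containers.${containerName} = {
    # Floating tag: the deployed runner is whatever the registry serves at pull
    # time and whatever the watchtower timer below later upgrades to. Pinning to
    # a digest would make the running image reproducible and auditable.
    image = "gitea/act_runner:latest";
    extraOptions = [
      # Stop with SIGINT instead of the default SIGTERM so the runner gets its
      # own shutdown path on `systemctl stop` (presumably to drain in-flight
      # jobs — confirm against act_runner's signal handling).
      "--stop-signal=SIGINT"
    ];
    labels = {
      "com.centurylinklabs.watchtower.enable" = "true";
      ${watchtowerScopeLabel} = watchtowerScope;
    };
    # Published on every host interface. If nothing off-host needs the 8088
    # listener, prefer a host-address prefix such as "127.0.0.1:8088:8088".
    ports = [ "8088:8088" ];
    volumes = [
      "${actPath}/${runnerName}/config.yaml:/config.yaml"
      "${actPath}/${runnerName}/data:/data"
      # Access to the Docker socket is equivalent to root on the host: anything
      # this runner executes can drive the daemon. Only repositories that are
      # fully trusted should be able to dispatch jobs to it.
      "/var/run/docker.sock:/var/run/docker.sock"
    ];
    environment = {
      CONFIG_FILE = "/config.yaml";
      GITEA_RUNNER_NAME = runnerName;
    };
    # Secret material is injected at start from the sops-managed file rather
    # than being written into the world-readable Nix store.
    environmentFiles = [ config.sops.secrets.${runnerSecret}.path ];
    log-driver = "local";
  };

  systemd = {
    # Poll for image updates every 5 minutes, after a 20 minute grace period
    # following boot.
    timers.${watchtowerUnit} = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "20m";
        OnUnitActiveSec = "5m";
        Unit = "${watchtowerUnit}.service";
      };
    };
    services.${watchtowerUnit} = {
      # The script talks to the Docker daemon, so it must not start before
      # docker.service and is stopped together with it.
      bindsTo = [ "docker.service" ];
      after = [ "docker.service" ];
      description = "a watchtower-esque script for systemd-based oci-containers";
      serviceConfig = {
        Type = "oneshot";
        # Requires the Docker socket, i.e. host-root-equivalent privileges.
        User = "root";
        # Invokes the `nix` CLI with the script as its first argument, which is
        # the shebang-mode entry point (the script's `#! nix ...` header lines
        # select its environment). NOTE(review): confirm watchtower.bash carries
        # such header lines. The two arguments are the label key and value used
        # to select the containers to update.
        ExecStart = "${config.nix.package}/bin/nix ${./watchtower.bash} '${watchtowerScopeLabel}' '${watchtowerScope}'";
      };
    };
  };

  sops.secrets = {
    ${runnerSecret} = {
      owner = "root";
      # Restart the runner whenever the secret changes so the container picks
      # up the rotated contents. The `docker-` prefix is the unit name the
      # oci-containers module generates for the docker backend — this module
      # assumes `virtualisation.oci-containers.backend = "docker"` is set
      # elsewhere in the configuration.
      restartUnits = [
        "docker-${containerName}.service"
      ];
    };
  };
}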