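# NixOS host configuration for a self-hosted Forgejo Actions runner.
# The module receives the evaluated system `config` and the package set `pkgs`;
# only `pkgs` is referenced below.
{ config, pkgs, ... }: {
  imports = [
    # Include the results of the hardware scan.
    ./hardware.nix
  ];

  nixpkgs.config.allowUnfree = true;
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  environment.systemPackages = with pkgs; [ vim wget git htop tailscale ];

  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances = {
      oracle-arm = {
        name = "oracle-arm";
        enable = true;
        labels = [ "debian-latest-arm:docker://node:18-bullseye" ];
        url = "https://git.gmem.ca";
        # The registration token is read from a file at service start rather than
        # written into this module: any literal in a Nix expression ends up in the
        # world-readable Nix store (and in version control). The path below is a
        # PLACEHOLDER -- provision the file out of band with root-only permissions,
        # in the format the `tokenFile` option documents (an environment file,
        # `TOKEN=...`; confirm against the module docs), and rotate any token that
        # was previously committed as a literal.
        tokenFile = "/REPLACE-ME/forgejo-runner-token";
        settings = {
          cache.port = 4328;
        };
      };
    };
  };

  programs.zsh.enable = true;
  programs.fish.enable = true;
  environment.shells = with pkgs; [ zsh fish ];

  networking = {
    hostName = "forgejo-action-runner";
    domain = "gmem.ca";
    nameservers = [ "1.1.1.1" "1.0.0.1" ];
    firewall = {
      enable = true;
      # Tailscale traffic bypasses the port lists entirely.
      trustedInterfaces = [ "tailscale0" ];
      # Tailscale routes fail strict reverse-path filtering.
      checkReversePath = "loose";
      # NOTE(review): 4328 is the runner's action-cache port (settings.cache.port
      # above); allowedTCPPorts opens it on every non-trusted interface. Confirm the
      # cache must be reachable beyond the docker bridge / tailscale0 before keeping
      # it here.
      allowedTCPPorts = [ 22 80 443 4328 ];
      allowedUDPPorts = [ ];
    };
    nftables.enable = true;
  };

  users.users = {
    # Root's authorized keys are fetched at build time and pinned by content hash,
    # so a changed upstream file fails the build instead of silently replacing keys.
    root.openssh.authorizedKeys.keys =
      let
        authorizedKeys = pkgs.fetchurl {
          url = "https://gmem.ca/ssh";
          hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
        };
      in
      pkgs.lib.splitString "\n" (builtins.readFile authorizedKeys);
  };

  # Job containers from the runner labels above run under docker.
  virtualisation = {
    docker = {
      enable = true;
    };
  };

  services.openssh.enable = true;
  services.tailscale.enable = true;

  system.stateVersion = "23.11";
}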