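# Woodpecker CI: one server (forge: Gitea at git.flake.sh) and one local agent
# named "nix" that runs pipelines through the host's Docker daemon.
#
# Secret handling: `config.sops.secrets.<name>.path` evaluates to the location
# of the decrypted file, not to its contents. Assigning it to
# WOODPECKER_AGENT_SECRET therefore exported the path string itself as the
# server/agent shared secret, a value anyone reading this configuration can
# derive. The shared secret is now supplied only through environment files,
# which keeps it out of the Nix store and out of the unit definition.
{config, ...}: {
  # Environment file for the server. It must define WOODPECKER_AGENT_SECRET.
  # NOTE(review): the Gitea OAuth client id/secret are not set below, so they
  # are presumably defined in this file as well; confirm.
  sops.secrets.woodpecker-server = {};

  # Environment file for the agent. It must contain a line of the form
  # WOODPECKER_AGENT_SECRET=<value> (not the bare value), carrying the same
  # value as the server's file.
  # NOTE(review): generate a fresh random value when converting the file; the
  # previously effective secret was the predictable path string.
  sops.secrets.woodpecker-agent-secret = {};

  services.woodpecker-server = {
    enable = true;
    environment = {
      # No host part: both listeners bind on every interface.
      # NOTE(review): the only agent visible here connects over localhost;
      # confirm the firewall / reverse proxy limits who can reach :8200 and
      # especially the agent gRPC port :8300.
      WOODPECKER_SERVER_ADDR = ":8200";
      WOODPECKER_GRPC_ADDR = ":8300";
      WOODPECKER_HOST = "https://ci.flake.sh";
      # Registration is closed; only the admin and explicitly added users
      # can log in.
      WOODPECKER_OPEN = "false";
      WOODPECKER_GITEA = "true";
      WOODPECKER_GITEA_URL = "https://git.flake.sh";
      WOODPECKER_ADMIN = "notohh";
      # WOODPECKER_AGENT_SECRET is intentionally absent: it comes from
      # environmentFile below.
      # NOTE(review): debug logging is verbose; consider "info" once the
      # setup is stable and check what the debug output records.
      WOODPECKER_LOG_LEVEL = "debug";
      WOODPECKER_DEBUG_PRETTY = "true";
      WOODPECKER_KEEPALIVE_MIN_TIME = "10s";
    };
    environmentFile = config.sops.secrets.woodpecker-server.path;
  };

  services.woodpecker-agents.agents.nix = {
    enable = true;
    environment = {
      DOCKER_HOST = "unix:///var/run/docker.sock";
      WOODPECKER_BACKEND = "docker";
      # Must match the port in the server's WOODPECKER_GRPC_ADDR.
      WOODPECKER_SERVER = "localhost:8300";
      # WOODPECKER_AGENT_SECRET is intentionally absent: it comes from
      # environmentFile below.
      WOODPECKER_LOG_LEVEL = "debug";
      WOODPECKER_DEBUG_PRETTY = "true";
      WOODPECKER_KEEPALIVE_MIN_TIME = "10s";
      WOODPECKER_HEALTHCHECK = "true";
    };
    # The shared secret is loaded from the sops-managed environment file
    # instead of being embedded in `environment`.
    environmentFile = [config.sops.secrets.woodpecker-agent-secret.path];
    # Grants the agent access to the Docker socket. Socket access is
    # equivalent to root on this host, so every pipeline the server schedules
    # here runs with that reach; keep registration closed and restrict which
    # repositories are trusted.
    extraGroups = ["docker"];
  };
}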