# NixOS module: Nix daemon configuration for this machine (pinned flake
# registry, binary caches, daemon access control and build limits).
{
  nixpkgs,
  nixpkgs-git,
  nixpkgs-stable,
  pkgs,
  config,
  lib,
  ...
}:
let
  cfg = config.machine;

  # Registry file with no entries. It is passed as `flake-registry` below in
  # place of the default global registry location, so the entries pinned
  # under `nix.registry` are the ones this module provides.
  emptyGlobalRegistry = pkgs.writeText "registry.json" ''{ "flakes": [], "version": 2 }'';

  # Single source for both cache lists so they cannot drift apart.
  cacheUrls = [ "https://cache.nixos.org" ] ++ cfg.binaryCaches;

  # Login names of the configured administrators.
  adminNames = map (admin: admin.name) cfg.administrators;
in
{
  nix = {
    package = pkgs.nix;

    # Pin each registry name to the flake input this module was called with.
    registry = lib.mapAttrs (_: flake: { inherit flake; }) {
      inherit nixpkgs nixpkgs-git nixpkgs-stable;
    };

    settings = {
      # Up to 4 builds at once, each told to use 1 core.
      max-jobs = 4;
      cores = 1;
      sandbox = true;
      auto-optimise-store = true;

      # `substituters` are used by default; `trusted-substituters` are the
      # ones daemon clients that are not trusted users may select themselves.
      substituters = cacheUrls;
      trusted-substituters = cacheUrls;

      # TODO: integrate into sops
      # trusted-public-keys = [ (lib.fileContents "${cfg.secretPath}/hydra_cache.pub") ];
      # NOTE(review): no signing key is configured here for cfg.binaryCaches.
      # Unless keys are set elsewhere (or require-sigs is turned off, which
      # would drop signature checking), paths from those caches will fail
      # signature verification. A cache *public* key is not secret, so it
      # does not need sops; only the private signing key does.

      # Only root and the administrators may connect to the Nix daemon.
      allowed-users = [ "root" ] ++ adminNames;
    };

    extraOptions = ''
      build-timeout = 86400  # 24 hours
      experimental-features = nix-command flakes
      flake-registry = ${emptyGlobalRegistry}
    '';
  };
}