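# NixOS module: Hydra CI on this machine, publishing its outputs as a
# signed binary cache served by nix-serve.  Only active when "hydra" is in
# config.machine.services.
{
  config,
  lib,
  ...
}:
# The hydra admin user needs to be manually created:
#   sudo -u hydra -s
#   hydra-create-user $USERNAME --password $PASSWORD --role admin
# (prefer letting the tool prompt for the password so it does not end up in
# shell history)
# https://qfpl.io/posts/nix/starting-simple-hydra/
# also for reference a well written hydra config:
# https://github.com/NixOS/nixos-org-configurations/blob/master/delft/hydra.nix
with lib;
let
  # Where hydra writes the signed binary cache (store_uri below) and where
  # nix-serve is pointed at.
  cacheDir = "/var/cache/hydra";
  # Single sops secret for the cache signing key; the same attribute name is
  # used everywhere below so hydra, nix-serve and the sops ownership rule
  # refer to one file.  (The references previously used a dotted name that
  # did not match the declared "services/hydra/secretKey" secret.)
  secretKeyFile = config.sops.secrets."services/hydra/secretKey".path;
in
mkIf (elem "hydra" config.machine.services) {
  # also take a look at ../conf/nix.nix
  nix.buildMachines = [
    {
      hostName = "localhost";
      system = "x86_64-linux";
      supportedFeatures = [
        "kvm"
        "nixos-test"
        "big-parallel"
        "benchmark"
      ];
      maxJobs = 8;
    }
  ];

  services =
    let
      cfg = config.machine;
      # Externally visible domain of the hydra vHost.  If no vHost has
      # service == "hydra", findFirst falls back to `cfg` itself, so `domain`
      # silently becomes the machine-wide cfg.domain.
      inherit ((findFirst (s: s.service == "hydra") cfg cfg.vHosts)) domain;
    in
    {
      hydra = {
        enable = true;
        hydraURL = domain; # externally visible URL
        listenHost = "localhost";
        port = 3001;
        minimumDiskFree = 15;
        minimumDiskFreeEvaluator = 15;
        notificationSender = "hydra@mail.${cfg.domain}"; # e-mail of hydra service
        useSubstitutes = true;
        debugServer = false;
        # Hints from hydra-queue-runner:
        # binary_cache_dir is deprecated and ignored. use store_uri=file:// instead
        # hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead
        extraConfig = ''
          max_output_size = 4294967296
          store_uri = file://${cacheDir}?secret-key=${secretKeyFile}&write-nar-listing=1&ls-compression=br&log-compression=br
          # add ?local-nar-cache= to set nar cache location
          server_store_uri = https://cache.${cfg.domain}
          binary_cache_public_uri = https://cache.${cfg.domain}
          upload_logs_to_binary_cache = true
        '';
      };

      nix-serve = {
        enable = true;
        # NOTE(review): 0.0.0.0 exposes the cache on every interface; the
        # https://cache.${cfg.domain} URIs above suggest a reverse proxy in
        # front, so binding to localhost (or restricting port 5000 in the
        # firewall) would keep the plain-HTTP listener off the network —
        # confirm where the proxy runs before changing.
        bindAddress = "0.0.0.0";
        port = 5000;
        secretKeyFile = secretKeyFile;
        extraParams = ''
          # Dont know how to change the store root yet...
          # --user hydra-queue-runner
          # --group hydra
        '';
      };
    };
  systemd.services.nix-serve.serviceConfig.User = mkForce "hydra";
  # NOTE(review): store_uri=file:// makes hydra write a binary-cache layout
  # (nar/ + *.narinfo) into cacheDir, which is not a Nix store directory;
  # whether nix-serve can serve that via NIX_STORE_DIR is unverified — confirm.
  systemd.services.nix-serve.environment.NIX_STORE_DIR = cacheDir;
  sops.secrets."services/hydra/secretKey" = {
    owner = "hydra";
    group = "hydra";
    # NOTE(review): sops-nix defaults to owner-read-only; if the queue runner
    # (a separate user, see the --user hint above) must read the signing key,
    # widen to group read (`mode = "0440"`) — confirm against the service user.
  };
}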