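{
  config,
  lib,
  ...
}:
# NixOS module: a Hydra CI server writing into a local file:// binary cache that
# nix-serve publishes. Active only when "hydra" is listed in
# config.machine.services.
#
# The hydra admin user is not created by this module; create it once by hand:
#   sudo -u hydra -s
#   hydra-create-user $USERNAME --password-prompt --role admin
# (--password-prompt asks interactively; the older --password $PASSWORD form
# leaves the password in shell history and process listings.)
# https://qfpl.io/posts/nix/starting-simple-hydra/
# also for reference a well written hydra config:
# https://github.com/NixOS/nixos-org-configurations/blob/master/delft/hydra.nix
let
  cfg = config.machine;

  # Local binary cache that hydra-queue-runner uploads signed NARs into.
  cacheDir = "/var/cache/hydra";

  # One name for the NAR signing key, shared by the sops declaration below and
  # every reference to it, so they cannot drift apart again. The references used
  # to say "services.hydra.secretKey" while the declaration said
  # "services/hydra/secretKey"; the declared form is kept because the
  # declaration is what sets the owner/group the services depend on.
  secretName = "services/hydra/secretKey";
  secretKeyFile = config.sops.secrets.${secretName}.path;

  # Public URL under which the cache is reached (through a reverse proxy this
  # file does not configure).
  cacheUrl = "https://cache.${cfg.domain}";

  # Domain of the vHost tagged "hydra". findFirst's default here is cfg itself,
  # so with no such vHost this silently falls back to cfg.domain.
  domain = (lib.findFirst (s: s.service == "hydra") cfg cfg.vHosts).domain;
in
  lib.mkIf (lib.elem "hydra" cfg.services) {
    # also take a look at ../conf/nix.nix
    nix.buildMachines = [
      {
        hostName = "localhost";
        system = "x86_64-linux";
        supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
        maxJobs = 8;
      }
    ];

    services.hydra = {
      enable = true;
      # Externally visible URL; Hydra builds links in notification e-mails from
      # it. NOTE(review): confirm the vHost's domain carries the scheme.
      hydraURL = domain;
      # Only the reverse proxy talks to the web frontend directly.
      listenHost = "localhost";
      port = 3001;
      minimumDiskFree = 15;
      minimumDiskFreeEvaluator = 15;
      notificationSender = "hydra@mail.${cfg.domain}"; # e-mail of hydra service
      useSubstitutes = true;
      debugServer = false;
      # Hints from hydra-queue-runner:
      # binary_cache_dir is deprecated and ignored. use store_uri=file:// instead
      # hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead
      extraConfig = ''
        max_output_size = 4294967296
        store_uri = file://${cacheDir}?secret-key=${secretKeyFile}&write-nar-listing=1&ls-compression=br&log-compression=br
        # add ?local-nar-cache= to set nar cache location
        server_store_uri = ${cacheUrl}
        binary_cache_public_uri = ${cacheUrl}
        upload_logs_to_binary_cache = true
      '';
    };

    services.nix-serve = {
      enable = true;
      # nix-serve has no authentication of its own: whatever it serves is
      # readable by anyone who can reach this port. Binding to every interface
      # therefore relies on the host firewall; if the reverse proxy for the cache
      # runs on this machine, "127.0.0.1" is the tighter choice.
      bindAddress = "0.0.0.0";
      port = 5000;
      inherit secretKeyFile;
      # NOTE(review): extraParams is appended to nix-serve's command line by the
      # NixOS module, so these lines are not Nix comments. Left as they were;
      # confirm they are harmless at service start.
      extraParams = ''
        # Dont know how to change the store root yet...
        # --user hydra-queue-runner
        # --group hydra
      '';
    };

    # nix-serve runs as hydra so it can read the signing key declared below.
    systemd.services.nix-serve.serviceConfig.User = lib.mkForce "hydra";
    # NOTE(review): NIX_STORE_DIR changes the store prefix nix-serve resolves
    # paths under, while cacheDir is a file:// binary cache (nar/ + .narinfo),
    # not a store tree. Confirm this serves what is intended.
    systemd.services.nix-serve.environment.NIX_STORE_DIR = cacheDir;

    sops.secrets.${secretName} = {
      owner = "hydra";
      group = "hydra";
      # The process that signs NARs with this key (store_uri above) is
      # hydra-queue-runner, which the NixOS hydra module runs as its own user in
      # group "hydra" — verify on this system. sops-nix's default mode of 0400
      # would lock that user out; 0440 admits the group and nobody else.
      mode = "0440";
    };
  }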