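# NixOS module: enables a Hydra server that signs build outputs with a
# secret key kept outside the Nix store.
#
# Applied in two steps: first to the flake-style `inputs` (not referenced in
# this file), then to the usual NixOS module arguments.
inputs:
{ config, lib, pkgs, ... }:
let
  cfg = config.services.hydra;
  keyPath = cfg.secretKeyLocation;
in
{
  options = {
    services.hydra.secretKeyLocation = lib.mkOption {
      # A string type on purpose: a Nix path literal (./key) is rejected by
      # types.str instead of being copied into the store when interpolated
      # into extraConfig below.
      type = lib.types.str;
      description = ''
        Absolute location to the secret key used to sign builds
      '';
    };
  };

  config = {
    # Enforce what the option description promises. The Nix store is
    # world-readable, so a signing key that resolves to a store path (for
    # example via "${./key}") would be readable by every local user.
    assertions = [
      {
        assertion = lib.hasPrefix "/" keyPath;
        message = "services.hydra.secretKeyLocation must be an absolute path.";
      }
      {
        assertion = !(lib.hasPrefix "${builtins.storeDir}/" keyPath);
        message = "services.hydra.secretKeyLocation must not point into the Nix store: store paths are world-readable.";
      }
    ];

    services.hydra = {
      enable = true;

      # NOTE(review): the advertised URL is https while the firewall rule
      # below opens services.hydra.port directly; TLS is presumably
      # terminated by a reverse proxy not shown here. Confirm.
      hydraURL = lib.mkDefault "https://hydra.${config.networking.fqdn}";
      notificationSender = lib.mkDefault "hydra@${config.networking.fqdn}";

      # Don't build *everything* from source
      useSubstitutes = true;

      # Only the path of the key is written into the Hydra configuration;
      # the key material itself stays in the file at secretKeyLocation.
      extraConfig = ''
        binary_cache_secret_key_file = ${keyPath}
        store_uri = auto?secret-key=${keyPath}
      '';

      package = pkgs.hydra-unstable;
    };

    # Adds the hydra group to the accounts allowed to talk to the Nix daemon.
    # NOTE(review): once any module defines this list, the option default no
    # longer applies, so accounts outside the listed users/groups may lose
    # daemon access. Confirm this restriction is intended.
    nix.settings.allowed-users = [ "@hydra" ];

    # Expose the Hydra web port on the main VPN interface only, not on every
    # interface.
    networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts = [
      cfg.port
    ];
  };
}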