# NixOS module for a Hydra CI host: enables Hydra, opens its web port,
# and points Nix at a binary-cache signing key delivered through agenix.
{ lib, config, pkgs, ... }:

{
  # Hydra itself. hydraURL is the base URL Hydra uses when it generates
  # links; here it is plain HTTP on localhost.
  services.hydra.enable = true;
  services.hydra.hydraURL = "http://localhost:3000";
  services.hydra.notificationSender = "hydra@localhost";
  # Let Hydra pull already-built paths from the configured substituters
  # instead of rebuilding them. What gets accepted is governed by the Nix
  # substituter and trusted-public-keys settings, which are not set in this
  # file.
  services.hydra.useSubstitutes = true;

  # NOTE(review): TCP 3000 is opened to every interface the firewall covers,
  # while hydraURL above is unencrypted HTTP. services.hydra.listenHost is not
  # set here, so the module default applies. If the UI is meant to be reached
  # from other hosts, a TLS-terminating reverse proxy with 3000 kept closed
  # avoids sending logins and session cookies in clear text. Confirm the
  # intended exposure.
  networking.firewall.enable = true;
  #allowedUDPPorts = [ ];
  networking.firewall.allowedTCPPorts = [ 3000 ];

  # trusted-users may override daemon settings such as substituters, which the
  # Nix manual describes as essentially root-equivalent. Keep this list as
  # short as the Hydra setup actually requires.
  nix.settings.trusted-users = [ "hydra" ];

  # secret-key-files makes Nix sign locally built paths with the private key
  # at the agenix-decrypted path, so clients that trust the matching public
  # key will accept this host's outputs.
  nix.extraOptions = ''
    secret-key-files = ${config.age.secrets."keys/nixsign".path}
  '';

  # Decrypted signing key. Ownership goes to the hydra user; no mode is set
  # here, so the agenix default applies.
  # NOTE(review): anyone who can read this file can sign store paths that
  # cache clients will trust. Verify that the owner and mode are as narrow as
  # the signing process needs.
  age.secrets = {
    "keys/nixsign" = {
      file = ../../../secrets/keys/nixservepriv.age;
      owner = "hydra";
    };
  };
}