diff --git a/terranix/containers/hydra/default.nix b/terranix/containers/hydra/default.nix
new file mode 100644
index 0000000..83edf6f
--- /dev/null
+++ b/terranix/containers/hydra/default.nix
@@ -0,0 +1,54 @@
+{ config, elib, ... }:
+let
+ inherit (elib)
+ nfsVolume
+ nomadJob;
+
+ flake_host = "";
+ flake_rev = "";
+ flake_ref = "";
+ flake_sha = "";
+in
+{
+ resource."nomad_volume"."hydra-db" = nfsVolume {
+ volume_name = "hydra-db";
+ access_mode = "single-node-writer";
+ server = "blowhole.hosts.in.redalder.org";
+ share = "/var/nfs/hydra-db";
+ mount_flags = [ "nfsvers=3" "hard" "async" ];
+ };
+
+ resource."nomad_volume"."hydra-data" = nfsVolume {
+ volume_name = "hydra-data";
+ access_mode = "single-node-writer";
+ server = "blowhole.hosts.in.redalder.org";
+ share = "/var/nfs/hydra-data";
+ mount_flags = [ "nfsvers=3" "hard" "async" ];
+ };
+
+ resource."nomad_volume"."hydra-nix" = nfsVolume {
+ volume_name = "hydra-nix";
+ access_mode = "single-node-writer";
+ server = "blowhole.hosts.in.redalder.org";
+ share = "/var/nfs/hydra-nix";
+ mount_flags = [ "nfsvers=3" "hard" "async" ];
+ };
+
+ resource."vault_policy"."hydra-policy" = {
+ name = "hydra-policy";
+ policy = ''
+ path "kv/data/hydra" {
+ capabilities = ["read"]
+ }
+ '';
+ };
+
+ resource."nomad_job"."hydra" = nomadJob {
+ jobspec = ./job.hcl;
+
+ vars = {
+ flake_ref = "${flake_host}?rev=${flake_rev}&ref=${flake_ref}";
+ flake_sha = flake_sha;
+ };
+ };
+}
diff --git a/terranix/containers/hydra/job.hcl b/terranix/containers/hydra/job.hcl
new file mode 100644
index 0000000..247bfd7
--- /dev/null
+++ b/terranix/containers/hydra/job.hcl
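Review bot: The four `flake_*` bindings in the `let` block are committed as empty strings, so the `nomad_job` resource renders `flake_ref = "?rev=&ref="` and `flake_sha = ""` — the job cannot resolve a flake, and the hash pin that is supposed to guarantee the integrity of the deployed closure is vacuous. Either pin real `flake_host`/`flake_rev`/`flake_sha` values here, or source them from Terraform variables so the placeholders cannot be applied by accident, and add a fail-fast guard such as `in assert flake_sha != ""; {` so terranix refuses to render an unpinned job. Separately, all three `nfsVolume` resources mount with `nfsvers=3 hard async`; NFSv3 with the default `sec=sys` authenticates clients by IP only and has no transport protection, which deserves a comment on the `hydra-db` share in particular since it holds the database files — `# NOTE: NFSv3/AUTH_SYS — trust relies on the blowhole network boundary; consider sec=krb5p or NFSv4`. The `async` mount flag on the db volume is presumably intentional for throughput, but confirm the export on blowhole is not also `async`, since that combination can lose acknowledged writes on the database volume if the server loses power.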
@@ -0,0 +1,187 @@
+variable "flake_ref" {
+ type = string
+}
+
+variable "flake_sha" {
+ type = string
+}
+
+job "hydra" {
+ datacenters = [ "homelab-1" ]
+ type = "service"
+
+ constraint {
+ attribute = "${attr.unique.hostname}"
+ value = "blowhole"
+ }
+
+ group "svc" {
+ count = 1
+
+ volume "hydra-data" {
+ type = "csi"
+ source = "hydra-data"
+ read_only = false
+
+ attachment_mode = "file-system"
+ access_mode = "single-node-writer"
+ }
+
+ volume "hydra-nix" {
+ type = "csi"
+ source = "hydra-nix"
+ read_only = false
+
+ attachment_mode = "file-system"
+ access_mode = "single-node-writer"
+ }
+
+ volume "hydra-db" {
+ type = "csi"
+ source = "hydra-db"
+ read_only = false
+
+ attachment_mode = "file-system"
+ access_mode = "single-node-writer"
+ }
+
+ restart {
+ attempts = 5
+ delay = "5s"
+ }
+
+ network {
+ mode = "bridge"
+ }
+
+ service {
+ name = "hydra"
+ port = "3000"
+
+ check {
+ type = "http"
+ address_mode = "alloc"
+ path = "/"
+ port = "3000"
+ interval = "2s"
+ timeout = "2s"
+ }
+
+ connect {
+ sidecar_service {}
+ }
+ }
+
+ task "hydra" {
+ driver = "docker"
+
+ volume_mount {
+ volume = "hydra-data"
+ destination = "/var/lib/hydra"
+ read_only = false
+ }
+
+ volume_mount {
+ volume = "hydra-nix"
+ destination = "/nix-persist"
+ read_only = false
+ }
+
+ config {
+ nix_flake_ref = "${var.flake_ref}#nixngSystems.hydra.config.system.build.toplevel"
+ nix_flake_sha = var.flake_sha
+ entrypoint = [ "init" ]
+
+ devices = [
+ {
+ host_path = "/dev/fuse"
+ container_path = "/dev/fuse"
+ }
+ ]
+ privileged = true
+ }
+
+ vault {
+ policies = ["hydra-policy"]
+ }
+
+ resources {
+ cpu = 4000
+ memory = 4096
+ memory_max = 8096
+ }
+
+ template {
+ data = <