diff --git a/flake.nix b/flake.nix
index 811961d..5a07765 100644
--- a/flake.nix
+++ b/flake.nix
@@ -60,6 +60,7 @@
         nixng/containers/email/postfix
         nixng/containers/ds3os
         nixng/containers/gitea
+        nixng/containers/hydra
         nixng/containers/syncthing
 
         overlays/udp-over-tcp.nix
diff --git a/nixng/containers/hydra/default.nix b/nixng/containers/hydra/default.nix
new file mode 100644
index 0000000..e9d0856
--- /dev/null
+++ b/nixng/containers/hydra/default.nix
@@ -0,0 +1,13 @@
+{ inputs, lib, ... }:
+let
+  callPackage = lib.callPackagesWith {
+    inherit (inputs.nixng.nglib)
+      makeSystem;
+    inherit (inputs)
+      nixpkgs;
+  };
+in
+{
+  flake.nixngConfigurations.hydraPostgreSQL = callPackage ./postgresql.nix {};
+  flake.nixngConfigurations.hydra = callPackage ./hydra.nix {};
+}
diff --git a/nixng/containers/hydra/hydra.nix b/nixng/containers/hydra/hydra.nix
new file mode 100644
index 0000000..ecc3edb
--- /dev/null
+++ b/nixng/containers/hydra/hydra.nix
@@ -0,0 +1,118 @@
+{ makeSystem
+, nixpkgs
+}:
+makeSystem {
+  system = "x86_64-linux";
+  name = "nixng-hydra";
+  inherit nixpkgs;
+  config = { pkgs, config, lib, nglib, ... }:
+    {
+      config = {
+        dumb-init = {
+          enable = true;
+          type.services = {};
+        };
+        nix = {
+          package = pkgs.nixUnstable;
+          loadNixDb = true;
+          persistNix = "/nix-persist";
+          config = {
+            experimental-features = [ "nix-command" "flakes" ];
+            sandbox = true;
+            trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
+            substituters = [ "https://cache.nixos.org/" ];
+            ignored-acls = [ "system.nfs4_acl" ];
+            allowed-uris = [
+              "https://gitea.redalder.org"
+              "https://github.com"
+              "https://gitlab.com"
+              "https://git.sr.ht"
+              "https://raw.githubusercontent.com"
+              "https://media.forgecdn.net"
+            ];
+
+            builders-use-substitutes = true;
+            builders = "@/etc/nix/machines";
+          };
+        };
+        services.hydra = {
+          enable = true;
+          hydraURL = "https://hydra.redalder.org";
+          notificationSender = "hydra@redalder.org";
+          useSubstitutes = true;
+          adjustNiceness = true;
+
+          minimumDiskFree = 200;
+          minimumDiskFreeEvaluator = 100;
+
+          dbiFile = "/local/dbi";
+        };
+        services.socklog = {
+          enable = true;
+          unix = "/dev/log";
+        };
+
+        init.services.pgpass = {
+          script = pkgs.writeShellScript "pgpass" ''
+              ln -nsf /secrets/pgpass /var/lib/hydra/pgpass
+              ln -nsf /secrets/pgpass-www /var/lib/hydra/pgpass-www
+              ln -nsf /secrets/pgpass-queue-runner /var/lib/hydra/pgpass-queue-runner
+
+              chown hydra:hydra /secrets/pgpass
+              chown hydra-www:hydra /secrets/pgpass-www
+              chown hydra-queue-runner:hydra /secrets/pgpass-queue-runner
+              sv down pgpass
+            '';
+          enabled = true;
+        };
+
+        init.services.nix-daemon.environment.PATH = with pkgs;  lib.makeBinPath [
+          utillinux
+          runit
+          busybox
+          openssh
+          gzip
+        ];
+
+        system.activation =
+          let
+            machines = pkgs.writeText "machines" ''
+              eu.nixbuild.net x86_64-linux - 100 5 benchmark,big-parallel
+            '';
+            nix-machines = nglib.dag.dagEntryAnywhere ''
+              export PATH=${pkgs.busybox}/bin
+
+              mkdir -p /etc/nix
+              ln -s ${machines} /etc/nix/machines
+            '';
+
+            ssh_config = pkgs.writeText "ssh_config" ''
+              Host eu.nixbuild.net
+                PubkeyAcceptedKeyTypes ssh-ed25519
+                IdentityFile /ssh-key
+            '';
+            ssh_known_hosts = pkgs.writeText "ssh_known_hosts" ''
+              eu.nixbuild.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM
+            '';
+            ssh = nglib.dag.dagEntryAnywhere ''
+              export PATH=${pkgs.busybox}/bin
+
+              mkdir -p /etc/ssh
+              ln -s ${ssh_config} /etc/ssh/ssh_config
+              ln -s ${ssh_known_hosts} /etc/ssh/ssh_known_hosts
+            '';
+
+            ssh-key = nglib.dag.dagEntryAfter ["users"] ''
+              export PATH=${pkgs.busybox}/bin
+
+              cp /secrets/ssh-key /ssh-key
+              chmod 600 /ssh-key
+              chown hydra-queue-runner:root /ssh-key
+            '';
+          in
+            {
+              inherit ssh-key ssh nix-machines;
+            };
+      };
+    };
+}
diff --git a/nixng/containers/hydra/postgresql.nix b/nixng/containers/hydra/postgresql.nix
new file mode 100644
index 0000000..c5de5cb
--- /dev/null
+++ b/nixng/containers/hydra/postgresql.nix
@@ -0,0 +1,41 @@
+{ makeSystem
+, nixpkgs
+}:
+let
+  inherit (nixpkgs.lib)
+    singleton;
+in
+makeSystem {
+  system = "x86_64-linux";
+  name = "nixng-hydra-postgresql";
+  inherit nixpkgs;
+  config = { pkgs, config, ... }:
+    {
+      config = {
+        dumb-init = {
+          enable = true;
+          type.services = {};
+        };
+        services.postgresql = {
+          enable = true;
+          package = pkgs.postgresql_12;
+
+          initialScript = "/secrets/init.sql";
+          enableTCPIP = true;
+
+          authentication = "host  all all all          md5";
+
+          ensureDatabases = [ "hydra" ];
+          ensureExtensions = {
+            "pg_trgm" = [ "hydra" ];
+          };
+          ensureUsers = singleton {
+            name = "hydra";
+            ensurePermissions = {
+              "DATABASE \"hydra\"" = "ALL PRIVILEGES";
+            };
+          };
+        };
+      };
+    };
+}