diff --git a/modules/nixos/builder/default.nix b/modules/nixos/builder/default.nix index fa45bb5..7e091e2 100644 --- a/modules/nixos/builder/default.nix +++ b/modules/nixos/builder/default.nix @@ -29,10 +29,14 @@ in }; config = lib.mkIf cfg.enable { + nix.distributedBuilds = true; + nix.settings.builders-use-substitutes = true; + nix.buildMachines = [ { hostName = "builder.julian-mutter.de"; protocol = "ssh"; + sshUser = "nix"; systems = [ "x86_64-linux" "aarch64-linux" @@ -48,8 +52,5 @@ in mandatoryFeatures = [ ]; } ]; - nix.distributedBuilds = true; - # optional, useful when the builder has a faster internet connection than yours - # nix.extraOptions = " builders-use-substitutes = true\n"; }; } diff --git a/systems/x86_64-linux/builder/default.nix b/systems/x86_64-linux/builder/default.nix index 2c1fe7a..4974266 100644 --- a/systems/x86_64-linux/builder/default.nix +++ b/systems/x86_64-linux/builder/default.nix @@ -48,7 +48,6 @@ ]; }; - nix.settings.trusted-users = [ "@wheel" ]; nix.settings.experimental-features = [ "nix-command" "flakes" @@ -61,6 +60,10 @@ "https://cache.nixos.org/" ]; trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ]; + + trusted-users = [ "nix" ]; + max-jobs = "auto"; + cores = 0; }; # optimize store by hardlinking store files @@ -89,6 +92,15 @@ # linuxPackages.amdgpu-pro ]; + nix.nrBuildUsers = 64; + + # prevent memory to get filled + systemd.services.nix-daemon.serviceConfig = { + MemoryAccounting = true; + MemoryMax = "90%"; + OOMScoreAdjust = 500; + }; + # Ollama used by open-webui as llm backend services.ollama = { enable = true; @@ -101,6 +113,10 @@ host = "builder.julian-mutter.de"; }; + networking.firewall.allowedTCPPorts = [ + 80 + ]; + services.openssh = { enable = true; # require public key authentication for better security 
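Review bot: The new `sshUser = "nix"` entry still pins nothing about the remote host: the builder.julian-mutter.de machine has no `publicHostKey` (and no `sshKey`), so the root-owned nix-daemon SSH session relies on the builder's host key already being in root's known_hosts, and a missing or wrong entry either fails every remote build or, if host-key checking was relaxed elsewhere, lets a spoofed builder hand back arbitrary store paths that the client trusts as-is. Add the pinned key next to `sshUser`, e.g. `publicHostKey = "<base64 of the builder's ssh_host_ed25519_key.pub line>";`, and a `sshKey` path if the daemon should not use root's default identity. `builders-use-substitutes = true` also lets the builder fetch from its own substituters, which is fine as long as its `trusted-public-keys` list is reviewed.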
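Review bot: `trusted-users = [ "nix" ]` makes the build account root-equivalent on this host: a trusted user can override `substituters` and `trusted-public-keys` per invocation and import unsigned paths, and those paths are then served by nix-serve to every client of the binary cache. That is the usual requirement for a builder that receives unsigned inputs, but it deserves a comment saying so, e.g. `# needed so clients can push unsigned derivations; this user is effectively root on the store`. Note that `@wheel` was dropped from the list in this change, and the `nix` account is authorized with the same SSH key as root further down, so there is no real privilege separation between the two accounts; a dedicated key for `nix` would at least let it be rotated independently.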
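Review bot: The comment `# prevent memory to get filled` undersells what the block does, and the hard limit may be the wrong knob: `MemoryMax` on nix-daemon's cgroup covers every build sandbox it spawns, and once the sum crosses 90% the kernel OOM-kills inside that cgroup, aborting whichever build is largest rather than slowing it down. Consider adding `MemoryHigh = "80%";` above `MemoryMax` so builds are throttled before they are killed, and reword the comment to `# cap nix-daemon and all build sandboxes (its cgroup) so runaway builds are throttled/killed before the host itself runs out of memory`. The 90% figure is of total RAM and leaves nothing reserved for ollama, hydra and nginx on the same host, so a lower value may be appropriate.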
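Review bot: Opening TCP 80 and nothing else exposes Hydra and the binary cache over plaintext only: the nginx vhosts in the next hunk have `enableACME`/`forceSSL` commented out and `hydraURL` is `http://`, so Hydra's web login (admin password and session cookie) travels in the clear to `hydra.julian-mutter.de`. Either keep 80 closed until TLS is configured or open 443 alongside it with `networking.firewall.allowedTCPPorts = [ 80 443 ];` and enable `enableACME = true; forceSSL = true;` on both vhosts. The binary cache contents are integrity-protected by the nix-serve signature, but anyone on path can still see which paths clients fetch.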
@@ -111,9 +127,90 @@ users.users."root".openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi" ]; + users.users."nix".openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi" + ]; # security.pam.sshAgentAuth.enable = true; # enable sudo via ssh + services.hydra = { + enable = true; + hydraURL = "http://hydra.julian-mutter.de"; # externally visible URL + port = 3000; + notificationSender = "hydra@julian-mutter.de"; # e-mail of hydra service + # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines + buildMachinesFiles = [ ]; + # you will probably also want, otherwise *everything* will be built from scratch + useSubstitutes = true; + + minimumDiskFree = 5; # in GB + minimumDiskFreeEvaluator = 2; + + }; + + # add builder itself as build machine so system emulation is properly supported + nix.distributedBuilds = true; + nix.buildMachines = [ + { + hostName = "localhost"; + systems = [ + "x86_64-linux" + "aarch64-linux" + ]; + maxJobs = 4; + speedFactor = 3; + supportedFeatures = [ + "nixos-test" + "benchmark" + "big-parallel" + "kvm" + ]; + } + ]; + + # Uris allowed as flake inputs, otherwise hydra does not fetch them + nix.settings.allowed-uris = [ + "github:" + "gitlab:" + "git+https://github.com/hyprwm/Hyprland" + "https://github.com/hyprwm/Hyprland" + "https://github" + "https://gitlab" + "https://gitlab.julian-mutter.de" + "git+https://gitlab.julian-mutter.de" + ]; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + # recommendedTlsSettings = true; + # other Nginx options + virtualHosts."hydra.julian-mutter.de" = { + # enableACME = true; + # forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:3000"; + # proxyWebsockets = true; # needed if you need to use WebSocket + # extraConfig = + # # required when the target is 
also TLS server with multiple hosts + # "proxy_ssl_server_name on;" + + # # required when the server wants to use HTTP Authentication + # "proxy_pass_header Authorization;" + # ; + }; + }; + + virtualHosts."binarycache.julian-mutter.de" = { + locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}"; + }; + }; + + # =========== Binary Cache ========== + services.nix-serve = { + enable = true; + secretKeyFile = "/var/cache-priv-key.pem"; + }; + # ======================== DO NOT CHANGE THIS ======================== system.stateVersion = "23.11"; # ======================== DO NOT CHANGE THIS ========================
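Review bot: The `nix.settings.allowed-uris` entries `"https://github"` and `"https://gitlab"` are URI prefixes, not host names, so during Hydra's restricted evaluation they either admit any host beginning with those letters (`https://github.example.evil/...`, `https://gitlab-mirror.attacker/...`) or, on Nix releases that require the prefix to end at a path boundary, match nothing at all; either way they do not express "GitHub and GitLab". Replace them with full origins and a trailing slash, `"https://github.com/"` and `"https://gitlab.com/"`, and keep the explicit `gitlab.julian-mutter.de` entries; the `github:`/`gitlab:` scheme entries and the Hyprland URLs are fine as written. Separately, `secretKeyFile = "/var/cache-priv-key.pem"` sits in a world-traversable directory, and that key signs everything clients of `binarycache.julian-mutter.de` will trust; confirm it is mode 0400 and owned by the user nix-serve runs as, since the module does not enforce that.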