diff --git a/hosts/franz/default.nix b/hosts/franz/default.nix
index 9d9a129..8c7302e 100644
--- a/hosts/franz/default.nix
+++ b/hosts/franz/default.nix
@@ -25,6 +25,7 @@ in {
 ./sops.nix
 ./restic.nix
 ./arion
+ ./hydra.nix
 ];
 # Enable ZFS
@@ -32,6 +33,7 @@ in {
 networking.hostId = "f014fc43";
 systemd.enableEmergencyMode = false;
+ networking.firewall.enable = true;
 # Prevent zfs from being automounted by fstab auto discovery & zfs
 fileSystems."/storage/dataset".options = ["noauto"];
diff --git a/hosts/franz/hydra.nix b/hosts/franz/hydra.nix
new file mode 100644
index 0000000..1e72c15
--- /dev/null
+++ b/hosts/franz/hydra.nix
@@ -0,0 +1,28 @@
+{config, ...}: {
+ services.hydra = {
+ enable = true;
+ hydraURL = "http://localhost:3000"; # externally visible URL
+ notificationSender = "hydra@localhost"; # e-mail of hydra service
+ # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
+ buildMachinesFiles = [];
+ # you will probably also want, otherwise *everything* will be built from scratch
+ useSubstitutes = true;
+ };
+ nix.settings.allowed-uris = [
+ "github:"
+ "git+https://github.com/"
+ "git+ssh://github.com/"
+ "git+https://git.ghoscht.com/"
+ "git+ssh://git.ghoscht.com/"
+ "https://git.ghoscht.com/"
+ ];
+ networking.firewall = {
+ allowedTCPPorts = [config.services.hydra.port];
+ };
+ # nix.gc = {
+ # automatic = true;
+ # dates = "15 3 * * *"; # [1]
+ # };
+ #
+ nix.autoOptimiseStore = true;
+}
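Review bot: In hosts/franz/hydra.nix, `allowedTCPPorts = [config.services.hydra.port];` opens the Hydra web UI on every interface while `hydraURL` is plain `http://localhost:3000`, so logins and session cookies would cross the network unencrypted and the links Hydra generates would point at localhost. Unless that exposure is intended, keep Hydra on loopback with `listenHost = "localhost";` inside `services.hydra`, publish it through a TLS-terminating reverse proxy, and set `hydraURL` to that proxy's https address; the firewall entry can then be dropped or scoped with `networking.firewall.interfaces.<name>.allowedTCPPorts`. Separately, the `"github:"`, `"git+https://github.com/"` and `"git+ssh://github.com/"` entries in `nix.settings.allowed-uris` are prefix matches, so they admit any GitHub repository as an evaluation input. Narrowing them to the owners this host actually builds from (for example `"github:OWNER/"`, where OWNER is a placeholder) would keep restricted evaluation meaningful as a supply-chain control.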