{ lib, ... }:
{
  imports = [ ./hardware.nix ];

  networking.hostName = "build-coord";
  networking.domain = "wob01.infra.forkos.org";

  bagel.sysadmin.enable = true;

  bagel.services = {
    hydra.enable = true;
    hydra.builders = map (i: "builder-${builtins.toString i}") [4 5 10];

    # Arguably, the build-coordinator is the most sensitive piece of our own infrastructure.
    # Henceforth, it can run as well another sensitive piece of the system: the Vault.
    vault = {
      enable = true;
      domain = "vault.forkos.org";
    };
  };

  bagel.monitoring.exporters.hydra.enable = true;

  # Hydra is proxied.
  bagel.raito.v6-proxy-awareness.enable = true;

  system.stateVersion = "24.05";
  deployment.targetHost = "build-coord.wob01.infra.forkos.org";
}