diff --git a/modules/nixos/services/hydra/default.nix b/modules/nixos/services/hydra/default.nix
index 07b9926..2543900 100644
--- a/modules/nixos/services/hydra/default.nix
+++ b/modules/nixos/services/hydra/default.nix
@@ -10,6 +10,21 @@ with lib; let
 in {
 options.aa.services.hydra = with types; {
 enable = mkEnableOption "hydra";
+ hostname = mkOption {
+ type = str;
+ default = "hydra.kilonull.com";
+ description = ''
+ The hostname for the hydra instance
+ '';
+ };
+ acmeCertName = mkOption {
+ type = str;
+ default = "";
+ description = ''
+ If set to a non-empty string, forces SSL with the supplied acme
+ certificate.
+ '';
+ };
 };

 config = mkIf cfg.enable {
@@ -22,12 +37,27 @@ in {

 services.hydra = {
 enable = true;
- hydraURL = "http://localhost:3000";
+ hydraURL = "https://${cfg.hostname}";
 notificationSender = "hydra@localhost";
 buildMachinesFiles = [];
 useSubstitutes = true;
 };

+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts."hydra.kilonull.com" =
+ {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
+ };
+ }
+ // lib.optionalAttrs (cfg.acmeCertName != "") {
+ forceSSL = true;
+ useACMEHost = cfg.acmeCertName;
+ };
+ };
+
 nix.settings = {
 allowed-users = [
 "hydra"
diff --git a/systems/x86_64-linux/gospel/default.nix b/systems/x86_64-linux/gospel/default.nix
index 7c51624..42042ef 100644
--- a/systems/x86_64-linux/gospel/default.nix
+++ b/systems/x86_64-linux/gospel/default.nix
@@ -55,6 +55,10 @@
 };
 services.prometheus.enable = true;
 services.promtail.enable = true;
+ services.hydra = {
+ enable = true;
+ acmeCertName = "kilonull.com";
+ };
 hardware.audio.enable = true;
 hardware.bluetooth.enable = true;
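Review bot: `acmeCertName` uses the empty string as its "off" value, and its description never says that leaving it at the default keeps the virtual host on plain HTTP. Declaring it as `type = nullOr str; default = null;` and guarding with `cfg.acmeCertName != null` in the nginx block of the next hunk would make the unset state explicit. The description should then read along the lines of `ACME certificate name used to force TLS on the virtual host; when unset the proxy serves plain HTTP.` The `hostname` description could also say that the value feeds both `hydraURL` and the nginx virtual host. The options attrset closes inside this hunk, but the module's `let` bindings start above it.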
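Review bot: The nginx virtual host key is still the literal `virtualHosts."hydra.kilonull.com"` although `hydraURL` now follows `cfg.hostname`, so overriding the new option leaves the proxy answering for the old name; use `virtualHosts.${cfg.hostname} =` instead. `hydraURL` is also `https://` unconditionally while `forceSSL`/`useACMEHost` are merged only when `acmeCertName` is non-empty, so with the default value Hydra advertises HTTPS links while logins and session cookies would cross the proxy in clear text. Either derive the scheme from the same condition or assert that a certificate is set. `listenHost` is not set in the visible `services.hydra` block and the NixOS default binds every interface, so port 3000 may remain reachable around the TLS proxy unless a firewall rule outside this hunk blocks it; `listenHost = "127.0.0.1";` would close that path. The `config = mkIf cfg.enable {` block continues past the end of this hunk.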