diff --git a/hosts/binarycache/configuration.nix b/hosts/binarycache/configuration.nix
index 28ce8d86..1034fd51 100644
--- a/hosts/binarycache/configuration.nix
+++ b/hosts/binarycache/configuration.nix
@@ -22,9 +22,14 @@
 ../../services/nginx/nginx.nix
 ../../users/jrautiola.nix
 ../../users/cazfi.nix
+ ../../users/hydra.nix
 ];
- nix.settings.substituters = [];
+ nix.settings = {
+ # we don't want the cache to be a substitutor for itself
+ substituters = [];
+ trusted-users = ["hydra"];
+ };
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 services.openssh.enable = true;
@@ -40,6 +45,7 @@
 nameservers = ["1.1.1.1" "8.8.8.8"];
 };
+ # acme gets https certificates when we have dns
 # security.acme = {
 # acceptTerms = true;
 # defaults.email = "trash@unikie.com";
@@ -47,7 +53,8 @@
 services.nginx = {
 virtualHosts = {
- "cache.vedenemo.dev" = {
+ # "cache.vedenemo.dev" = {
+ "_" = {
 # enableACME = true;
 # forceSSL = true;
 default = true;
diff --git a/tasks.py b/tasks.py
index c9b87fc0..16ca8d75 100644
--- a/tasks.py
+++ b/tasks.py
@@ -75,6 +75,7 @@ class TargetHost:
 {
 "build01-dev": TargetHost(hostname="51.12.57.124", nixosconfig="build01"),
 "ghafhydra-dev": TargetHost(hostname="51.12.56.79", nixosconfig="ghafhydra"),
+ "binarycache": TargetHost(hostname="172.18.20.109", nixosconfig="binarycache"),
 }
 )
diff --git a/users/hydra.nix b/users/hydra.nix
new file mode 100644
index 00000000..ba36b9c4
--- /dev/null
+++ b/users/hydra.nix
@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
+#
+# SPDX-License-Identifier: Apache-2.0
+{...}: {
+ users.users = {
+ hydra = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILbycq53k6oz1VvTC8I7wYt1c5t2YGYd41MJUeakte5t hydra@build4"
+ ];
+ extraGroups = [];
+ };
+ };
+}
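Review bot: `trusted-users = ["hydra"]` in the first hunk of hosts/binarycache/configuration.nix gives the hydra account Nix daemon privileges that the Nix manual describes as essentially equivalent to root: a trusted user can import unsigned store paths and override substituter settings, so whoever holds the hydra@build4 key decides what this cache serves. If the account only uploads build results, an untrusted user can still copy in paths signed by a key listed in `trusted-public-keys`, which puts the trust in the signing key rather than in the SSH login; whether Hydra signs its outputs is not visible in this diff. If the entry stays, record the reason beside it, for example `# trusted-users is root-equivalent for the nix daemon; hydra needs it because <reason>`. The attribute set this setting lives in starts before the hunk.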
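Review bot: With the vhost renamed to the catch-all `"_"` and `enableACME`/`forceSSL` still commented out (third hunk of hosts/binarycache/configuration.nix), the cache answers any Host header over plain HTTP, so the integrity of what clients fetch rests entirely on their own signature checking. That is workable as a stopgap only if clients keep `require-sigs` enabled and pin this cache's public key, neither of which is visible here. I would make the temporary state explicit above the vhost: `# TODO: restore "cache.vedenemo.dev" with enableACME + forceSSL once DNS exists; plain HTTP until then, clients must verify signatures`. The virtualHosts block continues past the end of the hunk.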
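Review bot: The hydra account in users/hydra.nix is a normal login user whose authorized key carries no options, so the hydra@build4 key gets a PTY plus port and agent forwarding on the cache host, and the same commit lists this user in `trusted-users`. For a machine account that presumably only uploads store paths, the key entry can be narrowed with OpenSSH key options, e.g. `"restrict,from=\"<build4 address>\" ssh-ed25519 <key> hydra@build4"`, with a `command="..."` added once the exact store command the uploader runs is known. `extraGroups = [];` is the option's default and can be dropped.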