diff --git a/build/hydra-queue-runner.nix b/build/hydra-queue-runner.nix
new file mode 100644
index 00000000..61fe897e
--- /dev/null
+++ b/build/hydra-queue-runner.nix
@@ -0,0 +1,80 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+
+let
+  machines = [
+    "elated-minsky"
+    "goofy-hopcroft"
+    "hopeful-rivest"
+    "sleepy-brown"
+    "eager-heisenberg"
+    "enormous-catfish"
+    "growing-jennet"
+    "intense-heron"
+    "kind-lumiere"
+    "maximum-snail"
+    "sweeping-filly"
+  ];
+in
+{
+  imports = [
+    inputs.hydra-queue-runner.nixosModules.queue-runner
+  ];
+
+  age.secrets = lib.listToAttrs (
+    map (
+      machine:
+      lib.nameValuePair "${machine}-queue-runner-token" {
+        file = ./secrets/${machine}-queue-runner-token.age;
+      }
+    ) machines
+  );
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."queue-runner.hydra.nixos.org" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/".extraConfig = ''
+        # This is necessary so that grpc connections do not get closed early
+        # see https://stackoverflow.com/a/67805465
+        client_body_timeout 31536000s;
+        client_max_body_size 0;
+
+        grpc_pass grpc://${config.services.queue-runner-dev.grpc.address}:${toString config.services.queue-runner-dev.grpc.port};
+
+        grpc_read_timeout 31536000s; # 1 year in seconds
+        grpc_send_timeout 31536000s; # 1 year in seconds
+        grpc_socket_keepalive on;
+
+        grpc_set_header Host $host;
+        grpc_set_header X-Real-IP $remote_addr;
+        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        grpc_set_header X-Forwarded-Proto $scheme;
+      '';
+    };
+  };
+
+  services.queue-runner-dev = {
+    enable = true;
+    settings = {
+      dbUrl = "postgres://hydra@10.0.40.3:5432/hydra";
+      machineFreeFn = "DynamicWithMaxJobLimit";
+      stepSortFn = "WithRdeps";
+      # dispatchTriggerTimerInS?
+      queueTriggerTimerInS = 60;
+      concurrentUploadLimit = 48;
+      maxConcurrentDownloads = 48;
+      remoteStoreAddr = [
+        "s3://nix-cache?secret-key=/var/lib/hydra/queue-runner/keys/cache.nixos.org-1/secret&write-nar-listing=1&compression=zstd&compression-level=19&ls-compression=zstd&log-compression=zstd&index-debug-info=true"
+      ];
+      rootsDir = "/nix/var/nix/gcroots/hydra";
+      tokenListPath = map (machine: config.age.secrets."${machine}-queue-runner-token".path) machines;
+    };
+  };
+}
diff --git a/build/hydra.nix b/build/hydra.nix
index c7fcbbb6..b2c79bb7 100644
--- a/build/hydra.nix
+++ b/build/hydra.nix
@@ -104,6 +104,8 @@ in
     evaluator_workers = 16
     evaluator_max_memory_size = 8192
 
+    queue_runner_endpoint = http://${config.services.queue-runner-dev.rest.address}:${toString config.services.queue-runner-dev.rest.port}
+
     max_concurrent_evals = 1
 
     # increase the number of active compress slots (CPU is 48*2 on mimas)
diff --git a/build/mimas/default.nix b/build/mimas/default.nix
index 4694e7f5..dd6df4b7 100644
--- a/build/mimas/default.nix
+++ b/build/mimas/default.nix
@@ -3,6 +3,7 @@
     ../common.nix
     ../hydra.nix
     ../hydra-proxy.nix
+    ../hydra-queue-runner.nix
     ./boot.nix
     ./firewall.nix
     ./network.nix
diff --git a/build/secrets.nix b/build/secrets.nix
index db079967..c79a11b8 100644
--- a/build/secrets.nix
+++ b/build/secrets.nix
@@ -17,6 +17,54 @@ let
     rfc39-record-push = [ machines.pluto ];
     tarball-mirror-aws-credentials = [ machines.pluto ];
     zrepl-ssh-key = [ machines.titan ];
+
+    # builders/
+    elated-minsky-queue-runner-token = with machines; [
+      mimas
+      elated-minsky
+    ];
+    goofy-hopcroft-queue-runner-token = with machines; [
+      mimas
+      goofy-hopcroft
+    ];
+    hopeful-rivest-queue-runner-token = with machines; [
+      mimas
+      hopeful-rivest
+    ];
+    sleepy-brown-queue-runner-token = with machines; [
+      mimas
+      sleepy-brown
+    ];
+
+    # macs/
+    eager-heisenberg-queue-runner-token = with machines; [
+      mimas
+      eager-heisenberg
+    ];
+    enormous-catfish-queue-runner-token = with machines; [
+      mimas
+      enormous-catfish
+    ];
+    growing-jennet-queue-runner-token = with machines; [
+      mimas
+      growing-jennet
+    ];
+    intense-heron-queue-runner-token = with machines; [
+      mimas
+      intense-heron
+    ];
+    kind-lumiere-queue-runner-token = with machines; [
+      mimas
+      kind-lumiere
+    ];
+    maximum-snail-queue-runner-token = with machines; [
+      mimas
+      maximum-snail
+    ];
+    sweeping-filly-queue-runner-token = with machines; [
+      mimas
+      sweeping-filly
+    ];
   };
 in
 builtins.listToAttrs (
diff --git a/build/secrets/eager-heisenberg-queue-runner-token.age b/build/secrets/eager-heisenberg-queue-runner-token.age
new file mode 100644
index 00000000..92e6547b
--- /dev/null
+++ b/build/secrets/eager-heisenberg-queue-runner-token.age
@@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKT5Kw d2hBbAiEI7iLoP1c7WgXkJXnqfsy3GWPy23NZcHrb3A
+dIEVrctp2Ryu92cSBILUE+qeeLz0raQ1nTLGAPaZec4
+-> ssh-ed25519 NJQh8Q nThSL+PZmkUrXssS5YXqS1x4InMJMJKBma7/UpZcb3E
+WIVRniPt17W/GkOySUO/tFk0wlecxIMMZtcgV4caG0M
+-> ssh-ed25519 Gr9EaQ MTnHof1JOu4d5vObVatnKyhi20Da0K0v5TSyxhk7gwI
+YXIYyvGWR2cf6GJb7VL4aiu0gxKLyK1PyGhgw2vLJz8
+-> ssh-ed25519 3ENwVg rIi+Y4H0U+wkaO4zmIEbDd2Bd7tQnesw4yW+klqqQBM
+vd1c2lP+A5cyk2bfUoO09oPo49SnGzlXf95FrxuxRlA
+-> ssh-rsa MuWD+w
+moxeHv57SfIBrPVMvLiWZhh1qJHIii5maadnQZl8JUqjSDFpnPX4hXNIvwrqBau7
+Xn2X3tncgQ2Vp33757YembRDSOU7X06QASaRitxFrbHJu4iRIYwcyWoHbYn6jhPc
+9yK39sMNliHgZXDq2c0+DThV/PpvZd8yuVlP2oI5FqjlITjiFnTnJf+3c+uquc6v
+mxEwWUnrA8dSJD7RzcshW7swHu3FeC+MValEuiIQJaDlMUa211DhTGgtpSebuFrg
+Nlx+ZqS2k8LO2qAFyCemoMRMwod7VsCqtid6PxdEuwd8O0v7wfVafu0z+LCGMZoy
+SxKlCaVvDQJSzkAcj7EHvA
+-> ssh-ed25519 92bXiA bH6FYqVLVNbMBleHCALYbv7nykoIHcvaWlIvQnbyNRg
+joPDIXaqdMccBWdXvsvV9/ZlOVbE6pmrOFQ+WgUno68
+-> ssh-ed25519 Y121Gw kWm5O/sfXSAYRFsFWgKgWR3dUSKo2OFN5I0npz2x+TI
+wfbOq5meojODlRi3RZ+uFNokSPYLZNndB9nhp31wMTo
+--- /EhbVaVRVAyPOjTpmhTcRSh3kuyT/KoEkedwitZpTNk
+T,­h›vÙ	`÷Ÿ·HA´eGŠç_Ï jû<ÍO©¬7ü{’ë‘Ë£
+‰Å4ŸÐhãÊH1ên	QˆÚÜQHŸuÓ[Yÿ×²NÑ)¿™UëeC"Ä7Q¿§1^vj]ò®Ááz^ìû³ûlí."uØ«+9„þQ”
\ No newline at end of file
diff --git a/build/secrets/elated-minsky-queue-runner-token.age b/build/secrets/elated-minsky-queue-runner-token.age
new file mode 100644
index 00000000..7529eb9c
Binary files /dev/null and b/build/secrets/elated-minsky-queue-runner-token.age differ
diff --git a/build/secrets/enormous-catfish-queue-runner-token.age b/build/secrets/enormous-catfish-queue-runner-token.age
new file mode 100644
index 00000000..e5c2608b
Binary files /dev/null and b/build/secrets/enormous-catfish-queue-runner-token.age differ
diff --git a/build/secrets/goofy-hopcroft-queue-runner-token.age b/build/secrets/goofy-hopcroft-queue-runner-token.age
new file mode 100644
index 00000000..a2a2b420
--- /dev/null
+++ b/build/secrets/goofy-hopcroft-queue-runner-token.age
@@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKT5Kw hA/K9EJyGfAbGbokosZGVEJqasHjE2bgr2EpEN4O/iQ
+7GaeyhJHezMSytl+75UzkiLvbxMpWSKoYb7aEH/D1qU
+-> ssh-ed25519 h7xPTg oBM3m/s0x5ue87LfgCOpyTfs0R0N4dmKwa7oW/R+nCQ
+HTxdFwkGtkCficUjMSe1bE95fv5gwMEvIlaNPb+LJvM
+-> ssh-ed25519 Gr9EaQ GdbCzg5bOJlVsTebVEE+y6StuiH1kZRG07D/bt1zuww
+EZqucrVkaX6ZTGJT0aiHmp4o9Z3IUIk82Df1Z2YkU5s
+-> ssh-ed25519 3ENwVg Ky1YIXGrt+UX5y745wePV1pulUHrr1yXzFRd+MHEITc
+BmWr551rvrtWl2PxD/+qYodybA0xA6Z/1Noza0te+Vo
+-> ssh-rsa MuWD+w
+RjaIoseiPazdSz75+ly66RqY0IhyQPBtltWLgGEYzhTkmzpnQNcUVpwgiPSzbt5X
+y7o+o+QPaHeds5suS42ZzUPahhLp1v5ehVaMXvsmqxkOZfODLxF3GGoFj4SG/YjJ
+aDd+bagUql7HX0cZRp51LpnitzOxayd8qeUZg51mqFi8uWV1DBSYrFdcVHBNeGuQ
+AbdUl9tqFtYilqcBJhCJOsKsiUsrX2bC6ZP8A6Pmt3gl8UR8nJLhD5TwQH6FCxDO
+iKbY21BwiKH8CJhQTNix6uwmTOwlX9mp8N6UNmqWuXB/3F4NmpyubnUvG9t0QGVl
+EsS5dlQ04JG/WrWDQpOR/w
+-> ssh-ed25519 92bXiA 7EaMly7GPo9fPETY606UO9in6bhbkQhgRxsO2u5Bgws
+IzeyNKnkYt8lwTk1TRxLooJJJmPFxIYZJAoDHm1Oqtg
+-> ssh-ed25519 Y121Gw 3tlRc4oDBLx1/Dn/KwnyUzg/odwMGLaFDksNB5RTqCk
+TJhtG/2/0PL7k84hQyAFEvLAFyZYP1W8erUpCANG7Mw
+--- mKpJ626SlxFTL7kt2BJOna043kiReyoMA8hl604J2hc
+H²&ÅéµÛ=LÐ÷Gž›*t2I¦‡îÁÂ˜SÌ_›ñûX(ýk£ÒÛ(Í4NàYtœrJ^K0b&—?å¨#ÕœÂS=1æjÉ°ƒŒVQÞ¨Fx±óQÕF³H¡g´â4osÖ	Í‡ªlÆ~±tg;!ï€%O
\ No newline at end of file
diff --git a/build/secrets/growing-jennet-queue-runner-token.age b/build/secrets/growing-jennet-queue-runner-token.age
new file mode 100644
index 00000000..89ccb996
Binary files /dev/null and b/build/secrets/growing-jennet-queue-runner-token.age differ
diff --git a/build/secrets/hopeful-rivest-queue-runner-token.age b/build/secrets/hopeful-rivest-queue-runner-token.age
new file mode 100644
index 00000000..78c05957
--- /dev/null
+++ b/build/secrets/hopeful-rivest-queue-runner-token.age
@@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKT5Kw jz7oaOXlftKuXEIeFcFXacn0gcDuQhGkZRLmf0QTPXQ
+Br67PR4rBrZaKbP/X8X4vFkPq8L5IiNicvfXBvuaVdw
+-> ssh-ed25519 BaUP3w 8o3MNSWRhtrCgaqdQsBfmmg3LCAD9khNCXNlTAgegzE
+c137Ep8omrJBRcnqbRMwVB87CyB66u07qj5Xjor8hSY
+-> ssh-ed25519 Gr9EaQ tEa19teKlX3ZXJBOmBnOLU9GwnkDlfSdUzxaAMsY+3Y
+gWS3dYhg6psO0WNCD+s0kjqzapOnU4hQgWrcKh0iDbk
+-> ssh-ed25519 3ENwVg LiSqdv8ukjIjACQwk6203kkNotG+oRgGTkqsITRNjiU
+jOnUs9E5Tcu9eEnR8WXW277LZ+tRNyqM4b3Hg8EGu/8
+-> ssh-rsa MuWD+w
+enx5oiARoCPhm1D/MIdgIh2kjZFx4rxszCmW0j7RaS0SXDPu79c1QENwgemQdvLY
+uwX6teB+LkkWdcA6AFqY2FclopBRZq15OQuMoztBjwGPUIlk8H8OHrusViDJuGNm
+zdWsL4htncmTUWaX31V1ZX/v+KFl2Zp5Mmpn8x4C21wm5d42SOd5VRnw/OlziJGX
+gUG2DqLpoKzXDG9SAsKfk417Akfb8RtlVza6/tb57hThi9EsORK+BnTsUt6r6H84
+NvTuqnOJJFOEWqeRz1UjLij/gI10LQvcxCzhXC/SqkG7FaMXQ92WAZ5hH7AePSEE
+I/OlAU2wPj+GmPFePPODSA
+-> ssh-ed25519 92bXiA nYLjnIjeF+TmJbVdCtdqK042xnYDpF4naM1u7up31SI
+yVhUbve1xiySx+dqRcWdJQOYB2TRGdALa0l4hu1UnbM
+-> ssh-ed25519 Y121Gw kxYp6X5VV1QRwo1HrTUCbdBHgKMjkI2AUnUnqGe3dCE
+Rl2LfKLy9BQi47ktXCm+T7G6sbkBsuYaoxt5oTH2uPI
+--- X3Fr2TVxWyEW1hm8h7eKwGJHJg3BjywJddTp5OLolF4
+0vO®—smóÌˆ IKÍú'}"ÎƒúªS¶*¼ß²|OÞçEü$õÑxÃ×W¾¦‹nå®ú;3ô˜”ƒtp%ôí­\XèG4lÓöBYÂë¨yœÿmìÃÇ® >†“´æ´k×ð+ŠªëÝ²±»ÎR¹om)³þ`
\ No newline at end of file
diff --git a/build/secrets/intense-heron-queue-runner-token.age b/build/secrets/intense-heron-queue-runner-token.age
new file mode 100644
index 00000000..d67fe54e
Binary files /dev/null and b/build/secrets/intense-heron-queue-runner-token.age differ
diff --git a/build/secrets/kind-lumiere-queue-runner-token.age b/build/secrets/kind-lumiere-queue-runner-token.age
new file mode 100644
index 00000000..1db82fff
--- /dev/null
+++ b/build/secrets/kind-lumiere-queue-runner-token.age
@@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKT5Kw 8g2rqFnJ23pFpD4PniCDMPiueSroGH2yShkpHtPvZDc
+ZyYcqRHGP4H4ElRs3rNAOzJ7In3MnVT8/2NcLHga8Ho
+-> ssh-ed25519 jPdm4A k+8PUnPBFILqbb0Ikf2DMJEYVsLPwDtjYgQ6dVyNenc
+e1mhAEQhzVsnznBJRsMEp3gYOO00Gmf4BCvHsXpFELU
+-> ssh-ed25519 Gr9EaQ P0yT0M8e8ihKqossmqnIJc6074NXZ8KJmVL03BN7eV0
+GHWdPlIDCMFf7Pca4GXfRnhZ2NJAmM0doPsMThY+iVQ
+-> ssh-ed25519 3ENwVg UzvZZ0rFG3KaPQ6G6Oq4U/EQ3RRmPxyo6xF0tgadDDs
+vPUm8mpqVeiBGpxGUTnYACn7tOQDcuFP3E2gWLToyXY
+-> ssh-rsa MuWD+w
+qSOhRpEjjuMyt+nRRC8Yd1fInXTReZqLCp6GZoRnYbO69a1AIQwU1HU5CtAHbVFe
+8dIerlh4deN/T6wW3EvxM5hAA5co7kV68t3fgHGyQBdVGJvPuQRWaduSv21O/wbv
+epmGODM9YwFfnPMDHXqTzt+NYEJIJoUVpH1YTTfeZDyoRza2gJ5hoSPFXtomVHL4
+lO1+wcldYuELgY8bCeZpFP0kPmK7STYTa7LZxEF/yjqM2ZXhS6qOTV2+yRZhSKEy
+RizOnW0ePWrCSIVvxIr4+sGlKW5cwAqeatxiPZz7/3RFSxHBG9RC/ZZEmaZUF9Er
+cjILgCnk3lZJDnmpU6/+JA
+-> ssh-ed25519 92bXiA 4jz8lFxCSjJBJKWZTtxYruYiuQuJytQ8utDYZccQwFY
+zdLlneAU2P7zjDCC6tWVjySgJctB4Y5VXwEkvzqjhoU
+-> ssh-ed25519 Y121Gw Bhy7yX2r7RWBeS/K0bMVwXbvzYVAW88pzOHVtTKKIVQ
+Q9wuHdoI4SRXmjSA7iUUljjcO6dzPublR79rvPSlTlg
+--- 2DnKmT2R9XL5DR6z7+amRi5Y/8GphgkifpngTogcU/A
+âˆ½,n‡¦Ý”"¨Ö%¶bÐKDµ ÊƒW‘v¾ôºæ‚6ˆÜ#ÜK4(Jfí*|ÚùãßN¸(ªÌÍÉèÚçâ:Æg¨Yð}ZuR1.©œEÉtñÿPôkMÉ
+ë;k¬³è©œsæ»c†~ë|éÈ¶
\ No newline at end of file
diff --git a/build/secrets/maximum-snail-queue-runner-token.age b/build/secrets/maximum-snail-queue-runner-token.age
new file mode 100644
index 00000000..1f130edb
Binary files /dev/null and b/build/secrets/maximum-snail-queue-runner-token.age differ
diff --git a/build/secrets/sleepy-brown-queue-runner-token.age b/build/secrets/sleepy-brown-queue-runner-token.age
new file mode 100644
index 00000000..6d24aebb
--- /dev/null
+++ b/build/secrets/sleepy-brown-queue-runner-token.age
@@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKT5Kw r8aZ+OCr9AE4h0zattrGpFPwBcnb28/Mj7vNC5EEHDE
+SaN75cMS6o0bcuIzeKF8siNu0P7rvJN4DLnL0R07t3M
+-> ssh-ed25519 le38mA 0syXJIHthuMy1Y6LbrfQX1QcADyJMOfmFbwzf3cQlHM
+X9HHBlfYBG64Awu+TZaA463Om18A7kSu7pMYwIDkehk
+-> ssh-ed25519 Gr9EaQ Wqex4/CIJTL+sm5GAlb0Du8mIjDz3QmvO7veYAQ+nmo
+o//67CmR5wPgSzLuF4exx4mW+FstyQunBqeDgs9HUk8
+-> ssh-ed25519 3ENwVg 5XF6k6rMk59p53Hw6nSak8iajZ7XzLJ5jOQ7aPwkdng
++YUOjq/VopumkLhVshF4GdzkjqO1aNMrfkx3TZaPtaA
+-> ssh-rsa MuWD+w
+gsSEjSCIFzKTsOXvJay3Ij9OpefMoAGL7AjXW1mQ4TvCVWO5M7gqYLrlgANKwMGK
+sm9tpNtncFn7hC7G3YWBOU/InMIQ/qlgL5jhRBhZpou/DKMtDA+IDVZJYvSQMcT1
+9467zxSpFtnjrmzW/6cnX3jjLlTRCc4AupoS1pMIeJ2gwZBNiCklS+QGPQTQiG/O
+oF1nA0h/08pCbrLHIwilhFmekDzg99EesiZ3Hbqc7+kz8kbaIV9iUqFsRvV1Dwzm
+K6wIQXf5nhcCkt/SAFSS/ZwwHOr19B0OR3t6L4dYMa+bl/LxW0yXYzvMo4rp07Mn
+oXFd+BuBEwzHI1x8wrTmUQ
+-> ssh-ed25519 92bXiA +t2D5pUYWeTRPTT7vrNYZirRUWKQO0gw5RB3o+CV0yk
+b5DsQ3FUMO14U7NB7H4G9ngpw5gfPTrYXIKa7yy5Wq4
+-> ssh-ed25519 Y121Gw X0D49VhFJ2kZqJATUmuKhJfQ6TIAZCkWDl2u6dqnQSk
+O0JtjZWXrS/NY/FXYB14kM3MpuoAaTd2Bf1oWw7REc4
+--- a+IPhlc1ru44iR5eHXGVe0X2fqgcSj03Lk1lyB3sZZg
+ˆ¿*‡]HHX![‡(+Fñ;8ûši¨O¦çÔU‘’Å&J'67˜þ=›I²aý1ÆÐSž6
+.ËÁep!4Â‚´d²ÉîuLú*‰ýßÇDWG˜<ëbG~`Þ£ÙÚ­ËƒD£€]¹c§¯¡å¥m’|#\Ymôä;
\ No newline at end of file
diff --git a/build/secrets/sweeping-filly-queue-runner-token.age b/build/secrets/sweeping-filly-queue-runner-token.age
new file mode 100644
index 00000000..6cc5390f
Binary files /dev/null and b/build/secrets/sweeping-filly-queue-runner-token.age differ
diff --git a/builders/common/hydra-queue-builder.nix b/builders/common/hydra-queue-builder.nix
new file mode 100644
index 00000000..c19e0ca8
--- /dev/null
+++ b/builders/common/hydra-queue-builder.nix
@@ -0,0 +1,22 @@
+{
+  config,
+  inputs,
+  ...
+}:
+
+{
+  imports = [
+    inputs.hydra-queue-runner.nixosModules.queue-builder
+  ];
+
+  age.secrets."queue-runner-token" = {
+    file = ../../build/secrets/${config.networking.hostName}-queue-runner-token.age;
+  };
+
+  services.queue-builder-dev = {
+    enable = true;
+    queueRunnerAddr = "https://queue-runner.hydra.nixos.org";
+    authorizationFile = config.age.secrets."queue-runner-token".path;
+    maxJobs = config.nix.settings.max-jobs;
+  };
+}
diff --git a/builders/flake-module.nix b/builders/flake-module.nix
index 4ac758bb..33387f6d 100644
--- a/builders/flake-module.nix
+++ b/builders/flake-module.nix
@@ -7,13 +7,17 @@
         inputs.nixpkgs.lib.nixosSystem {
           inherit system;
 
+          specialArgs = { inherit inputs; };
+
           modules = [
+            inputs.agenix.nixosModules.age
             inputs.disko.nixosModules.disko
 
             ./common/hardening.nix
             ./common/network.nix
             ./common/nix.nix
             ./common/node-exporter.nix
+            ./common/hydra-queue-builder.nix
             ./common/system.nix
             ./common/tools.nix
             ./common/update.nix
@@ -37,4 +41,14 @@
       # Ampere Q80-30 (80C), 128 GB DDR4 RAM, 2x960GB PCIe4 NVME
       hopeful-rivest = mkNixOS "aarch64-linux" ./instances/hopeful-rivest.nix;
     };
+
+  perSystem =
+    { pkgs, inputs', ... }:
+    {
+      devShells.builders = pkgs.mkShell {
+        buildInputs = [
+          inputs'.agenix.packages.agenix
+        ];
+      };
+    };
 }
diff --git a/dns/nixos.org.js b/dns/nixos.org.js
index 58fe3f7f..7590af75 100644
--- a/dns/nixos.org.js
+++ b/dns/nixos.org.js
@@ -72,6 +72,7 @@ D("nixos.org",
 	A("mimas", "157.90.104.34"),
 	AAAA("mimas", "2a01:4f8:2220:11c8::1"),
 	CNAME("hydra", "mimas"),
+	CNAME("queue-runner.hydra", "mimas"),
 
 	A("pluto", "37.27.99.100"),
 	AAAA("pluto", "2a01:4f9:3070:15e0::1"),
diff --git a/flake.lock b/flake.lock
index 8495ed7f..f76e3be5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -98,13 +98,13 @@
       "locked": {
         "lastModified": 1765066094,
         "narHash": "sha256-0YSU35gfRFJzx/lTGgOt6ubP8K6LeW0vaywzNNqxkl4=",
-        "owner": "LnL7",
+        "owner": "nix-darwin",
         "repo": "nix-darwin",
         "rev": "688427b1aab9afb478ca07989dc754fa543e03d5",
         "type": "github"
       },
       "original": {
-        "owner": "LnL7",
+        "owner": "nix-darwin",
         "ref": "nix-darwin-25.11",
         "repo": "nix-darwin",
         "type": "github"
@@ -315,6 +315,36 @@
         "type": "github"
       }
     },
+    "hydra-queue-runner": {
+      "inputs": {
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-unstable": [
+          "nixpkgs-unstable"
+        ],
+        "treefmt-nix": [
+          "treefmt-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1766449587,
+        "narHash": "sha256-dDjBEDi9VP0ThFcMmoRYQ/JWw+h3myxhWotfu3TpYhk=",
+        "owner": "mweinelt",
+        "repo": "hydra-queue-runner",
+        "rev": "70948823e5d16a792361c6f05e395e1c3143a75e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "mweinelt",
+        "ref": "flake-modules-fix",
+        "repo": "hydra-queue-runner",
+        "type": "github"
+      }
+    },
     "nft-prefix-import": {
       "inputs": {
         "nixpkgs": [
@@ -492,6 +522,7 @@
         "flake-utils": "flake-utils",
         "freescout": "freescout",
         "hydra": "hydra",
+        "hydra-queue-runner": "hydra-queue-runner",
         "nft-prefix-import": "nft-prefix-import",
         "nixos-channel-scripts": "nixos-channel-scripts",
         "nixpkgs": "nixpkgs",
diff --git a/flake.nix b/flake.nix
index dd72d3c3..2d6062f8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -17,6 +17,14 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    hydra-queue-runner = {
+      url = "github:mweinelt/hydra-queue-runner/flake-modules-fix";
+      inputs.flake-utils.follows = "flake-utils";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs-unstable.follows = "nixpkgs-unstable";
+      inputs.treefmt-nix.follows = "treefmt-nix";
+    };
+
     nixos-channel-scripts = {
       url = "github:NixOS/nixos-channel-scripts";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -36,7 +44,7 @@
     };
 
     darwin = {
-      url = "github:LnL7/nix-darwin/nix-darwin-25.11";
+      url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
diff --git a/macs/common.nix b/macs/common.nix
index 335f4a9c..fa3b1ccd 100644
--- a/macs/common.nix
+++ b/macs/common.nix
@@ -20,6 +20,10 @@ let
 in
 
 {
+  imports = [
+    ./hydra-queue-builder.nix
+  ];
+
   environment.darwinConfig = "/nix/home/darwin-config/macs/nix-darwin.nix";
   environment.systemPackages = [
     config.nix.package
diff --git a/macs/flake-module.nix b/macs/flake-module.nix
index f4187ca5..f993cd7b 100644
--- a/macs/flake-module.nix
+++ b/macs/flake-module.nix
@@ -7,6 +7,10 @@
         inputs.darwin.lib.darwinSystem {
           system = "aarch64-darwin";
 
+          specialArgs = {
+            inherit inputs;
+          };
+
           modules = [
             {
               networking = { inherit localHostName; };
diff --git a/macs/hydra-queue-builder.nix b/macs/hydra-queue-builder.nix
new file mode 100644
index 00000000..1fc02818
--- /dev/null
+++ b/macs/hydra-queue-builder.nix
@@ -0,0 +1,24 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+
+{
+  imports = [
+    inputs.agenix.darwinModules.age
+    inputs.hydra-queue-runner.darwinModules.queue-builder
+  ];
+
+  age.secrets."queue-runner-token" = {
+    file = ../build/secrets/${config.networking.localHostName}-queue-runner-token.age;
+  };
+
+  services.queue-builder-dev = {
+    enable = true;
+    queueRunnerAddr = "https://queue-runner.hydra.nixos.org";
+    authorizationFile = config.age.secrets."queue-runner-token".path;
+    maxJobs = if lib.elem "big-parallel" (config.nix.settings.system-features or [ ]) then 2 else 4;
+  };
+}
diff --git a/macs/profiles/m2.large.nix b/macs/profiles/m2.large.nix
index fe87e7a8..13b7bffb 100644
--- a/macs/profiles/m2.large.nix
+++ b/macs/profiles/m2.large.nix
@@ -4,5 +4,6 @@
   nix.settings = {
     cores = 4;
     max-jobs = 2;
+    system-features = [ "big-parallel" ];
   };
 }
diff --git a/non-critical-infra/hosts/staging-hydra/default.nix b/non-critical-infra/hosts/staging-hydra/default.nix
index 1a809c1b..06c77041 100644
--- a/non-critical-infra/hosts/staging-hydra/default.nix
+++ b/non-critical-infra/hosts/staging-hydra/default.nix
@@ -5,11 +5,8 @@
     inputs.srvos.nixosModules.server
     inputs.srvos.nixosModules.hardware-hetzner-cloud-arm
     ../../modules/common.nix
-    ../../modules/hydra-queue-runner-v2.nix
-    ../../modules/hydra-queue-builder-v2.nix
     ./hydra-proxy.nix
     ./hydra.nix
-    inputs.hydra.nixosModules.hydra
   ];
 
   nixpkgs.overlays = [
diff --git a/non-critical-infra/hosts/staging-hydra/hydra.nix b/non-critical-infra/hosts/staging-hydra/hydra.nix
index 40b30626..fbc7c476 100644
--- a/non-critical-infra/hosts/staging-hydra/hydra.nix
+++ b/non-critical-infra/hosts/staging-hydra/hydra.nix
@@ -2,6 +2,7 @@
   lib,
   pkgs,
   config,
+  inputs,
   ...
 }:
 let
@@ -12,6 +13,11 @@ let
   ];
 in
 {
+  imports = [
+    inputs.hydra.nixosModules.hydra
+    inputs.hydra-queue-runner.nixosModules.queue-runner
+  ];
+
   networking.firewall.allowedTCPPorts = [
     9198 # queue-runnner metrics
     9199 # hydra-notify metrics
@@ -118,7 +124,7 @@ in
       '';
     };
 
-    hydra-queue-runner-v2 = {
+    queue-runner-dev = {
       enable = true;
       settings = {
         queueTriggerTimerInS = 300;
diff --git a/non-critical-infra/modules/hydra-queue-builder-v2.nix b/non-critical-infra/modules/hydra-queue-builder-v2.nix
deleted file mode 100644
index 58b89c5d..00000000
--- a/non-critical-infra/modules/hydra-queue-builder-v2.nix
+++ /dev/null
@@ -1,285 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  cfg = config.services.hydra-queue-builder-v2;
-in
-{
-  options = {
-    services.hydra-queue-builder-v2 = {
-      enable = lib.mkEnableOption "QueueBuilder";
-
-      queueRunnerAddr = lib.mkOption {
-        description = "Queue Runner address to the grpc server";
-        type = lib.types.singleLineStr;
-      };
-
-      pingInterval = lib.mkOption {
-        description = "Interval in which pings are send to the runner";
-        type = lib.types.ints.positive;
-        default = 10;
-      };
-
-      speedFactor = lib.mkOption {
-        description = "Additional Speed factor for this machine";
-        type = lib.types.oneOf [
-          lib.types.ints.positive
-          lib.types.float
-        ];
-        default = 1;
-      };
-
-      maxJobs = lib.mkOption {
-        description = "Maximum allowed of jobs. This only is used if the queue runner uses this metrics for determining free machines.";
-        type = lib.types.ints.positive;
-        default = 4;
-      };
-
-      tmpAvailThreshold = lib.mkOption {
-        description = "Threshold in percent free for /tmp before jobs are no longer scheduled on the machine";
-        type = lib.types.float;
-        default = 10.0;
-      };
-
-      storeAvailThreshold = lib.mkOption {
-        description = "Threshold in percent free for /nix/store before jobs are no longer scheduled on the machine";
-        type = lib.types.float;
-        default = 10.0;
-      };
-
-      load1Threshold = lib.mkOption {
-        description = "Maximum Load1 threshold before we stop scheduling jobs on that node. Only used if PSI is not available.";
-        type = lib.types.float;
-        default = 8.0;
-      };
-
-      cpuPsiThreshold = lib.mkOption {
-        description = "Maximum CPU PSI in the last 10s before we stop scheduling jobs on that node";
-        type = lib.types.float;
-        default = 75.0;
-      };
-
-      memPsiThreshold = lib.mkOption {
-        description = "Maximum Memory PSI in the last 10s before we stop scheduling jobs on that node";
-        type = lib.types.float;
-        default = 80.0;
-      };
-
-      ioPsiThreshold = lib.mkOption {
-        description = "Maximum IO PSI in the last 10s before we stop scheduling jobs on that node. If null then this pressure check is disabled.";
-        type = lib.types.nullOr lib.types.float;
-        default = null;
-      };
-
-      systems = lib.mkOption {
-        description = "List of supported systems. If none are passed, system and extra-platforms are read from nix.";
-        type = lib.types.listOf lib.types.singleLineStr;
-        default = [ ];
-      };
-
-      supportedFeatures = lib.mkOption {
-        description = "Pass supported features to the builder. If none are passed, system features will be used.";
-        type = lib.types.listOf lib.types.singleLineStr;
-        default = [ ];
-      };
-
-      mandatoryFeatures = lib.mkOption {
-        description = "Pass mandatory features to the builder.";
-        type = lib.types.listOf lib.types.singleLineStr;
-        default = [ ];
-      };
-
-      useSubstitutes = lib.mkOption {
-        description = "Use substitution for paths";
-        type = lib.types.bool;
-        default = true;
-      };
-
-      authorizationFile = lib.mkOption {
-        description = "Path to token authorization file if token auth should be used.";
-        type = lib.types.nullOr lib.types.path;
-        default = null;
-      };
-
-      mtls = lib.mkOption {
-        description = "mtls options";
-        default = null;
-        type = lib.types.nullOr (
-          lib.types.submodule {
-            options = {
-              serverRootCaCertPath = lib.mkOption {
-                description = "Server root ca certificate path";
-                type = lib.types.path;
-              };
-              clientCertPath = lib.mkOption {
-                description = "Client certificate path";
-                type = lib.types.path;
-              };
-              clientKeyPath = lib.mkOption {
-                description = "Client key path";
-                type = lib.types.path;
-              };
-              domainName = lib.mkOption {
-                description = "Domain name for mtls";
-                type = lib.types.singleLineStr;
-              };
-            };
-          }
-        );
-      };
-
-      package = lib.mkOption {
-        type = lib.types.package;
-        default = (lib.recurseIntoAttrs (pkgs.callPackage ../packages/hydra-queue-runner { })).builder;
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    systemd.services.hydra-queue-builder-v2 = {
-      description = "hydra-queue-builder-v2 main service";
-
-      requires = [ "nix-daemon.socket" ];
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-
-      environment = {
-        NIX_REMOTE = "daemon";
-        LIBEV_FLAGS = "4"; # go ahead and mandate epoll(2)
-        RUST_BACKTRACE = "1";
-
-        # Note: it's important to set this for nix-store, because it wants to use
-        # $HOME in order to use a temporary cache dir. bizarre failures will occur
-        # otherwise
-        HOME = "/run/hydra-queue-builder-v2";
-      };
-
-      serviceConfig = {
-        Type = "notify";
-        Restart = "always";
-        RestartSec = "5s";
-
-        ExecStart = lib.escapeShellArgs (
-          [
-            (lib.getExe cfg.package)
-            "--gateway-endpoint"
-            cfg.queueRunnerAddr
-            "--ping-interval"
-            cfg.pingInterval
-            "--speed-factor"
-            cfg.speedFactor
-            "--max-jobs"
-            cfg.maxJobs
-            "--tmp-avail-threshold"
-            cfg.tmpAvailThreshold
-            "--store-avail-threshold"
-            cfg.storeAvailThreshold
-            "--load1-threshold"
-            cfg.load1Threshold
-            "--cpu-psi-threshold"
-            cfg.cpuPsiThreshold
-            "--mem-psi-threshold"
-            cfg.memPsiThreshold
-          ]
-          ++ lib.optionals (cfg.ioPsiThreshold != null) [
-            "--io-psi-threshold"
-            cfg.ioPsiThreshold
-          ]
-          ++ (builtins.concatMap (v: [
-            "--systems"
-            v
-          ]) cfg.systems)
-          ++ (builtins.concatMap (v: [
-            "--supported-features"
-            v
-          ]) cfg.supportedFeatures)
-          ++ (builtins.concatMap (v: [
-            "--mandatory-features"
-            v
-          ]) cfg.mandatoryFeatures)
-          ++ lib.optionals (cfg.useSubstitutes != null) [
-            "--use-substitutes"
-          ]
-          ++ lib.optionals (cfg.authorizationFile != null) [
-            "--authorization-file"
-            cfg.authorizationFile
-          ]
-          ++ lib.optionals (cfg.mtls != null) [
-            "--server-root-ca-cert-path"
-            cfg.mtls.serverRootCaCertPath
-            "--client-cert-path"
-            cfg.mtls.clientCertPath
-            "--client-key-path"
-            cfg.mtls.clientKeyPath
-            "--domain-name"
-            cfg.mtls.domainName
-          ]
-        );
-
-        User = "hydra-queue-builder";
-        Group = "hydra";
-
-        ReadWritePaths = [
-          "/nix/var/nix/gcroots/"
-          "/nix/var/nix/daemon-socket/socket"
-        ];
-        ReadOnlyPaths = [ "/nix/" ];
-        RuntimeDirectory = "hydra-queue-builder-v2";
-
-        PrivateNetwork = false;
-        SystemCallFilter = [
-          "@system-service"
-          "~@privileged"
-          "~@resources"
-        ];
-
-        ProtectSystem = "strict";
-        ProtectHome = true;
-        PrivateTmp = true;
-        PrivateDevices = true;
-        ProtectKernelTunables = true;
-        ProtectControlGroups = true;
-        RestrictSUIDSGID = true;
-        PrivateMounts = true;
-        RemoveIPC = true;
-        UMask = "0077";
-
-        CapabilityBoundingSet = "";
-        NoNewPrivileges = true;
-
-        ProtectKernelModules = true;
-        SystemCallArchitectures = "native";
-        ProtectKernelLogs = true;
-        ProtectClock = true;
-
-        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
-
-        LockPersonality = true;
-        ProtectHostname = true;
-        RestrictRealtime = true;
-        MemoryDenyWriteExecute = true;
-        PrivateUsers = true;
-        RestrictNamespaces = true;
-      };
-    };
-    systemd.tmpfiles.rules = [
-      "d /nix/var/nix/gcroots/per-user/hydra-queue-builder 0755 hydra-queue-builder hydra -"
-    ];
-    nix.settings = {
-      allowed-users = [ "hydra-queue-builder" ];
-      experimental-features = [ "nix-command" ];
-      trusted-users = [ "hydra-queue-builder" ];
-    };
-
-    users = {
-      groups.hydra = { };
-      users.hydra-queue-builder = {
-        group = "hydra";
-        isSystemUser = true;
-      };
-    };
-  };
-}
diff --git a/non-critical-infra/modules/hydra-queue-runner-v2.nix b/non-critical-infra/modules/hydra-queue-runner-v2.nix
deleted file mode 100644
index de68c3d0..00000000
--- a/non-critical-infra/modules/hydra-queue-runner-v2.nix
+++ /dev/null
@@ -1,318 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  cfg = config.services.hydra-queue-runner-v2;
-
-  format = pkgs.formats.toml { };
-in
-{
-  options = {
-    services.hydra-queue-runner-v2 = {
-      enable = lib.mkEnableOption "QueueRunner";
-
-      settings = lib.mkOption {
-        description = "Reloadable settings for queue runner";
-        type = lib.types.submodule {
-          options = {
-            hydraDataDir = lib.mkOption {
-              description = "Hydra data directory";
-              type = lib.types.path;
-              default = "/var/lib/hydra";
-            };
-            dbUrl = lib.mkOption {
-              description = "Postgresql database url";
-              type = lib.types.singleLineStr;
-              default = "postgres://hydra@%2Frun%2Fpostgresql:5432/hydra";
-            };
-            maxDbConnections = lib.mkOption {
-              description = "Postgresql maximum db connections";
-              type = lib.types.ints.positive;
-              default = 128;
-            };
-            machineSortFn = lib.mkOption {
-              description = "Function name for sorting machines";
-              type = lib.types.enum [
-                "SpeedFactorOnly"
-                "CpuCoreCountWithSpeedFactor"
-                "BogomipsWithSpeedFactor"
-              ];
-              default = "SpeedFactorOnly";
-            };
-            machineFreeFn = lib.mkOption {
-              description = "Function name for determining \"idle\" machines";
-              type = lib.types.enum [
-                "Dynamic"
-                "DynamicWithMaxJobLimit"
-                "Static"
-              ];
-              default = "Static";
-            };
-            dispatchTriggerTimerInS = lib.mkOption {
-              description = "Timer for triggering dispatch in an interval in seconds. Setting this to a value <= 0 will disable this timer and only trigger the dispatcher if queue changes happend.";
-              type = lib.types.int;
-              default = 120;
-            };
-            queueTriggerTimerInS = lib.mkOption {
-              description = "Timer for triggering queue in an interval in seconds. Setting this to a value <= 0 will disable this timer and only trigger via pg notifications.";
-              type = lib.types.int;
-              default = -1;
-            };
-            remoteStoreAddr = lib.mkOption {
-              description = "Remote store address";
-              type = lib.types.listOf lib.types.singleLineStr;
-              default = [ ];
-            };
-            useSubstitutes = lib.mkOption {
-              description = "Use substitution for paths";
-              type = lib.types.bool;
-              default = false;
-            };
-            rootsDir = lib.mkOption {
-              description = "Gcroots directory, defaults to /nix/var/nix/gcroots/per-user/$LOGNAME/hydra-roots";
-              type = lib.types.nullOr lib.types.path;
-              default = null;
-            };
-            maxRetries = lib.mkOption {
-              description = "Number of maximum amount of retries for a build step.";
-              type = lib.types.ints.positive;
-              default = 5;
-            };
-            retryInterval = lib.mkOption {
-              description = "Interval in which retires should be able to be attempted again.";
-              type = lib.types.ints.positive;
-              default = 60;
-            };
-            retryBackoff = lib.mkOption {
-              description = "Additional backoff on top of the retry interval.";
-              type = lib.types.float;
-              default = 3.0;
-            };
-            maxUnsupportedTimeInS = lib.mkOption {
-              description = "Time until unsupported steps are aborted.";
-              type = lib.types.ints.unsigned;
-              default = 120;
-            };
-            stopQueueRunAfterInS = lib.mkOption {
-              description = "Seconds after which the queue run should be interupted early. Setting this to a value <= 0 will disable this feature and the queue run will never exit early.";
-              type = lib.types.int;
-              default = 60;
-            };
-            maxConcurrentDownloads = lib.mkOption {
-              description = "Max count of concurrent downloads per build. Increasing this will increase memory usage of the queue runner.";
-              type = lib.types.ints.positive;
-              default = 5;
-            };
-            concurrentUploadLimit = lib.mkOption {
-              description = "Concurrent limit for uploading to s3.";
-              type = lib.types.ints.positive;
-              default = 5;
-            };
-            tokenListPath = lib.mkOption {
-              description = "Path to a list of allowed authentication tokens.";
-              type = lib.types.nullOr lib.types.path;
-              default = null;
-            };
-          };
-        };
-        default = { };
-      };
-
-      grpc = lib.mkOption {
-        description = "grpc options";
-        default = { };
-        type = lib.types.submodule {
-          options = {
-            address = lib.mkOption {
-              type = lib.types.singleLineStr;
-              default = "[::1]";
-              description = "The IP address the grpc listener should bound to";
-            };
-
-            port = lib.mkOption {
-              description = "Which grpc port this app should listen on";
-              type = lib.types.port;
-              default = 50051;
-            };
-          };
-        };
-      };
-
-      rest = lib.mkOption {
-        description = "rest options";
-        default = { };
-        type = lib.types.submodule {
-          options = {
-            address = lib.mkOption {
-              type = lib.types.singleLineStr;
-              default = "[::1]";
-              description = "The IP address the rest listener should bound to";
-            };
-
-            port = lib.mkOption {
-              description = "Which rest port this app should listen on";
-              type = lib.types.port;
-              default = 8080;
-            };
-          };
-        };
-      };
-
-      mtls = lib.mkOption {
-        description = "mtls options";
-        default = null;
-        type = lib.types.nullOr (
-          lib.types.submodule {
-            options = {
-              serverCertPath = lib.mkOption {
-                description = "Server certificate path";
-                type = lib.types.path;
-              };
-              serverKeyPath = lib.mkOption {
-                description = "Server key path";
-                type = lib.types.path;
-              };
-              clientCaCertPath = lib.mkOption {
-                description = "Client ca certificate path";
-                type = lib.types.path;
-              };
-            };
-          }
-        );
-      };
-      package = lib.mkOption {
-        type = lib.types.package;
-        default = (lib.recurseIntoAttrs (pkgs.callPackage ../packages/hydra-queue-runner { })).runner;
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    systemd.services.hydra-queue-runner-v2 = {
-      description = "hydra queue-runner-v2 main service";
-
-      requires = [ "nix-daemon.socket" ];
-      after = [
-        "network.target"
-        "postgresql.service"
-      ];
-      wantedBy = [ "multi-user.target" ];
-      reloadTriggers = [ config.environment.etc."hydra/queue-runner.toml".source ];
-
-      environment = {
-        NIX_REMOTE = "daemon";
-        LIBEV_FLAGS = "4"; # go ahead and mandate epoll(2)
-        RUST_BACKTRACE = "1";
-
-        # Note: it's important to set this for nix-store, because it wants to use
-        # $HOME in order to use a temporary cache dir. bizarre failures will occur
-        # otherwise
-        HOME = "/var/lib/hydra/queue-runner";
-      };
-
-      restartIfChanged = false;
-      serviceConfig = {
-        Type = "notify";
-        Restart = "always";
-        RestartSec = "5s";
-
-        ExecStart = lib.escapeShellArgs (
-          [
-            (lib.getExe cfg.package)
-            "--rest-bind"
-            "${cfg.rest.address}:${toString cfg.rest.port}"
-            "--grpc-bind"
-            "${cfg.grpc.address}:${toString cfg.grpc.port}"
-            "--config-path"
-            "/etc/hydra/queue-runner.toml"
-          ]
-          ++ lib.optionals (cfg.mtls != null) [
-            "--server-cert-path"
-            cfg.mtls.serverCertPath
-            "--server-key-path"
-            cfg.mtls.serverKeyPath
-            "--client-ca-cert-path"
-            cfg.mtls.clientCaCertPath
-          ]
-        );
-        ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
-
-        User = "hydra-queue-runner";
-        Group = "hydra";
-
-        StateDirectory = [ "hydra/queue-runner" ];
-        StateDirectoryMode = "0700";
-        ReadWritePaths = [
-          "/nix/var/nix/gcroots/"
-          "/run/postgresql/.s.PGSQL.${toString config.services.postgresql.settings.port}"
-          "/nix/var/nix/daemon-socket/socket"
-          "/var/lib/hydra/build-logs/"
-        ];
-        ReadOnlyPaths = [ "/nix/" ];
-        WorkingDirectory = "/var/lib/hydra/queue-runner";
-
-        PrivateNetwork = false;
-        SystemCallFilter = [
-          "@system-service"
-          "~@privileged"
-          "~@resources"
-        ];
-        ManagedOOMPreference = "avoid";
-        LimitNOFILE = 65536;
-
-        ProtectSystem = "strict";
-        ProtectHome = true;
-        PrivateTmp = true;
-        PrivateDevices = true;
-        ProtectKernelTunables = true;
-        ProtectControlGroups = true;
-        RestrictSUIDSGID = true;
-        PrivateMounts = true;
-        RemoveIPC = true;
-        UMask = "0022";
-
-        CapabilityBoundingSet = "";
-        NoNewPrivileges = true;
-
-        ProtectKernelModules = true;
-        SystemCallArchitectures = "native";
-        ProtectKernelLogs = true;
-        ProtectClock = true;
-
-        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
-
-        LockPersonality = true;
-        ProtectHostname = true;
-        RestrictRealtime = true;
-        MemoryDenyWriteExecute = true;
-        PrivateUsers = true;
-        RestrictNamespaces = true;
-      };
-    };
-
-    environment.etc."hydra/queue-runner.toml".source = format.generate "queue-runner.toml" (
-      lib.filterAttrsRecursive (_: v: v != null) cfg.settings
-    );
-    systemd.tmpfiles.rules = [
-      "d /nix/var/nix/gcroots/per-user/hydra-queue-runner 0755 hydra-queue-runner hydra -"
-      "d /var/lib/hydra/build-logs/ 0755 hydra-queue-runner hydra -"
-    ];
-
-    nix.settings = {
-      allowed-users = [ "hydra-queue-runner" ];
-      experimental-features = [ "nix-command" ];
-      trusted-users = [ "hydra-queue-runner" ];
-    };
-
-    users = {
-      groups.hydra = { };
-      users.hydra-queue-runner = {
-        group = "hydra";
-        isSystemUser = true;
-      };
-    };
-  };
-}
diff --git a/non-critical-infra/packages/hydra-queue-runner/default.nix b/non-critical-infra/packages/hydra-queue-runner/default.nix
deleted file mode 100644
index e83ab5fe..00000000
--- a/non-critical-infra/packages/hydra-queue-runner/default.nix
+++ /dev/null
@@ -1,102 +0,0 @@
-{
-  rustPackages_1_91,
-  fetchFromGitHub,
-  pkg-config,
-  openssl,
-  zlib,
-  protobuf,
-  lib,
-  makeWrapper,
-  nixVersions,
-  nlohmann_json,
-  libsodium,
-  boost,
-  withOtel ? false,
-}:
-let
-  version = "unstable-2025-11-27";
-  src = fetchFromGitHub {
-    owner = "helsinki-systems";
-    repo = "hydra-queue-runner";
-    rev = "8266ce9818393ee9d0fe3ffd7bcde3eb09c2221f";
-    hash = "sha256-tC4s+opt4BpN0qFx96AXhtUEJj8T7J5C68Hjj2OEetM=";
-  };
-  cargoHash = "sha256-49p2mC0DmsdgWdj4mWZf7SZj4Gd9eQFqTGRDzvMYSQM=";
-  nativeBuildInputs = [
-    pkg-config
-    protobuf
-    makeWrapper
-  ];
-  buildInputs = [
-    openssl
-    zlib
-    protobuf
-
-    nixVersions.nix_2_32
-    nlohmann_json
-    libsodium
-    boost
-  ];
-  meta = {
-    description = "Hydra Queue-Runner implemented in rust";
-    homepage = "https://github.com/helsinki-systems/hydra-queue-runner";
-    license = [ lib.licenses.gpl3 ];
-    maintainers = [ lib.maintainers.conni2461 ];
-    platforms = lib.platforms.all;
-  };
-in
-{
-  runner = rustPackages_1_91.rustPlatform.buildRustPackage {
-    pname = "hydra-queue-runner";
-    inherit version src;
-    __structuredAttrs = true;
-    strictDeps = true;
-
-    inherit
-      cargoHash
-      nativeBuildInputs
-      buildInputs
-      ;
-
-    buildAndTestSubdir = "queue-runner";
-    buildFeatures = lib.optional withOtel "otel";
-    doCheck = false;
-
-    postInstall = ''
-      wrapProgram $out/bin/queue-runner \
-        --prefix PATH : ${lib.makeBinPath [ nixVersions.nix_2_32 ]} \
-        --set-default JEMALLOC_SYS_WITH_MALLOC_CONF "background_thread:true,narenas:1,tcache:false,dirty_decay_ms:0,muzzy_decay_ms:0,abort_conf:true"
-    '';
-
-    meta = meta // {
-      mainProgram = "queue-runner";
-    };
-  };
-
-  builder = rustPackages_1_91.rustPlatform.buildRustPackage {
-    pname = "hydra-queue-builder";
-    inherit src version;
-    __structuredAttrs = true;
-    strictDeps = true;
-
-    inherit
-      cargoHash
-      nativeBuildInputs
-      buildInputs
-      ;
-
-    buildAndTestSubdir = "builder";
-    buildFeatures = lib.optional withOtel "otel";
-    doCheck = false;
-
-    postInstall = ''
-      wrapProgram $out/bin/builder \
-        --prefix PATH : ${lib.makeBinPath [ nixVersions.nix_2_32 ]} \
-        --set-default JEMALLOC_SYS_WITH_MALLOC_CONF "background_thread:true,narenas:1,tcache:false,dirty_decay_ms:0,muzzy_decay_ms:0,abort_conf:true"
-    '';
-
-    meta = meta // {
-      mainProgram = "builder";
-    };
-  };
-}
diff --git a/ssh-keys.nix b/ssh-keys.nix
index c715ca27..6280f255 100644
--- a/ssh-keys.nix
+++ b/ssh-keys.nix
@@ -30,9 +30,25 @@ rec {
   infra = infra-core ++ [ jfly ];
 
   machines = {
+    # build/
     haumea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBamzRwZmoLjBFoNruGSVJEahk02Ku7NrBOmqcRWxcPm";
     pluto = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPzc6B1S4mp3T3oWZnqQDkDVWFBIzLtkgkdgstfYZ5d/";
     mimas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICzfTNppOS5b5IvZl1wqjGTUZE0D/o/MY8d7uKPWDvIp";
     titan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDgz6s5Yho6/bjvrRDuJ2IewAZQaevAMOeMjVjMaw5e+";
+
+    # builders/
+    elated-minsky = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIvrJpd3aynfPVGGG/s7MtRFz/S6M4dtqvqKI3Da7O7+";
+    goofy-hopcroft = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICTJEi+nQNd7hzNYN3cLBK/0JCkmwmyC1I+b5nMI7+dd";
+    hopeful-rivest = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgjwpQaNAWdEdnk1YG7JWThM4xQdKNJ3h3arhF7+iFm";
+    sleepy-brown = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOh4/3m7o6H3J5QG711aJdlSUVvlC8yW6KoqAES3Fy6I";
+
+    # macs/
+    eager-heisenberg = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBp9NStfEPu7HdeK8f2KEnynyirjG9BUk+6w2SgJtQyS";
+    enormous-catfish = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlg7NXxeG5L3s0YqSQIsqVG0MTyvyWDHUyYEfFPazLe";
+    growing-jennet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQGthkSSOnhxrIUCMlRQz8FOo5Y5Nk9f9WnVLNeRJpm";
+    intense-heron = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeSgOe/cr1yVAJOl30t3AZOLtvzeQa5rnrHGceKeBue";
+    kind-lumiere = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoqn1AAcOqtG65milpBtWVXP5VcBmTUSMGNfJzPwW8Q";
+    maximum-snail = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEs+fK4hH8UKo+Pa7u1VYltkMufBHHH5uC93RQ2S6Xy9";
+    sweeping-filly = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE6b/coXQEcFZW1eG4zFyCMCF0mZFahqmadz6Gk9DWMF";
   };
 }