diff --git a/flake.nix b/flake.nix
index c235b69..65c381d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -150,6 +150,7 @@
 flake.nixosModules = {
 common = ./modules/nixos/common;
+ cachix-deploy = ./modules/nixos/cachix-deploy;
 community-builder = ./modules/nixos/community-builder;
 hercules-ci = ./modules/nixos/hercules-ci;
 hydra = ./modules/nixos/hydra.nix;
diff --git a/modules/nixos/cachix-deploy/default.nix b/modules/nixos/cachix-deploy/default.nix
new file mode 100644
index 0000000..20a481c
--- /dev/null
+++ b/modules/nixos/cachix-deploy/default.nix
@@ -0,0 +1,11 @@
+{ config, lib, ... }:
+{
+ sops.secrets.cachix-agent-token.sopsFile = ./secrets.yaml;
+
+ services.cachix-agent = {
+ enable = true;
+ credentialsFile = config.sops.secrets.cachix-agent-token.path;
+ };
+
+ system.autoUpgrade.enable = lib.mkForce false;
+}
diff --git a/modules/nixos/cachix-deploy/secrets.yaml b/modules/nixos/cachix-deploy/secrets.yaml
new file mode 100644
index 0000000..03cba83
--- /dev/null
+++ b/modules/nixos/cachix-deploy/secrets.yaml
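Review bot: In `modules/nixos/cachix-deploy/default.nix` the single `cachix-agent-token` read from `./secrets.yaml` is hard-coded for every host that imports the module, so all of them share one agent credential and a compromise of any one host means rotating it everywhere. If separate tokens per agent are available, a per-host `sopsFile` would narrow that; otherwise a comment such as `# shared agent token: rotate on any host compromise` above the `sops.secrets` line would record the constraint. In the same file, `system.autoUpgrade.enable = lib.mkForce false;` leaves the agent as the only update path shown here, so a stopped agent or a revoked token would presumably leave the host unpatched with no signal. A comment like `# upgrades are delivered by Cachix Deploy; alert if cachix-agent.service is down` would explain the override and name what has to be monitored.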
@@ -0,0 +1,93 @@ +cachix-agent-token: ENC[AES256_GCM,data:jqX0aET3/BpGiogJ8kmJ4fXhocdPIrZOFpzjf1ewAy23CR0xwPA12dIIKaRu90418qPRW5M8Cq/xzaSpkh3NThOlvT4RTQtP5UgCQt/rzvfzhMorq338fzv/cx+xSw/um0z0r5MqaLqGtOLbXeKDQvccXtJZuyyol1coBSwCfo0uBNLBiQzHshrLHxkjMLP4N488Hu7oVuCwp9ux6JISpj4tepccWehjgUoa,iv:omqsgGKITrAA6Y6wH1gEGM2bkWq40vhzzy1phE2ijkk=,tag:O6ip4qSmhBHPdzT7nHMU6A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17jtyn2y4fpey6q7ers9gtnh4580xj89zdjuew9nqhxywmsaw94fs5udupc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBab2Zzb2dmeFBvdi81VTg2 + NHlBQVlkYkZFTVVhQks5YnhFTXJFMjk0c21zCjlvOVVFRTZKQzBvc3dTL2JOQ2JJ + aTlrTVkwNnRSMWtmcEk3T2c2RndNU1UKLS0tIFBIWUhwK1E5WGUybXgzWWZwWmZD + NldGaUc1WCtFa3FxMlVFckRmNDZHTzQKNvUdXqY3cRmAZlW9AjjgiouRccFp42yx + nm//1njoCvdPAkw5LbINOetoisK3qNe2QcTYEu7pdyhsbRn188f0CA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1kh6yvgxz9ys74as7aufdy8je7gmqjtguhnjuxvj79qdjswk2r3xqxf2n6d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSjU3SHhHalk2ZVE1TkZD + RmRVUGdyb1h2VlIwQi9XVkYvTVRVZWFZUng0CloyZW1VTFZRTkFpYjlTSFFSVFhl + K0p3Vzh0T2N0TUhCQy9IVzZiUXNWUmMKLS0tIEs5TTg2YUN4SndzRy8yM21JMU55 + dytuV0xZRUUvaGR5YWdza3lRM1JSbEkKoMwb32NvO7hYSctoliXX/WOYHauiVb+w + U3XOu17kd6A4cCJfKTMBTPr/v81lcUvbtfHwrXsXYy6ImD3CZlC65g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWDgxTk9VTGhmckxZeWNP + K20zd3hDa3dwT0JOTnZDaHQzUkNBeFZ1VGtNCmxyaTArNzN1UzhjdUZCSnozSnVj + RXBDUzlFTmdvWUMrOHprNEtFSkltMHcKLS0tIGdUclROcE9wYlJrYVRCVlZlZGNk + T0VPcmRKKzhrYjdTTW9vU3AzMnkwc1kKsXjBdQToTIvt/0pCTNz+K2HdO/jZJhcB + aM7PnKW+3Ko5zjAhTyI53/80Zkfh/4v3lIh83vGmpZtkRk9WKyLb9A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj + enc: | + -----BEGIN 
AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZm5KQy9YRXhycnM2Rzhz + UDBvTDRYVGdCRXAxQXZZWnJBZ29Da3Nvc1YwCjQ5bHdrdUZDajNhaTE4K0FiTFBj + WnptTXBWc1lacEpldElQRmYwUkdSQUkKLS0tIFBtejgyUGN6bzlLQ09QbHN4Tyt3 + MzUxcytmY1JoaGxGS1ZTdjNjaXZxTEkK5TCBWPmLtxDKsBSOr2c92O4KnKZsXB3u + m+cBKctT8ZVr25dJ/TJNnesG2EXtkNHVCl/szVBYLRHBPpJ2RIJ7Yw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNXFHeEh5WEd4M3dSMWRn + aUNNL0J1cFYwZWt6OHVmTmlFNlVJNzJoL1ZBCkpsdHVnQlJTa0N2enpibWpKcUV4 + SENHUnMwUEdxZzd1WWU3UDZCSUorclkKLS0tIGRyTGEvNEcwTkJHYU5vMTFBeGs0 + ald4UFd0NXlDWXdRZnQyZjhyNjU2a1kKKUHRBKDA5HiqI0Rr1/MIPLZIDUJMyQG0 + bCNSg7QuFssNaIBfpxO5CEbrWvqL6W00jQi2uZQqlb+vRm4jJzAqLw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Qmh2Y3BMNndVWFd0cjFM + bjN1UXE3N3V4Qi8rMGRDMm9RNmdZQU15SGg4CnM2T1hWcVVEeFJ3aDUyYjBZYXZj + bkV6Rjc3Y1BleVdncXhqNjF1dTZkYnMKLS0tIDF5V0k0TU1GZ1JUeUdEVWxWbElU + VWVlV1k4SnpMU25DN01MNFpRdW1BQ1EKbnW8O2e0b+DA26QhiezmNf/Ut4x/CeGl + 42aaJfwC8dRJGM+GSy5ROWMdO1tPXFz9TT1Kd2gDNMvQLspAbE7Tow== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwMVdXWitXdUdvelVFQzc5 + cjJBMm8zNTRCTzRjNUlIK2dVYllxN0FBbkRZCjNOeTg2Mm8rVnU5ampNYjh2TTQ5 + NWhVUDRjWVhuL0VlWE1iaGpoVFNTOU0KLS0tIGI4QXgzQ1UxRmNpR2RDaGNSWFBK + b0hLT0pNNXVNemhRMlVTTGQxVDFlRG8KsPKQlOUZiJTHZxXcOHynjAeriqWg44Of + ALwKuh4wEnnsiuGrBYIQMMNyXHkUpF2puwEAGbi7DwyVjw60grd5NA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkd0kxMDRwbEwzYUlXRjV2 + d2l1T3EwS2F5T0V6R0lhS0M5OG5wY2J5Z0M4CmhSMzhaTTlNc1lJeEpnM3V1OUpk + MWU0cnUrR01wUS8zVG51QTI1ekg5MDAKLS0tIDkrVnBnSWViL0VNN2pBcTZ3blVI + RlNlcVBSZ2VsWnVRWW1DekQvZmVWY0kKJGw93A6HpFPqhpe6jwYJE+Cgxr7/KAdy + 9uE3iWCIzKc37ggSJ6w4Ei6GWjiFRsSkqW+CvtrQ2lPp6fGpKjM9gg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEaVgxR0ZHSGp2RVh0dTZ3 + RUNJV0NiZ2RCbjkydlRJU0tUdHVkVkxPSEhFClhUczVPcmx5NnlIY25tT0YwaFhW + YUZNUUdWRFJ5Z0diVUJsSmxoTjU2S1kKLS0tIGZZNGZyYy9LcXZFci9PazdWUlFn + MXVibEJhUmpYajJ6V0xyd2YxWXpFQmMK3pAgww2itIm3/xnoiO2zMmaUcfc2083Y + xuprImh/pfGOzNpR20wczrjuiPRVXvc83TR1SawWXsLgVwgF3k/VMg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-21T06:15:03Z" + mac: ENC[AES256_GCM,data:fL+CskuON7oZmfj+yWztmTt6bJVyGQDiDRgzKMotycvSQuY3WFiwwHBg1CXwykXyjjlvoX9vL2DJhBxL/+fc/GDcC+gDd1QtZqCJbppC2bk6OLYx8a2gCtd/ql+Ma6GY+JkcDApi8R2nr2+QK3jrOo1xXK18Mht6RdIjdPvOdP0=,iv:jD/4Jy4SVrFXENc+Zr7woPoW14Eij0ZEkSRRHVNt6vk=,tag:J3FSNztymCnGfb/aLYTsEA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3