diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
new file mode 100644
index 0000000..5f88345
--- /dev/null
+++ b/.github/workflows/nix.yml
@@ -0,0 +1,15 @@
+name: "Nix"
+on:
+  push:
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: cachix/install-nix-action@v8
+    - uses: cachix/cachix-action@v5
+      with:
+        name: nix-community
+        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+        # Only needed for private caches
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
diff --git a/default.nix b/default.nix
new file mode 100644
index 0000000..e45e82f
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,14 @@
+# Add derivations to be built from the cache to this file
+{ system ? builtins.currentSystem }:
+let
+  pkgs = import ./nix { inherit system; };
+
+  importNixOS = configuration: system:
+    (import "${toString pkgs.path}/nixos") {
+      inherit configuration system;
+    };
+in
+  pkgs.nix-community-infra // rec {
+    build01 = importNixOS ./build01/configuration.nix "x86_64-linux";
+    build01-system = build01.system;
+  }
diff --git a/deploy b/deploy
index 166c41a..1dc047a 100755
--- a/deploy
+++ b/deploy
@@ -2,10 +2,17 @@
 #! nix-shell ./shell.nix -i bash
 set -euo pipefail
 
+options=(
+  --option extra-substituters "https://nix-community.cachix.org"
+  --option binary-cache-public-keys "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+)
+
 mkdir -p state
 
 if [ $(nixops list --state "$NIXOPS_STATE" | grep -c "$NIXOPS_DEPLOYMENT") -eq 0 ]; then
-  nixops create ./deployment.nix --deployment "$NIXOPS_DEPLOYMENT" --state "$NIXOPS_STATE"
+  nixops create ./deployment.nix \
+    "${options[@]}" \
+    --deployment "$NIXOPS_DEPLOYMENT" --state "$NIXOPS_STATE"
 fi
 
-nixops deploy "$@"
+nixops deploy "${options[@]}" "$@"
diff --git a/nix/default.nix b/nix/default.nix
new file mode 100644
index 0000000..27f9eeb
--- /dev/null
+++ b/nix/default.nix
@@ -0,0 +1,11 @@
+{ system ? builtins.currentSystem }:
+let
+  sources = import ./sources.nix;
+
+  pkgs = import sources.nixpkgs {
+    inherit system;
+    config = {};
+    overlays = [ (import ./overlay.nix) ];
+  };
+in
+  pkgs
diff --git a/nix/overlay.nix b/nix/overlay.nix
new file mode 100644
index 0000000..3502192
--- /dev/null
+++ b/nix/overlay.nix
@@ -0,0 +1,21 @@
+let
+  nix-community-infra = pkgs: {
+    inherit (pkgs)
+      git-crypt
+      niv
+      nixops
+      ;
+
+    terraform = pkgs.terraform.withPlugins (
+      p: [
+        p.cloudflare
+      ]
+    );
+  };
+
+  overlay = self: super: {
+    sources = import ./sources.nix;
+    nix-community-infra = nix-community-infra super;
+  };
+in
+  overlay
diff --git a/profiles/common.nix b/profiles/common.nix
index e34990c..81c2480 100644
--- a/profiles/common.nix
+++ b/profiles/common.nix
@@ -19,10 +19,16 @@
   # Entropy gathering daemon
   services.haveged.enable = true;
 
-  nix = let
-    asGB = size: toString (size * 1024 * 1024);
-  in
+  nix =
+    let asGB = size: toString (size * 1024 * 1024); in
     {
+      binaryCachePublicKeys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+      binaryCaches = [
+        "https://nix-community.cachix.org"
+      ];
+
       extraOptions = ''
         # auto-free the /nix/store
         min-free = ${asGB 10}
diff --git a/shell.nix b/shell.nix
index 5caa1f2..e13b453 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,11 +1,6 @@
+{ system ? builtins.currentSystem }:
 let
-  sources = import ./nix/sources.nix;
-
-  pkgs = import sources.nixpkgs {
-    config = {};
-    overlays = [];
-  };
-
+  pkgs = import ./nix { inherit system; };
 in
 pkgs.mkShell {
 
@@ -14,17 +9,11 @@ pkgs.mkShell {
   NIXOPS_DEPLOYMENT = "nix-community-infra";
   NIXOPS_STATE = toString ./state/deployment-state.nixops;
 
-  buildInputs = [
-    pkgs.git-crypt
-    pkgs.niv
-    pkgs.nixops
-    (
-      pkgs.terraform.withPlugins (
-        p: [
-          p.cloudflare
-        ]
-      )
-    )
+  buildInputs = with pkgs.nix-community-infra; [
+    git-crypt
+    niv
+    nixops
+    terraform
   ];
 
   # terraform cloud without the remote execution part