diff --git a/.gitignore b/.gitignore
index 2a03358..55d9b90 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,8 +7,8 @@ !hosts/ !hosts/best/ +!hosts/best/cache/ !hosts/best/garage/ -!hosts/best/nix-serve/ !hosts/best/hercules/ !hosts/cube/
diff --git a/hosts/best/cache.nix b/hosts/best/cache.nix
deleted file mode 100644
index c35b74a..0000000
--- a/hosts/best/cache.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ self, config, lib, ... }: let
- inherit (config.networking) domain;
- inherit (lib) merge;
-
- fqdn = "cache.${domain}";
-in {
- imports = [(self + /modules/nginx.nix)];
-
- services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
- locations."/" = {
- extraConfig = /* nginx */ ''
- proxy_set_header Host "hercules.${config.services.garage.settings.s3_web.root_domain}";
- '';
-
- proxyPass = "http://${config.services.garage.settings.s3_web.bind_addr}";
- };
- };
-}
diff --git a/hosts/best/cache/default.nix b/hosts/best/cache/default.nix
new file mode 100644
index 0000000..54ba52b
--- /dev/null
+++ b/hosts/best/cache/default.nix
@@ -0,0 +1,43 @@
+{ self, config, lib, pkgs, ... }: let
+ inherit (config.networking) domain;
+ inherit (lib) enabled merge;
+
+ fqdn = "cache.${domain}";
+
+ portNixServe = 8006;
+in {
+ imports = [(self + /modules/nginx.nix)];
+
+ secrets.nixServeKey = {
+ file = ./key.age;
+ owner = "nix-serve";
+ };
+
+ services.nix-serve = enabled {
+ package = pkgs.nix-serve-ng;
+ secretKeyFile = config.secrets.nixServeKey.path;
+
+ # Not ::1 because nix-serve doesn't like that.
+ bindAddress = "127.0.0.1";
+ port = portNixServe;
+ };
+
+ services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
+ extraConfig = /* nginx */ ''
+ proxy_intercept_errors on;
+ error_page 404 = @fallback;
+ '';
+
+ locations."= /".return = "301 https://${domain}/404";
+
+ locations."/".proxyPass = "http://127.0.0.1:${toString portNixServe}";
+
+ locations."@fallback" = {
+ extraConfig = /* nginx */ ''
+ proxy_set_header Host "hercules.${config.services.garage.settings.s3_web.root_domain}";
+ '';
+
+ proxyPass = "http://${config.services.garage.settings.s3_web.bind_addr}";
+ };
+ };
+}
diff --git a/hosts/best/cache/key.age b/hosts/best/cache/key.age
new file mode 100644
index 0000000..b05a78e
Binary files /dev/null and b/hosts/best/cache/key.age differ
diff --git a/rebuild.nu b/rebuild.nu
index 7038a49..93e6d01 100755
--- a/rebuild.nu
+++ b/rebuild.nu
@@ -22,6 +22,10 @@ def main --wrapped [ } if $host != (hostname) { + ssh -q -tt $host $" + rm -rf ncc + " + git ls-files | sync --files-from - ./ ($host + ":ncc")
diff --git a/secrets.nix b/secrets.nix
index b57a206..63550be 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -5,6 +5,8 @@ in { "hosts/best/id.age".publicKeys = [ best ] ++ admins; "hosts/best/password.the.age".publicKeys = [ best ] ++ admins; + "hosts/best/cache/key.age".publicKeys = [ best ] ++ admins; + "hosts/best/garage/environment.age".publicKeys = [ best ] ++ admins; "hosts/best/hercules/caches.age".publicKeys = [ best ] ++ admins;
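Review bot: In hosts/best/cache/default.nix, `services.nix-serve` now publishes this host's whole Nix store under `cache.${domain}` and signs what it serves with `nixServeKey`, whereas the removed vhost only proxied the garage bucket; nothing in the hunk limits which store paths are served. Clients that trust this key therefore trust every path that lands in that store, and anything written to the store on this host becomes fetchable by whoever knows its hash. A comment above the block would record that, e.g. `# Serves and signs every path in this host's store; keep secrets out of the store.` Separately, `error_page 404 = @fallback;` only catches 404, so if nix-serve is down nginx will presumably answer 502 instead of falling back to garage; `error_page 404 502 504 = @fallback;` would keep the previous path available.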
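Review bot: The added `rm -rf ncc` in rebuild.nu names the remote checkout by a relative path, so what gets deleted depends on the directory the remote login shell starts in; it matches the sync target `($host + ":ncc")` only while both resolve against the same home directory. A one-line comment above the ssh call would make the intent and that assumption explicit, e.g. `# Wipe the remote checkout so files dropped from git do not linger; assumes the login directory is the home directory.`, if that is indeed the purpose. The `$"…"` string carries no interpolation, so a plain string would do. The body of `main` starts and ends outside the hunk, so whether a failed delete or sync stops the later steps cannot be judged from here.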