diff --git a/.gitignore b/.gitignore
index 844de83..58bf904 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@
 !hosts/
 
 !hosts/best/
+!hosts/best/nix-serve/
 
 !hosts/cube/
 !hosts/cube/matrix/
diff --git a/flake.nix b/flake.nix
index 52b7c2e..09050c6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,6 +5,7 @@
     extra-substituters = [
       "https://cache.garnix.io/"
       "https://cache.privatevoid.net"
+      "https://cache.rgbcu.be/"
       "https://hyprland.cachix.org/"
       "https://nix-community.cachix.org/"
     ];
@@ -12,6 +13,7 @@
     extra-trusted-public-keys = [
       "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
       "cache.privatevoid.net:SErQ8bvNWANeAvtsOESUwVYr2VJynfuc9JRwlzTTkVg="
+      "cache.rgbcu.be:nBN/5Qg5E8GIYwaoslm9DYo2zeqlBiCVNCPf17djr+w="
       "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
       "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
     ];
diff --git a/hosts/best/nix-serve/default.nix b/hosts/best/nix-serve/default.nix
new file mode 100644
index 0000000..8288029
--- /dev/null
+++ b/hosts/best/nix-serve/default.nix
@@ -0,0 +1,27 @@
+{ self, config, lib, pkgs, ... }: let
+  inherit (config.networking) domain;
+  inherit (lib) enabled merge;
+
+  fqdn = "cache.${domain}";
+  port = 8003;
+in {
+  imports = [(self + /modules/nginx.nix)];
+
+  secrets.nixServeKey = {
+    file  = ./key.age;
+    owner = "nix-serve";
+  };
+
+  services.nix-serve = enabled {
+    package       = pkgs.nix-serve-ng;
+    secretKeyFile = config.secrets.nixServeKey.path;
+
+    # Not ::1 because nix-serve doesn't like that.
+    bindAddress = "127.0.0.1";
+    inherit port;
+  };
+
+  services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
+    locations."/".proxyPass = "http://127.0.0.1:${toString port}";
+  };
+}
diff --git a/hosts/best/nix-serve/key.age b/hosts/best/nix-serve/key.age
new file mode 100644
index 0000000..478b5c6
--- /dev/null
+++ b/hosts/best/nix-serve/key.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 8y3T6w +fPOWUbuD+JGfimuJnNa0wBpQyxC2nXGLGFdxAhfwns
+bonLQGaN8rp0KmZHW9efsPyCQ8eujuxEB9p7Ewdp4Bo
+-> ssh-ed25519 CzqbPQ 91liBCRmtq4YGG8Zz6+ObSEDlGVmA8Jn+NPQzTLQoGY
+Gurxg2Tp1sdpz7xESiZCVw5BAuMI5vYH/UtdrFH9vd0
+--- MJVivHhiqkVMke+mib2EZiFeZFX/BnFuEUctH+fdwd4
+8k
+Ôh}p©®lðz¾!I{­xÃz@SíZy/‘ôC3JÞQ:t¯ñ»NS&CXw·`%ÕûE	{£f'Oä<Äq‹ï\‚;yù‚Sï“¨—AöùÒ!‚Û_Ù<pñJ „@#‰Û·É(Õ63(«/G·ØgãIvÄ%ýºœ†
\ No newline at end of file
diff --git a/secrets.nix b/secrets.nix
index 28e78f5..491a228 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -2,26 +2,30 @@ let
   inherit (import ./keys.nix) best cube disk nine admins all;
 in {
   # best
-  "hosts/best/id.age".publicKeys           = [ best ] ++ admins;
-  "hosts/best/password.the.age".publicKeys = [ best ] ++ admins;
+  "hosts/best/id.age".publicKeys            = [ best ] ++ admins;
+  "hosts/best/password.the.age".publicKeys  = [ best ] ++ admins;
+
+  "hosts/best/nix-serve/key.age".publicKeys = [ best ] ++ admins;
 
   # cube
+  "hosts/cube/id.age".publicKeys                      = [ cube ] ++ admins;
+  "hosts/cube/password.rgb.age".publicKeys            = [ cube ] ++ admins;
+
   "hosts/cube/forgejo/password.runner.age".publicKeys = [ cube ] ++ admins;
   "hosts/cube/grafana/password.age".publicKeys        = [ cube ] ++ admins;
-  "hosts/cube/id.age".publicKeys                      = [ cube ] ++ admins;
   "hosts/cube/matrix/password.secret.age".publicKeys  = [ cube ] ++ admins;
   "hosts/cube/nextcloud/password.age".publicKeys      = [ cube ] ++ admins;
-  "hosts/cube/password.rgb.age".publicKeys            = [ cube ] ++ admins;
 
   # disk
   "hosts/disk/id.age".publicKeys              = [ disk ] ++ admins;
   "hosts/disk/password.floppy.age".publicKeys = [ disk ] ++ admins;
 
   # nine
-  "hosts/nine/github2forgejo/environment.age".publicKeys = [ nine ] ++ admins;
   "hosts/nine/id.age".publicKeys                         = [ nine ] ++ admins;
   "hosts/nine/password.seven.age".publicKeys             = [ nine ] ++ admins;
 
+  "hosts/nine/github2forgejo/environment.age".publicKeys = [ nine ] ++ admins;
+
   # shared
   "modules/common/ssh/config.age".publicKeys     = all;
   "modules/linux/restic/password.age".publicKeys = all;