diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index c0891a5..6d5814f 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -18,3 +18,50 @@ jobs:
 run: nix flake check
 env:
 NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
+
+ build-and-cache:
+ runs-on: ubuntu-latest
+ needs: check
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+ strategy:
+ fail-fast: false
+ matrix:
+ machine:
+ - nix-book
+ - boxy
+ - zix790prors
+ - nix-deck
+ - john-endesktop
+ - live-usb
+ steps:
+ - uses: actions/checkout@v6
+
+ - uses: https://git.johnogle.info/johno/gitea-actions/nix-setup@v1
+
+ - name: Build ${{ matrix.machine }}
+ id: build
+ run: |
+ OUT_PATH=$(nix build .#nixosConfigurations.${{ matrix.machine }}.config.system.build.toplevel --no-link --print-out-paths)
+ echo "out_path=$OUT_PATH" >> "$GITHUB_OUTPUT"
+ env:
+ NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
+
+ - name: Sign and push to cache
+ run: |
+ # Write signing key
+ echo "${{ secrets.NIX_SIGNING_KEY }}" > /tmp/signing-key
+ chmod 600 /tmp/signing-key
+
+ # Sign the closure
+ nix store sign --key-file /tmp/signing-key -r "${{ steps.build.outputs.out_path }}"
+
+ # Setup SSH key for cache push
+ mkdir -p ~/.ssh
+ echo "${{ secrets.CACHE_SSH_KEY }}" > ~/.ssh/cache_key
+ chmod 600 ~/.ssh/cache_key
+ ssh-keyscan -H ${{ secrets.CACHE_HOST }} >> ~/.ssh/known_hosts 2>/dev/null || true
+
+ # Push to cache
+ nix copy --to "ssh-ng://${{ secrets.CACHE_USER }}@${{ secrets.CACHE_HOST }}?ssh-key=$HOME/.ssh/cache_key" "${{ steps.build.outputs.out_path }}"
+ env:
+ NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
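Review bot: The "Sign and push to cache" step expands `${{ secrets.NIX_SIGNING_KEY }}`, `${{ secrets.CACHE_SSH_KEY }}`, `${{ secrets.CACHE_USER }}` and `${{ secrets.CACHE_HOST }}` directly into the script text, so a value containing a quote, `$` or newline breaks the shell and can surface in the failure log, and `echo` on a `sh`-style shell may rewrite backslash sequences in key material; pass them through the step's `env:` and write them with `printf '%s\n' "$VAR"` instead. The `ssh-keyscan … 2>/dev/null || true` line accepts whatever host key answers at run time and hides a failed scan, which gives up the host-key check that is the only thing authenticating the cache server on the `nix copy` line; keep the server's public key in a repository secret or variable (`CACHE_HOST_KEY` below is a placeholder name) and append that to `known_hosts`. The signing key in `/tmp` and the SSH key in `~/.ssh` are also left on disk after the step, which matters if the runner is not ephemeral; a `mktemp -d` directory removed by an `EXIT` trap cleans up on both the success and failure paths. The `${{ matrix.machine }}` interpolation in the build step comes from the literal matrix in this file, so it is not an input-injection path.
```yaml
      - name: Sign and push to cache
        env:
          NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
          NIX_SIGNING_KEY: ${{ secrets.NIX_SIGNING_KEY }}
          CACHE_SSH_KEY: ${{ secrets.CACHE_SSH_KEY }}
          CACHE_USER: ${{ secrets.CACHE_USER }}
          CACHE_HOST: ${{ secrets.CACHE_HOST }}
          # placeholder secret: the cache host's public key as one known_hosts line
          CACHE_HOST_KEY: ${{ secrets.CACHE_HOST_KEY }}
          OUT_PATH: ${{ steps.build.outputs.out_path }}
        run: |
          set -euo pipefail
          KEY_DIR=$(mktemp -d)
          trap 'rm -rf "$KEY_DIR"' EXIT
          printf '%s\n' "$NIX_SIGNING_KEY" > "$KEY_DIR/signing-key"
          printf '%s\n' "$CACHE_SSH_KEY" > "$KEY_DIR/cache_key"
          chmod 600 "$KEY_DIR"/*
          mkdir -p ~/.ssh
          printf '%s\n' "$CACHE_HOST_KEY" >> ~/.ssh/known_hosts
          nix store sign --key-file "$KEY_DIR/signing-key" -r "$OUT_PATH"
          nix copy --to "ssh-ng://$CACHE_USER@$CACHE_HOST?ssh-key=$KEY_DIR/cache_key" "$OUT_PATH"
```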