diff --git a/hosts/by-name/servo/default.nix b/hosts/by-name/servo/default.nix
index d075e50b..f6f00113 100644
--- a/hosts/by-name/servo/default.nix
+++ b/hosts/by-name/servo/default.nix
@@ -22,6 +22,8 @@
   sane.services.wg-home.enable = true;
   sane.services.wg-home.enableWan = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
+  sane.services.nixcache.substituters.servo.enable = false;
+  sane.services.nixcache.substituters.desko.enable = false;
   # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
 
   # automatically log in at the virtual consoles.
diff --git a/hosts/modules/nixcache.nix b/hosts/modules/nixcache.nix
index 3080728d..5de8076b 100644
--- a/hosts/modules/nixcache.nix
+++ b/hosts/modules/nixcache.nix
@@ -25,16 +25,16 @@ in
       default = config.sane.nixcache.enable;
       type = types.bool;
     };
-    sane.nixcache.substituters = mkOption {
-      type = types.listOf types.str;
-      default =
-        # TODO: make these blacklisted entries injectable
-        (lib.optional (hostName != "servo") "https://nixcache.uninsane.org")
-        ++ (lib.optional (hostName != "servo" && hostName != "desko") "http://desko:5000")
-        ++ [
-          "https://nix-community.cachix.org"
-          "https://cache.nixos.org/"
-        ];
+    sane.nixcache.substituters = let
+      subOpt = mkOption {
+        default = true;
+        type = types.bool;
+      };
+    in {
+      servo = subOpt;
+      desko = subOpt;
+      nixos = subOpt;
+      cachix = subOpt;
     };
   };
 
@@ -43,7 +43,12 @@ in
     # to explicitly build from a specific cache (in case others are down):
     # - `nixos-rebuild ... --option substituters https://cache.nixos.org`
     # - `nix build ... --substituters http://desko:5000`
-    nix.settings.substituters = mkIf cfg.enable cfg.substituters;
+    nix.settings.substituters = mkIf cfg.enable (lib.flatten [
+      (lib.optional cfg.substituters.servo  "https://nixcache.uninsane.org")
+      (lib.optional cfg.substituters.desko  "http://desko:5000")
+      (lib.optional cfg.substituters.nixos  "https://cache.nixos.org/")
+      (lib.optional cfg.substituters.cachix "https://nix-community.cachix.org")
+    ]);
     # always trust our keys (so one can explicitly use a substituter even if it's not the default
     nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
       "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="