diff --git a/helpers/universal/nix-cache.nix b/helpers/universal/nix-cache.nix
new file mode 100644
index 00000000..95c7a128
--- /dev/null
+++ b/helpers/universal/nix-cache.nix
@@ -0,0 +1,15 @@
+{ ... }:
+ {
+ # use our own binary cache
+ nix.settings = {
+ substituters = [
+ "https://nixcache.uninsane.org"
+ "https://nix-community.cachix.org"
+ "https://cache.nixos.org/"
+ ];
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+ }
diff --git a/machines/uninsane/default.nix b/machines/uninsane/default.nix
index cd582037..7158c823 100644
--- a/machines/uninsane/default.nix
+++ b/machines/uninsane/default.nix
@@ -14,6 +14,7 @@
 ./services/jellyfin.nix
 ./services/matrix.nix
 ./services/nginx.nix
+ ./services/nix-serve.nix
 ./services/pleroma.nix
 ./services/postfix.nix
 ./services/postgres.nix
diff --git a/machines/uninsane/services/nginx.nix b/machines/uninsane/services/nginx.nix
index a939c016..cc2b8a19 100644
--- a/machines/uninsane/services/nginx.nix
+++ b/machines/uninsane/services/nginx.nix
@@ -1,5 +1,5 @@
 # docs: https://nixos.wiki/wiki/Nginx
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:

 {
 services.nginx.enable = true;
@@ -220,6 +220,17 @@
 forceSSL = true;
 enableACME = true;
 };
+ services.nginx.virtualHosts."nixcache.uninsane.org" = {
+ addSSL = true;
+ enableACME = true;
+ # serverAliases = [ "nixcache" ];
+ locations."/".extraConfig = ''
+ proxy_pass http://localhost:${toString config.services.nix-serve.port};
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };

 security.acme.acceptTerms = true;
 security.acme.email = "acme@uninsane.org";
diff --git a/machines/uninsane/services/nix-serve.nix b/machines/uninsane/services/nix-serve.nix
new file mode 100644
index 00000000..49ee6e35
--- /dev/null
+++ b/machines/uninsane/services/nix-serve.nix
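Review bot: `trusted-public-keys` in the new helpers/universal/nix-cache.nix carries only the nix-community key, so narinfo signatures from `https://nixcache.uninsane.org` can never verify against a trusted key and Nix will decline to substitute from the cache this commit sets up; as far as I recall the NixOS module writes this list into nix.conf verbatim rather than merging it with the default, which also drops the `cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=` key unless another module re-adds it. The public half of the pair produced by the `nix-store --generate-binary-cache-key nixcache.uninsane.org ...` command documented in the secrets/default.nix hunk (cache-pub-key.pem) is what belongs here, e.g. `"nixcache.uninsane.org:<PUBLIC-KEY-PLACEHOLDER>"` alongside the cache.nixos.org key. Because this helper lives under helpers/universal it is also imported on the uninsane host itself, which then lists itself as its first substituter; that is harmless but deserves a one-line comment.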
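Review bot: The new `nixcache.uninsane.org` virtual host in nginx.nix uses `addSSL = true` while the vhost immediately above it in the same hunk uses `forceSSL = true`, so the cache remains served over plain HTTP as well as TLS. The only consumer this commit configures (the substituter in helpers/universal/nix-cache.nix) uses an https URL, so nothing needs the cleartext listener; `forceSSL = true;` keeps the two vhosts consistent and removes the downgrade path. The `# serverAliases = [ "nixcache" ];` line is dead configuration — either drop it or say in the comment why it is kept. The enclosing module attribute set begins before the hunk.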
@@ -0,0 +1,12 @@
+# docs: https://nixos.wiki/wiki/Binary_Cache
+# to copy something to this machine's nix cache, do:
+# nix copy --to ssh://nixcache.uninsane.org PACKAGE
+{ secrets, ... }:
+
+ {
+ services.nix-serve = {
+ enable = true;
+ secretKeyFile = builtins.toFile "nix-serve-priv-key.pem" secrets.nix-serve.cache-priv-key;
+ # "/var/cache-priv-key.pem";
+ };
+ }
diff --git a/secrets/default.nix b/secrets/default.nix
index 6fe18f81..273a82a7 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -29,4 +29,7 @@
 # use nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "my passwd" to generate the password
 dovecot.hashedPasswd.colin = "";
 dovecot.hashedPasswd.matrix-synapse = "";
+
+ # generate with nix-store --generate-binary-cache-key nixcache.uninsane.org cache-priv-key.pem cache-pub-key.pem
+ nix-serve.cache-priv-key = "";
 } // import ./local.nix
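Review bot: `secretKeyFile = builtins.toFile "nix-serve-priv-key.pem" secrets.nix-serve.cache-priv-key` in the new nix-serve.nix places the cache's private signing key in the Nix store, which is world-readable on the host and becomes part of the system closure, so any local user (and any host the closure is copied to) can read the key that signs every path this cache serves. The commented-out `# "/var/cache-priv-key.pem";` is the right direction: point `secretKeyFile = "/var/cache-priv-key.pem";` at a root-owned, mode-0400 file deployed outside the store and keep the PEM text out of the evaluated expression altogether, which also makes the `nix-serve.cache-priv-key = "";` entry added in the secrets/default.nix hunk unnecessary. Separately, as far as I recall `services.nix-serve.bindAddress` does not default to loopback, so unless the firewall closes the port the backend is reachable directly and bypasses the nginx TLS front end; `bindAddress = "127.0.0.1";` makes nginx the only entry point — confirm the module default for the pinned nixpkgs.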