diff --git a/features/harmonia/cache-builder.sh b/features/harmonia/cache-builder.sh
new file mode 100644
index 0000000..fd86c00
--- /dev/null
+++ b/features/harmonia/cache-builder.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -uo pipefail
+
+build() {
+ local name="$1" ref="$2" link="$3"
+ echo "building $name..." >&2
+ if nix build "$ref" --out-link "$link"; then
+ return 0
+ else
+ echo "FAILED: $name" >&2
+ return 1
+ fi
+}
+
+main() {
+ mkdir -p "$GC_ROOT_DIR"
+ local failed=0
+
+ for host in $HOSTS; do
+ build "$host" \
+ "$FLAKE_REF#nixosConfigurations.$host.config.system.build.toplevel" \
+ "$GC_ROOT_DIR/$host" || failed=1
+ done
+
+ build "ephvm-image" \
+ "$FLAKE_REF#nixosConfigurations.ephvm.config.system.build.images.qemu" \
+ "$GC_ROOT_DIR/ephvm-image" || failed=1
+
+ return $failed
+}
+
+main "$@"
diff --git a/features/harmonia/default.nix b/features/harmonia/default.nix
new file mode 100644
index 0000000..1bd571f
--- /dev/null
+++ b/features/harmonia/default.nix
@@ -0,0 +1,51 @@
+{
+ nixos =
+ {
+ pkgs,
+ config,
+ inputs,
+ ...
+ }:
+ let
+ hosts = [
+ "fw16"
+ "tower"
+ "cube"
+ "floo"
+ "ephvm"
+ ];
+ flakeRef = inputs.self.outPath;
+ in
+ {
+ services.harmonia = {
+ enable = true;
+ signKeyPaths = [ config.sops.secrets.nix-signing-key.path ];
+ };
+
+ networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 5000 ];
+
+ systemd.services.cache-builder = {
+ description = "Build all host closures for binary cache";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.bash}/bin/bash ${./cache-builder.sh}";
+ };
+ environment = {
+ FLAKE_REF = flakeRef;
+ HOSTS = builtins.concatStringsSep " " hosts;
+ GC_ROOT_DIR = "/nix/var/nix/gcroots/cache-builder";
+ };
+ path = [ config.nix.package ];
+ };
+
+ systemd.timers.cache-builder = {
+ description = "Periodically build all host closures";
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnUnitActiveSec = "15min";
+ OnBootSec = "5min";
+ Persistent = true;
+ };
+ };
+ };
+}
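Review bot: In features/harmonia/cache-builder.sh, `main` only ever adds out-links under `$GC_ROOT_DIR` and never removes one, so a host that is later dropped from `HOSTS` keeps its link and its closure stays pinned against garbage collection on the cache host. Consider pruning, after the loop, any link whose name is neither in `$HOSTS` nor `ephvm-image`. The header also deserves a comment saying why `-e` is absent, for example `# no -e on purpose: a failed host must not stop the remaining builds; main collects failures`. Without it, the unchecked `mkdir -p "$GC_ROOT_DIR"` reads like an oversight.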
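Review bot: In features/harmonia/default.nix, `systemd.services.cache-builder` sets no `User` and no sandboxing options, so the flake evaluation and every `nix build` in the script run as root on the host that also holds the cache signing key. A dedicated unprivileged user that builds through the Nix daemon, with `GC_ROOT_DIR` moved to a directory that user owns, would keep this job away from `config.sops.secrets.nix-signing-key.path`; whether the daemon's `allowed-users` permits that is not visible here. In the timer, `Persistent = true;` has no effect together with `OnBootSec`/`OnUnitActiveSec`, since systemd applies it only to `OnCalendar=` timers, so either drop it or switch to `OnCalendar`. Opening port 5000 on `tailscale0` lets every tailnet peer read the store paths harmonia serves, which as far as I know is the whole local store, so a comment should state that tailnet ACLs are the access control for this cache.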
diff --git a/flake/hosts.nix b/flake/hosts.nix index c811d34..9be5703 100644 --- a/flake/hosts.nix +++ b/flake/hosts.nix @@ -61,6 +61,7 @@ in "neovim" "dev" "claude" + "harmonia" ]; }; diff --git a/nix.nix b/nix.nix index 148835b..c2dff0d 100644 --- a/nix.nix +++ b/nix.nix @@ -7,8 +7,14 @@ ]; download-buffer-size = 2 * 1024 * 1024 * 1024; warn-dirty = false; + substituters = [ + "https://cache.nixos.org" + "https://nix-community.cachix.org?priority=45" + "http://tower:5000?priority=50" + ]; trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "matej.nix-1:TdbemLVYblvAxqJcwb3mVKmmr3cfzXbMcZHE5ILnZDE=" ]; };
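Review bot: The new substituter `http://tower:5000?priority=50` in nix.nix is plain HTTP to a bare hostname, so on a machine where the tailnet is down or `tower` resolves through another resolver, the request goes to whichever host answers to that name. Signature checking against `matej.nix-1` still protects the content as long as `require-sigs` is left at its default, but the responder sees which store paths are requested and can stall substitution. Prefer the host's tailnet FQDN, e.g. `"http://tower.<tailnet-name>.ts.net:5000?priority=50"` (placeholder name), and consider setting `connect-timeout` so an unreachable cache fails fast. The enclosing settings block starts above this hunk, so any existing `require-sigs` or `fallback` setting is not visible here.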