diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 8a735b120f6a89bcdbd2f7916cb42fdc052fbbf1..00e0d395369ccde37c7c67eecf205879d3950d4f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,15 +1,50 @@
 stages:
+  - prep
   - check
   - build
   - deploy
 
 variables:
   GIT_SUBMODULE_STRATEGY: recursive
+  CACHIX_CACHE_NAME: flow3r
+  BUILD_IMAGE_NAME: ${CI_REGISTRY_IMAGE}/flow3r-build:${CI_COMMIT_SHA}
 
 default:
-  # built via:
-  #     docker load < $(nix-build nix/docker-image.nix)
-  image: registry.k0.hswaw.net/q3k/flow3r-build:ymrsh8w1z9l89qvvksw52k7sl54lx73q
+  image: $BUILD_IMAGE_NAME
+
+.nix-build:
+  image: docker.nix-community.org/nixpkgs/nix-flakes
+  before_script:
+    - nix profile install .#cachix
+
+cache-devenv:
+  extends: .nix-build
+  stage: prep
+  script:
+    - set +e +o pipefail
+    - nix profile install .#jq
+    - |
+      nix flake archive --json \
+        | jq -r '.path,(.inputs|to_entries[].value.path)' \
+        | cachix push "$CACHIX_CACHE_NAME"
+    - nix develop -L --profile dev-profile -c true
+    - cachix push "$CACHIX_CACHE_NAME" dev-profile
+
+docker-image:
+  extends: .nix-build
+  stage: prep
+  needs: ["cache-devenv"]
+  script:
+    - set +e +o pipefail
+    - nix profile install .#skopeo .#jq
+    - |
+      nix build -L --json .#dockerImage \
+        | jq -r '.[].outputs | to_entries[].value' \
+        | cachix push "$CACHIX_CACHE_NAME"
+    - |
+      echo "${CI_REGISTRY_PASSWORD}" \
+        | skopeo login --username="${CI_REGISTRY_USER}" --password-stdin "${CI_REGISTRY}"
+    - skopeo copy --tmpdir /tmp --insecure-policy "docker-archive://${PWD}/result" "docker://${BUILD_IMAGE_NAME}"
 
 clang-tidy:
   stage: check
@@ -57,7 +92,7 @@ simulate:
   script:
     - python3 sim/run.py screenshot
   artifacts:
-    expose_as: 'Smulator Screenshot'
+    expose_as: 'Simulator Screenshot'
     paths: ['flow3r.png']
     expire_in: 5 hours
 
diff --git a/flake.nix b/flake.nix
index e206d713920bcf261445393bc6d02f2382e9e1fb..53a1e7102d050c4fb31b080562ae812ce9cf70b1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,17 @@
 {
   description = "flow3r badge flake";
 
+  nixConfig = {
+    substituters = [
+      "https://cache.nixos.org"
+      "https://flow3r.cachix.org"
+    ];
+    trusted-public-keys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "flow3r.cachix.org-1:/v8059Hm6UdEVNKE15uxltpYM0z+pulaTpobjIvFM5A="
+    ];
+  };
+
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     flake-compat = {
@@ -66,6 +77,8 @@
     {
       overlays.default = import ./nix/overlay;
 
+      legacyPackages = forAllPkgs (pkgs: pkgs);
+
       packages = forAllPkgs (pkgs:
         {
           dockerImage = pkgs.dockerTools.buildImage {
@@ -81,9 +94,8 @@
               pathsToLink = [ "/bin" ];
             };
 
-            runAsRoot = ''
-              #!${pkgs.runtimeShell}
-              mkdir -p /tmp
+            extraCommands = ''
+              mkdir -m 1777 tmp
             '';
 
             config = {