diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..6ee53fd
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,34 @@
+name: "Nix: build and cache outputs"
+
+on:
+ workflow_dispatch:
+ push:
+ paths:
+ - "**.nix"
+ - "**.lock"
+ - ".github/workflows/build.yml"
+
+jobs:
+ build-flake:
+ name: Build (x86_64-linux)
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.ref_name }}
+ persist-credentials: false
+
+ - name: Install Lix
+ uses: ./.github/actions/install-lix
+
+ - name: Setup Attic cache
+ uses: ryanccn/attic-action@v0.3.2
+ with:
+ endpoint: https://cache.thevoid.cafe
+ cache: puzzlevision
+ token: ${{ secrets.ATTIC_TOKEN }}
+
+ - name: Build flake
+ run: nix build .#nixosConfigurations.puzzlevision.config.system.build.toplevel --accept-flake-config
diff --git a/.github/workflows/check-leaks.yml b/.github/workflows/check-leaks.yml
deleted file mode 100644
index 72bbc91..0000000
--- a/.github/workflows/check-leaks.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-name: "Trufflehog: check for exposed secrets"
-
-on:
- pull_request:
- push:
- paths:
- - "**.nix"
- - ".github/workflows/check-leaks.yml"
-
-permissions:
- contents: read
- id-token: write
- issues: write
- pull-requests: write
-
-jobs:
- deadnix:
- name: Run trufflehog
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- with:
- ref: ${{ github.ref_name }}
- fetch-depth: 0
-
- - id: trufflehog
- name: TruffleHog scan
- uses: trufflesecurity/trufflehog@main
- continue-on-error: true
- with:
- path: ./
- base: "${{ github.event.repository.default_branch }}"
- extra_args: --debug --only-verified
-
- - name: Scan Results Status
- if: steps.trufflehog.outcome == 'failure'
- run: exit 1
diff --git a/.github/workflows/deadnix.yml b/.github/workflows/deadnix.yml
index 23f0b46..d80f744 100644
--- a/.github/workflows/deadnix.yml
+++ b/.github/workflows/deadnix.yml
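Review bot: The new workflow has no top-level `permissions:` block, so `build-flake` runs with the repository's default GITHUB_TOKEN scope although the job only needs a read-only checkout (the cache push authenticates with `secrets.ATTIC_TOKEN`, not the GitHub token); add `permissions:` / `  contents: read` above `jobs:`. Both actions are pinned by tag (`actions/checkout@v4`, `ryanccn/attic-action@v0.3.2`) and the second one receives the Attic token; pinning an action that handles a secret to a full commit SHA, with the version in a trailing comment, protects against a moved or retagged release. `--accept-flake-config` on the `nix build` line accepts whatever substituters and trusted keys the flake's `nixConfig` declares, which is acceptable while the flake and this workflow live in the same repository but deserves a comment on that line, e.g. `# --accept-flake-config trusts the substituters declared in flake.nix nixConfig`.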
@@ -12,17 +12,9 @@ jobs:
 name: Run deadnix
 runs-on: ubuntu-latest
 steps:
- - name: Checkout
- uses: actions/checkout@v4
- with:
- ref: ${{ github.ref_name }}
- persist-credentials: false
-
- - name: Install lix
- uses: ./.github/actions/install-lix
-
+ - uses: actions/checkout@v4
+ - uses: cachix/install-nix-action@v25
 - uses: cachix/cachix-action@v14
 with:
 name: deadnix
- - uses: phucleeuwu/deadnix-action@v1
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 4f3e1b3..9fdb6e6 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -6,7 +6,7 @@ on:
 paths:
 - "**.nix"
 - "**.lock"
- - ".github/workflows/validate.yml"
+ - ".github/workflows/**.yml"
 jobs:
 check-flake:
@@ -21,7 +21,10 @@ jobs:
 persist-credentials: false
 - name: Install Nix
- uses: ./.github/actions/install-lix
+ uses: DeterminateSystems/nix-installer-action@main
+ with:
+ extra-conf: |
+ experimental-features = flakes nix-command recursive-nix pipe-operator
 - name: Validate Flake
 run: nix flake check
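Review bot: The new bare `- uses: actions/checkout@v4` step drops the `persist-credentials: false` that the step it replaces carried, so the job's GITHUB_TOKEN is persisted in the checkout's `.git/config` and is readable by the later third-party steps (`cachix/install-nix-action@v25`, `cachix/cachix-action@v14`); keep it with `- uses: actions/checkout@v4`, `  with:`, `    persist-credentials: false`. Separately, the `phucleeuwu/deadnix-action@v1` step is removed and nothing in this hunk replaces it, so unless a step after the hunk runs deadnix, the `Run deadnix` job now only installs Nix and configures Cachix. The job definition begins before line 12 and may continue past the hunk.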
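Review bot: `uses: DeterminateSystems/nix-installer-action@main` tracks a mutable branch of a third-party action that installs a system-wide Nix daemon on the runner, so every run executes whatever that branch holds at the time; pin it to a release tag or a full commit SHA, `uses: DeterminateSystems/nix-installer-action@<release-tag-or-sha>` (placeholder — choose the version the project wants). The same commit moves deadnix.yml to `cachix/install-nix-action@v25` while the new build.yml keeps the local `./.github/actions/install-lix` composite, so three workflows now install Nix three different ways; the `experimental-features` list in `extra-conf` (`recursive-nix`, `pipe-operator`) is only honoured by a Nix version that knows those features, so a single shared installer step would keep `nix flake check` and `nix build` evaluating under the same settings. The `check-flake` job begins before this hunk.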