diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 7073126..b57c7bc 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -16,6 +16,8 @@ jobs:
           extra_nix_config: |
             extra-trusted-public-keys = localhost:TiRpr2LzamX/MCKBUmFlZ8inWz94QWGL88fMEHg9Kgc=
             extra-substituters = http://localhost:5000
+            secret-key-files = /var/secrets/cache_privkey
+            post-build-hook = /etc/nix/upload-to-cache.sh
       - uses: actions/checkout@v4
       - name: Install SSH key
         uses: shimataro/ssh-key-action@v2
@@ -25,4 +27,8 @@ jobs:
       - uses: http://github.com/cachix/cachix-action@v16
         with:
           name: colmena
+      - run: mkdir -p /var/secrets/
+      - run: echo ${{ secrets.CACHE_PRIVKEY }} > /var/secrets/cache_privkey
+      - run: cp ./scripts/upload-to-cache.sh /etc/nix/
+      - run: chmod +x /etc/nix/upload-to-cache.sh
       - run: nix run .#colmena apply
diff --git a/scripts/upload-to-cache.sh b/scripts/upload-to-cache.sh
new file mode 100644
index 0000000..390ffd1
--- /dev/null
+++ b/scripts/upload-to-cache.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+set -eu
+set -f
+
+export IFS=' '
+echo "Uploading paths" $OUT_PATHS
+exec nix copy --to "ssh://localhost:5000" $OUT_PATHS