modules/nixos/nix/default.nix

@@ -25,6 +25,13 @@ in
     enable = mkBoolOpt false "Whether or not to manage nix configuration.";
     package = mkOpt package pkgs.nix "Which nix package to use.";
 
+    default-substituter = {
+      url = mkOpt str "https://cache.nixos.org" "The url for the substituter.";
+      key =
+        mkOpt str "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+          "The trusted public key for the substituter.";
+    };
+
     extra-substituters = mkOpt (attrsOf substituters-submodule) { } "Extra substituters to configure.";
   };
 
@@ -51,6 +58,7 @@ in
     nix =
       let
         users = [
+          "root"
           config.metacfg.user.name
         ]
         ++ optional config.services.hydra.enable "hydra";
@@ -67,11 +75,19 @@ in
           sandbox = true;
           auto-optimise-store = true;
           trusted-users = users;
-          allowed-users = [ "@users" ];
+          allowed-users = [
+            "@users"
+            "root"
+          ];
 
-          # NixOS already adds cache.nixos.org by default, only add extra substituters
-          substituters = mapAttrsToList (name: _: name) extra-substituters;
-          trusted-public-keys = mapAttrsToList (_: value: value.key) extra-substituters;
+          substituters = [
+            cfg.default-substituter.url
+          ]
+          ++ (mapAttrsToList (name: value: name) extra-substituters);
+          trusted-public-keys = [
+            cfg.default-substituter.key
+          ]
+          ++ (mapAttrsToList (name: value: value.key) extra-substituters);
 
         }
         // (lib.optionalAttrs config.metacfg.tools.direnv.enable {

systems/x86_64-linux/amd/default.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   lib,
+  config,
   ...
 }:
 with lib;
@@ -18,6 +19,9 @@ with lib.metacfg;
     22000
   ];
 
+  programs.ccache.enable = true;
+  nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
+
   services.tailscale.enable = true;
 
   services.cratedocs-mcp.enable = true;