diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml new file mode 100644 index 000000000..27b19df56 --- /dev/null +++ b/.github/workflows/test.yaml @@ -0,0 +1,15 @@ +name: Build + +on: + workflow_dispatch: # allows manual triggering + push: + # schedule: + # - cron: "0 0 * * 0" # runs weekly on Sunday at 00:00 + +jobs: + check: + runs-on: [self-hosted] + steps: + - uses: actions/checkout@v4 + - name: Run `nix flake check` + run: nix flake check diff --git a/machines/iapetus/configuration.nix b/machines/iapetus/configuration.nix index afa870a73..67be95d9b 100644 --- a/machines/iapetus/configuration.nix +++ b/machines/iapetus/configuration.nix @@ -63,7 +63,9 @@ programs.ccache.enable = true; nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]; systemd.tmpfiles.rules = - [ "d ${config.programs.ccache.cacheDir} 0770 root nixbld" ]; + [ "d ${config.programs.ccache.cacheDir} 0770 root nixbld" ] + ++ (let cfg = config.services.github-runners.nix-config; + in [ "d '${cfg.workDir}' 0777 - - - -" ]); environment.systemPackages = [ config.boot.kernelPackages.perf @@ -112,6 +114,7 @@ true; # Open ports in the firewall for Source Dedicated Server }; + # https://docs.github.com/en/rest/actions/self-hosted-runners#create-a-registration-token-for-a-repository sops.secrets.github-runner-token = { sopsFile = ../../modules/nixos/server/secrets.yaml; key = "github_runner_token"; @@ -121,6 +124,7 @@ url = "https://github.com/nathanregner/nix-config"; tokenFile = config.sops.secrets.github-runner-token.path; replace = true; + workDir = "/tmp/nix-config"; }; # This value determines the NixOS release from which the default
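Review bot: The `check` job in `.github/workflows/test.yaml` runs repository code on a `[self-hosted]` runner for every `push`, but the workflow declares no `permissions:` and leaves `actions/checkout@v4` at its defaults, so the job token keeps the repository's default scope and is written into the checkout's `.git/config` on a long-lived host. I would add a top-level `permissions:` block containing `contents: read` and give the checkout step `with:` / `persist-credentials: false`. If the repository this runner is registered to is public, also confirm that workflows from fork pull requests require approval, because GitHub advises against self-hosted runners on public repositories, where a job executes repository code directly on the machine. Pinning `actions/checkout` to a full commit SHA rather than the `v4` tag would keep a moved tag from changing what runs on the host.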
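Review bot: The tmpfiles rule `d '${cfg.workDir}' 0777 - - - -` added in the `@@ -63,7 +63,9 @@` hunk creates the runner's work directory world-writable, and the later hunk at `@@ -121,6 +124,7 @@` sets `workDir = "/tmp/nix-config"`. Together they let every local account on the host add, replace or delete files in the tree that `nix flake check` evaluates and in which the checkout step keeps its credentials. I would move the directory out of `/tmp` and restrict it to the account the runner service runs as, for example `"d '${cfg.workDir}' 0750 <runner-user> <runner-group> - -"` with `workDir` pointing at a dedicated path under `/var/lib` (the user, group and path here are placeholders). This presumably needs a static user on the runner service rather than a dynamic one, so check which options the module version in use offers.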