diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8104149..c40fdf4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,8 +1,12 @@
 name: CI
 on:
 push:
+defaults:
+ run:
+ shell: nix develop --command bash -c "{0}"
 env:
- ATTIC_AUTH_TOKEN: ${{ secrets.ATTIC_AUTH_TOKEN }}
+ CACHE_NAME: qois
+ CACHE_REPOSITORY: qois:qois-infrastructure
 jobs:
 build:
 runs-on: nix
@@ -12,20 +16,20 @@ jobs:
 with:
 token: ${{ secrets.CI_TOKEN }}
 lfs: false
- - name: Use attic cache
- run: nix run .#cache use
- - name: Build
+ - name: Setup Attic Cache
+ env:
+ SERVER: https://attic.qo.is/
+ ATTIC_AUTH_TOKEN: ${{ secrets.ATTIC_AUTH_TOKEN }}
 run: |
- nix build --max-jobs 12 --cores 12
- nix run .#cache push
- - name: Run Checks
- run: nix flake check
+ attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"
+ attic use "$CACHE_REPOSITORY"
+ - name: Run Builds and Checks
+ run: nix-fast-build --no-nom --max-jobs 6 --skip-cached --attic-cache "$CACHE_REPOSITORY"
 - name: Deploy Docs
 if: success() && github.ref == 'refs/heads/main'
 run: |
 mkdir ~/.ssh/
 echo -e "Host lindberg-webapps.backplane.net.qo.is\n StrictHostKeyChecking no" >> ~/.ssh/config
 (umask 0077 && printf "%s\n" "${{ secrets.SSH_DEPLOY_KEY }}" > ~/.ssh/id_ed25519)
- # Remote build might be neccessary due to non-wheel nix users signing restrictions.
- # However, the build should come from the cache anyway.
- nix develop --command deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"
+ deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"
+ # Remote build is neccessary due to non-wheel nix users signing restrictions. However, the build should come from the cache anyway.
diff --git a/README.md b/README.md
index f6f8cd4..bd6f395 100644
--- a/README.md
+++ b/README.md
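Review bot: The new `defaults.run.shell: nix develop --command bash -c "{0}"` drops the fail-fast flags the built-in `bash` shell applies (`-e` and `-o pipefail`), so every multi-line `run:` block in this workflow — the `attic login`/`attic use` pair and the key-setup-then-`deploy` sequence in the second hunk of this file — keeps executing after a failed command and the step is still reported green. Use `shell: nix develop --command bash -eo pipefail -c "{0}"` (or put `set -euo pipefail` at the top of each block) so a failed login or a failed key write stops the job before the next command relies on it. It is also worth confirming on this runner (`runs-on: nix`) how `{0}` is substituted: where it expands to the path of the temporary script, as on GitHub, `bash -c` treats that path as a command to execute rather than a script to read, and the usual custom-shell form is `bash -eo pipefail {0}` without `-c`.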
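Review bot: `attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"` in the added `Setup Attic Cache` step passes the secret as a command-line argument, which any other process or user on the runner host can read from the process table while the command runs, and `attic login` then persists the token in the attic client's config under the runner user's home directory, where it outlives the job unless the runner is ephemeral. Moving the token from the workflow-level `env:` into this step's `env:` is the right direction; to close the rest, add an `if: always()` cleanup step after the build that removes the attic client config, and check whether this self-hosted runner is shared with other jobs or users before relying on it. A one-line comment on the step such as `# attic login stores the token in the client config on this runner; it is removed in the cleanup step` would make that lifetime explicit. Minor: the comment moved to the last added line still reads `neccessary`.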
@@ -11,61 +11,60 @@ Check out the current [rendered documentation](https://docs-ops.qo.is). `nixos-modules`: Custom modules (e.g. for vpn and routers)\ `private`: Private configuration values (like users, sops-encrypted secrets and keys) -## Building +## Development This repository requires [nix flakes](https://nixos.wiki/wiki/Flakes) -- `nix build`\ - Build all host configurations and docs -- `nix build .#nixosConfigurations..config.system.build.toplevel`\ - Build a single host configuration with -- `nix build .#docs`\ - Build the documentation website +- `nix flake check`\ + Execute the project's checks, which includes building all configurations and packages. See [Tests](./checks/README.md). -## Development +- `nix build .#nixosConfigurations..config.system.build.toplevel`\ + Build a single host configuration. + +- `nix build .#docs`\ + Build the documentation website. - `nix develop`\ Development environment -- `nix flake check`\ - Execute the project's checks + - `nix fmt`\ Autofix formatting -### Working with the private submodule +### Secrets and `private` Submodule -To clone with submodules (if you have access): +Secret management is done with [nix-sops](https://github.com/Mic92/sops-nix) and a git submodule in `private`.\ +Make sure you have the submodule correctly available. To clone with submodules (if you have access): ```bash git clone --recurse-submodules https://git.qo.is/qo.is/infrastructure.git +# See below for how to commit changes. ``` -On changes: - -```bash -git add private -nix flake lock --update-input private -``` - -## Deployment - -`nix run .#deploy-qois` - -See [Deployment](deploy/README.md) for details. - -## Secrets - -Secret management is done with [nix-sops](https://github.com/Mic92/sops-nix). - Secrets are stored in `private/passwords.sops.yaml` (sysadmin passwords), `private/nixos-configurations/secrets.sops.yaml` (shared secrets for all hosts) and `private/nixos-configurations//secrets.sops.yaml` (host specific secrets). 
-Usage: +To modify secrets: ```bash sops $file # To edit a file sops-rekey # To rekey all secrets, e.g. after a key rollover or new host ``` -After changing secrets, don't forget to push the sub-repository and run -`nix flake update private` in the infrastructure repository to use the changes in builds. +After changing secrets: + +```bash +# Commit changes in subrepo +pushd private + git commit + git push + nix flake prefetch . # Make subrepo available in nix store. Required until nix 2.27. +popd + +git add private +nix flake lock --update-input private +``` + +## Deployment + +See [Deployment](deploy/README.md) for details. diff --git a/checks/README.md b/checks/README.md index 8288d07..d8f6db8 100644 --- a/checks/README.md +++ b/checks/README.md @@ -1,5 +1,13 @@ # Tests +`nix flake check` currently: + +- builds all nixos-configurations +- builds all packages +- runs all [nixos-module tests](#module-tests) +- checks all deployment configurations +- checks repository formatting. + ## Module Tests We test our nixos modules with [NixOS tests](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests). diff --git a/dev-shells/default.nix b/dev-shells/default.nix index ee3a977..fc8bc5a 100644 --- a/dev-shells/default.nix +++ b/dev-shells/default.nix @@ -29,7 +29,6 @@ in pre-commit-check.enabledPackages ++ [ vscodium-with-extensions ] ++ (with self.packages.${system}; [ - cache deploy-qois sops sops-rekey @@ -37,14 +36,15 @@ in ++ (with pkgs; [ attic-client deploy-rs + jq + nix-fast-build nixVersions.git nixd nixfmt-rfc-style nixos-anywhere - ssh-to-age pssh + ssh-to-age yq - jq ]); LANG = "C.UTF-8"; LC_ALL = "C.UTF-8"; diff --git a/packages/cache/default.nix b/packages/cache/default.nix deleted file mode 100644 index 5a7c983..0000000 --- a/packages/cache/default.nix +++ /dev/null 
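Review bot: With the CI workflow now running every step through `nix develop --command`, the `attic-client`, `deploy-rs` and the newly added `nix-fast-build` entries in this `pkgs` list are CI dependencies rather than developer conveniences, but nothing in the list says so and a later cleanup could drop one of them without any check catching it. A comment above the list such as `# attic-client, deploy-rs and nix-fast-build are also required by the CI workflow, which runs inside this shell` would record that coupling. The enclosing attribute set starts before this hunk.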
@@ -1,42 +0,0 @@
-{
- attic-client,
- findutils,
- gnugrep,
- writeShellApplication,
- ...
-}:
-writeShellApplication {
- name = "cache";
- meta.description = "Access the infrastructure's attic cache. Mostly used in CI.";
- runtimeInputs = [
- attic-client
- findutils
- gnugrep
- ];
- text = ''
- SERVER="https://attic.qo.is/"
- CACHE_NAME="qois"
- CACHE_REPO="$CACHE_NAME:qois-infrastructure"
- if [ -z "$ATTIC_AUTH_TOKEN" ]; then
- echo "Please set the \$ATTIC_AUTH_TOKEN environment variable to access the cache."
- exit 3
- fi
- attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"
-
- case "$1" in
- use)
- attic use "$CACHE_REPO"
- ;;
- watch)
- attic watch-store "$CACHE_REPO"
- ;;
- push)
- RESULT_PATH="./result"
- # Add build dependencies as well
- nix-store -qR --include-outputs "$(nix-store -qd $RESULT_PATH)" | grep -v '\.drv$' \
- | xargs attic push "$CACHE_REPO" "$RESULT_PATH"
- ;;
-
- esac
- '';
-}