diff --git a/flakes/common/nix_modules/remote_lio_builds.nix b/flakes/common/nix_modules/remote_lio_builds.nix
index aff5e272..4ef6615c 100644
--- a/flakes/common/nix_modules/remote_lio_builds.nix
+++ b/flakes/common/nix_modules/remote_lio_builds.nix
@@ -14,6 +14,13 @@ in
 {
   nix = lib.mkIf (hasSecret "nix2lio") {
     distributedBuilds = true;
+
+    # Prefer pulling from lio's binary cache when available.
+    settings = {
+      substituters = lib.mkAfter [ "http://lio:5000" ];
+      trusted-public-keys = lib.mkAfter [ "lio:9jKQ2xJyZjD0AWFzMcLe5dg3s8vOJ3uffujbUkBg4ms=" ];
+    };
+
     buildMachines = [
       {
         hostName = "lio";
diff --git a/hosts/lio/configuration.nix b/hosts/lio/configuration.nix
index 934447ee..5c1645be 100644
--- a/hosts/lio/configuration.nix
+++ b/hosts/lio/configuration.nix
@@ -28,6 +28,15 @@
       #   STOP_CHARGE_THRESH_BAT0 = 95;
       # };
     };
+
+    # Binary cache server (drop-in nix-serve replacement)
+    nix-serve = {
+      enable = true;
+      package = pkgs.nix-serve-ng;
+      port = 5000;
+      # openFirewall = true;
+      secretKeyFile = "/var/lib/nix-serve/cache-priv-key.pem";
+    };
   };
 
   # Also allow this key to work for root user, this will let us use this as a remote builder easier