diff --git a/.github/composites/setup-nix/action.yml b/.github/composites/setup-nix/action.yml
new file mode 100644
index 0000000..07ceba4
--- /dev/null
+++ b/.github/composites/setup-nix/action.yml
@@ -0,0 +1,27 @@
+---
+inputs:
+  githubAccessToken:
+    required: true
+  cachixAuthToken:
+    required: true
+
+runs:
+  using: composite
+
+  steps:
+    - name: Install Nix
+      uses: cachix/install-nix-action@v23
+      with:
+        extra_nix_config: |
+          ## Access token to avoid triggering GitHub's rate limiting.
+          access-tokens = github.com=${{ inputs.githubAccessToken }}
+          ## Accept arbitrary substituters from the flake.
+          accept-flake-config = true
+
+    - name: Setup Nix caches
+      uses: cachix/cachix-action@v12
+      with:
+        name: morsmall
+        ## This auth token will give write access to the cache, meaning that
+        ## everything that happens in CI will be pushed at the end of the job.
+        authToken: "${{ inputs.cachixAuthToken }}"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e8eb05f..133e265 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,12 +26,11 @@ jobs:
         with:
           submodules: true
 
-      - name: Install Nix
-        uses: cachix/install-nix-action@v23
+      - name: Setup Nix
+        uses: ./.github/composites/setup-nix
         with:
-          extra_nix_config: |
-            ## Access token to avoid triggering GitHub's rate limiting.
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+          githubAccessToken: ${{ secrets.GITHUB_TOKEN }}
+          cachixAuthToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
       - name: Install dependencies
         run: |
@@ -66,12 +65,11 @@ jobs:
         with:
           submodules: true
 
-      - name: Install Nix
-        uses: cachix/install-nix-action@v23
+      - name: Setup Nix
+        uses: ./.github/composites/setup-nix
         with:
-          extra_nix_config: |
-            ## Access token to avoid triggering GitHub's rate limiting.
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+          githubAccessToken: ${{ secrets.GITHUB_TOKEN }}
+          cachixAuthToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
       - name: Build
         run: |
@@ -85,12 +83,11 @@ jobs:
       - name: Check out repository code.
         uses: actions/checkout@v4
 
-      - name: Install Nix
-        uses: cachix/install-nix-action@v23
+      - name: Setup Nix
+        uses: ./.github/composites/setup-nix
         with:
-          extra_nix_config: |
-            ## Access token to avoid triggering GitHub's rate limiting.
-            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+          githubAccessToken: ${{ secrets.GITHUB_TOKEN }}
+          cachixAuthToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
       - name: Run flake checks
         run: |