diff --git a/.forgejo/workflows/nix.yaml b/.forgejo/workflows/nix.yaml
new file mode 100644
index 0000000..5f64b2b
--- /dev/null
+++ b/.forgejo/workflows/nix.yaml
@@ -0,0 +1,125 @@
+name: nix
+
+on:
+ pull_request:
+ branches: [main]
+ push:
+ schedule:
+ - cron: 0 0 * * 1
+
+env:
+ REGISTRY: git.nexveridian.com
+ IMAGE_NAME: ${{ github.repository }}
+ NIX_CONFIG: "experimental-features = nix-command flakes"
+ NIX_PATH: "nixpkgs=channel:nixos-unstable"
+ CONTAINER_TOKEN: ${{ secrets.CONTAINER_REGISTRY_TOKEN }}
+
+jobs:
+ build:
+ runs-on: nix
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+
+ steps:
+ - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.nexveridian.com ${{ secrets.ATTIC_TOKEN }} || true
+ - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create docker-nixpkgs || true
+ - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache configure docker-nixpkgs -- --priority 30 || true
+ - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use docker-nixpkgs || true
+
+ - name: Install Node.js
+ run: |
+ mkdir -p ~/.local/bin
+ nix build -I nixpkgs=channel:nixos-unstable nixpkgs#nodejs_24 -o ~/.local/nodejs
+ ln -sf ~/.local/nodejs/bin/node ~/.local/bin/node
+ ln -sf ~/.local/nodejs/bin/npm ~/.local/bin/npm
+ echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+ - uses: actions/checkout@v4
+
+ - name: Install skopeo
+ run: |
+ mkdir -p ~/.local/bin
+ nix build -I nixpkgs=channel:nixos-unstable nixpkgs#skopeo -o ~/.local/skopeo
+ ln -sf ~/.local/skopeo/bin/skopeo ~/.local/bin/skopeo
+ echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+ - name: Build Nix package
+ run: nix-build -A action-attic
+
+ - name: Prepare repository variables
+ run: |
+ echo "REPO=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV}
+ echo "OWNER=${GITHUB_REPOSITORY_OWNER,,}" >> ${GITHUB_ENV}
+ # Extract just the repository name (everything after the last slash)
+ REPO_NAME=${GITHUB_REPOSITORY##*/}
+ echo "IMAGE_NAME=action-attic" >> ${GITHUB_ENV}
+
+ - name: Setup skopeo policy and push image
+ run: |
+ # configure container policy to accept insecure 
registry + mkdir -p ~/.config/containers + cat > ~/.config/containers/policy.json < ~/.docker/config.json </dev/null 2>&1; then + valid_paths="$valid_paths $path" + fi + done + + if [ -n "$valid_paths" ]; then + for i in {1..10}; do + nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push docker-nixpkgs $valid_paths && break || [ $i -eq 5 ] || sleep 5 + done + fi
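Review bot: The first step expands `${{ secrets.ATTIC_TOKEN }}` straight into the `attic-client login` command line, so the token becomes part of the generated script text and of the process arguments; pass it through the step's `env:` instead (`env: { ATTIC_TOKEN: "${{ secrets.ATTIC_TOKEN }}" }`) and end the command with `"$ATTIC_TOKEN"`. `CONTAINER_TOKEN` is declared in the workflow-level `env:`, which makes it available to every step, including `actions/checkout@v4` and `nix-build -A action-attic` on `pull_request` runs; declaring it only on the step that pushes the image would narrow that exposure. The `|| true` on the four attic steps hides a failed login or cache setup, so a later push failure would be the first visible symptom. In the final retry loop the range is `{1..10}` while the stop test is `[ $i -eq 5 ]`, which only skips one sleep rather than ending the loop, so one of the two numbers looks like a leftover. The `policy.json` and `~/.docker/config.json` heredoc bodies are not legible on this page, so the "accept insecure registry" policy itself is not covered by this note.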