diff --git a/.gitea/scripts/build-and-cache.sh b/.gitea/scripts/build-and-cache.sh
new file mode 100755
index 0000000..974ed35
--- /dev/null
+++ b/.gitea/scripts/build-and-cache.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Configure Attic cache
+attic login local "$ATTIC_ENDPOINT" "$ATTIC_TOKEN"
+attic use local:nixos
+
+# Check flake
+nix flake check --all-systems --print-build-logs --log-format raw --show-trace
+
+# Build all systems
+nix eval .#nixosConfigurations --apply 'cs: builtins.attrNames cs' --json \
+ | jq -r '.[]' \
+ | xargs -I{} nix build ".#nixosConfigurations.{}.config.system.build.toplevel" \
+ --no-link --print-build-logs --log-format raw
+
+# Push to cache (only locally-built paths >= 0.5MB)
+toplevels=$(nix eval .#nixosConfigurations \
+ --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' \
+ --json | jq -r '.[]')
+echo "Found $(echo "$toplevels" | wc -l) system toplevels"
+paths=$(echo "$toplevels" \
+ | xargs nix path-info -r --json \
+ | jq -r '[to_entries[] | select(
+ (.value.signatures | all(startswith("cache.nixos.org") | not))
+ and .value.narSize >= 524288
+ ) | .key] | unique[]')
+echo "Pushing $(echo "$paths" | wc -l) unique paths to cache"
+echo "$paths" | xargs attic push local:nixos
diff --git a/.gitea/workflows/auto-update.yaml b/.gitea/workflows/auto-update.yaml
new file mode 100644
index 0000000..9ea9a63
--- /dev/null
+++ b/.gitea/workflows/auto-update.yaml
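Review bot: `attic login local "$ATTIC_ENDPOINT" "$ATTIC_TOKEN"` is the first place the two variables are read, so a missing one only surfaces as bash's generic "unbound variable" error from `set -u`; guarding at the top with `: "${ATTIC_ENDPOINT:?ATTIC_ENDPOINT must be set}"` and `: "${ATTIC_TOKEN:?ATTIC_TOKEN must be set}"` states the script's contract and fails with a readable message. The same line hands the token over as a command-line argument, where it is visible in the runner's process table for the duration of `attic login`; that is inherent to how the command is invoked here, but a comment such as `# token is passed on argv; do not enable set -x in this script` would stop a later debugging change from echoing it into the job log. The final `echo "$paths" | xargs attic push local:nixos` still runs `attic push` once with no store paths when the jq filter selects nothing, since GNU xargs executes its command on empty input unless given `-r`, and both `wc -l` counts report 1 for an empty string. The explanation of the jq filter that the old inline step carried (drop paths already signed by cache.nixos.org, drop paths under 0.5MB as insignificant) is reduced here to the one-line `# Push to cache (...)` and is worth restoring as a comment above `paths=`.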
@@ -0,0 +1,42 @@
+name: Auto Update Flake
+on:
+ schedule:
+ - cron: '0 6 * * *'
+ workflow_dispatch: {}
+
+env:
+ DEBIAN_FRONTEND: noninteractive
+ PATH: /run/current-system/sw/bin/
+ XDG_CONFIG_HOME: ${{ runner.temp }}/.config
+ ATTIC_ENDPOINT: ${{ vars.ATTIC_ENDPOINT }}
+ ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
+
+jobs:
+ auto-update:
+ runs-on: nixos
+ steps:
+ - name: Checkout the repository
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ ref: master
+
+ - name: Update flake inputs
+ run: nix flake update --commit-lock-file
+
+ - name: Build and cache
+ run: bash .gitea/scripts/build-and-cache.sh
+
+ - name: Push updated lockfile
+ run: git push
+
+ - name: Notify on failure
+ if: failure()
+ run: |
+ curl -s \
+ -H "Authorization: Bearer ${{ secrets.NTFY_TOKEN }}" \
+ -H "Title: Flake auto-update failed" \
+ -H "Priority: high" \
+ -H "Tags: warning" \
+ -d "Auto-update workflow failed. Check: ${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}" \
+ ntfy.neet.dev/nix-flake-updates
diff --git a/.gitea/workflows/check-flake.yaml b/.gitea/workflows/check-flake.yaml
index 48dee78..e688e95 100644
--- a/.gitea/workflows/check-flake.yaml
+++ b/.gitea/workflows/check-flake.yaml
@@ -6,6 +6,8 @@ env:
 DEBIAN_FRONTEND: noninteractive
 PATH: /run/current-system/sw/bin/
 XDG_CONFIG_HOME: ${{ runner.temp }}/.config
+ ATTIC_ENDPOINT: ${{ vars.ATTIC_ENDPOINT }}
+ ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
 
 jobs:
 check-flake:
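Review bot: The `curl` in the `Notify on failure` step targets `ntfy.neet.dev/nix-flake-updates` with no scheme, and curl defaults a scheme-less URL to `http://`, so the `Authorization: Bearer ${{ secrets.NTFY_TOKEN }}` header is sent in cleartext before any redirect to HTTPS could take effect (and `-s` without `-L` would not follow one anyway); write `https://ntfy.neet.dev/nix-flake-updates` explicitly. `-s` also hides transport and HTTP errors, so a rejected token goes unnoticed; `curl -sS --fail` makes a failed notification visible in the job log. Separately, `nix flake update --commit-lock-file` creates a git commit, which needs a `user.name`/`user.email` identity; nothing in this workflow sets one, so this presumably relies on runner-level git configuration and deserves either a comment saying so or an explicit `git config` step before it. `actions/checkout@v3` is referenced by a mutable tag; pinning it to a commit SHA is the usual hardening for a job that holds cache push credentials and pushes to `master`.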
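Review bot: Adding `ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}` to the workflow-level `env:` exports the secret into the environment of every step in the job, including `actions/checkout`, whereas the removed inline step passed it only to the `attic login` command itself. As far as this diff shows, only the `Build and cache` step needs it, so the narrower form is a step-level `env:` block on that step with the same two keys, which leaves the script unchanged. The new auto-update.yaml introduces the same workflow-level `env:` and would benefit from the same scoping, since its `git push` and notification steps do not use the token.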
@@ -16,34 +18,5 @@ jobs:
 with:
 fetch-depth: 0
 
- - name: Configure Attic cache
- run: |
- attic login local "${{ vars.ATTIC_ENDPOINT }}" "${{ secrets.ATTIC_TOKEN }}"
- attic use local:nixos
-
- - name: Check Flake
- run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace
-
- - name: Build all systems
- run: |
- nix eval .#nixosConfigurations --apply 'cs: builtins.attrNames cs' --json \
- | jq -r '.[]' \
- | xargs -I{} nix build ".#nixosConfigurations.{}.config.system.build.toplevel" --no-link --print-build-logs --log-format raw
-
- - name: Push to cache
- run: |
- set -euo pipefail
- # Get all system toplevel store paths
- toplevels=$(nix eval .#nixosConfigurations --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' --json | jq -r '.[]')
- echo "Found $(echo "$toplevels" | wc -l) system toplevels"
- # Expand to full closures, deduplicate, and filter out paths that are:
- # - already signed by cache.nixos.org (available upstream)
- # - smaller than 0.5MB (insignificant build artifacts)
- paths=$(echo "$toplevels" \
- | xargs nix path-info -r --json \
- | jq -r '[to_entries[] | select(
- (.value.signatures | all(startswith("cache.nixos.org") | not))
- and .value.narSize >= 524288
- ) | .key] | unique[]')
- echo "Pushing $(echo "$paths" | wc -l) unique paths to cache"
- echo "$paths" | xargs attic push local:nixos
+ - name: Build and cache
+ run: bash .gitea/scripts/build-and-cache.sh