diff --git a/README.md b/README.md index 4e21a30..8d5da60 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ 雪定(せってい) -Collection of my personal Nix configurations and opinionated NixOS, nix-darwin, home-manager, and nilla modules. +Collection of my personal Nix configurations and opinionated NixOS, nix-darwin, home-manager, and flake-parts modules. > [!CAUTION] > I tried to make the modules in this repository useful to others without having @@ -25,12 +25,13 @@ Collection of my personal Nix configurations and opinionated NixOS, nix-darwin, - modules - options which in principle should be reusable by others - system - my opinionated nixos/nix-darwin modules - home - my opinionated home-manager modules - - nilla - nilla modules + - flake - flake-parts modules - services - configs for services I self-host - secrets - agenix secrets - wrappers - nix packages wrapped with my configs (see: [wrapper-manager](https://github.com/viperML/wrapper-manager)) - assets - miscellaneous values reused throughout my config +- effects.nix - hercules-ci configuration ## Code guidelines @@ -54,8 +55,9 @@ clean, maintainable, and reusable. Sorted rougly by priority -- get rid of flakes completely - bring back ci (sorta done) -- automatic deploys (either push or pull, to be decided) +- hercules-ci effects for deploying machines on update (if configuration is + valid) +- fix disko - make the configuration truly declarative (to a reasonable degree) - themeing solution diff --git a/effects.nix b/effects.nix new file mode 100644 index 0000000..aa9906a --- /dev/null +++ b/effects.nix 
@@ -0,0 +1,102 @@
+{
+ config,
+ lib,
+ withSystem,
+ self,
+ ...
+}:
+let
+ collectFlakeOutputs =
+ { config, pkgs }:
+ let
+ inherit (pkgs) lib;
+ collectDrvs =
+ prefix: attrs:
+ let
+ drvs = lib.pipe attrs [
+ (lib.filterAttrs (_: lib.isDerivation))
+ (lib.mapAttrsToList (
+ name: drv: {
+ name = lib.concatStringsSep "." (prefix ++ [ name ]);
+ inherit drv;
+ }
+ ))
+ ];
+ recursed = lib.pipe attrs [
+ (lib.filterAttrs (
+ _: val: (!lib.isDerivation val) && (lib.isAttrs val) && (val.recurseForDerivations or true)
+ ))
+ (lib.mapAttrsToList (name: collectDrvs (prefix ++ [ name ])))
+ ];
+ in
+ drvs ++ (lib.flatten recursed);
+ rootOutputs = builtins.removeAttrs config.onPush.default.outputs [ "effects" ];
+ in
+ collectDrvs [ ] rootOutputs;
+in
+{
+ defaultEffectSystem = "aarch64-linux";
+
+ hercules-ci = {
+ flake-update = {
+ enable = true;
+ when.dayOfWeek = "Mon";
+ };
+ };
+
+ herculesCI = herculesCI: {
+ onPush.default = {
+ outputs.effects = {
+ pin-cache = withSystem config.defaultEffectSystem (
+ { pkgs, hci-effects, ... }:
+ let
+ collected = collectFlakeOutputs {
+ inherit (herculesCI) config;
+ inherit pkgs;
+ };
+ cachixCommands = lib.concatMapStringsSep "\n" (
+ { name, drv }: "cachix pin nrabulinski ${lib.escapeShellArg name} ${lib.escapeShellArg drv}"
+ ) collected;
+ in
+ hci-effects.runIf (herculesCI.config.repo.branch == "main") (
+ hci-effects.mkEffect {
+ secretsMap."cachix-token" = "cachix-token";
+ inputs = [ pkgs.cachix ];
+ userSetupScript = ''
+ cachix authtoken $(readSecretString cachix-token .token)
+ '';
+ # Discarding the context is fine here because we don't actually want to build those derivations.
+ # They have already been built as part of this job,
+ # we only want to pin them to make sure cachix doesn't GC them.
+ effectScript = builtins.unsafeDiscardStringContext cachixCommands;
+ }
+ )
+ );
+ };
+ };
+ };
+
+ perSystem =
+ { pkgs, lib, ...
}:
+ rec {
+ legacyPackages.outputsList =
+ let
+ config = self.herculesCI {
+ primaryRepo = { };
+ herculesCI = { };
+ };
+ in
+ collectFlakeOutputs { inherit config pkgs; };
+
+ legacyPackages.github-matrix =
+ let
+ systems = lib.groupBy ({ drv, ... }: drv.system) legacyPackages.outputsList;
+ in
+ lib.concatMapStringsSep "\n" (
+ { name, value }:
+ ''
+ ${name}=${builtins.toJSON (map (d: d.name) value)}
+ ''
+ ) (lib.attrsToList systems);
+ };
+}
diff --git a/hosts/hijiri/skhd.nix b/hosts/hijiri/skhd.nix
index 4454cad..fd7f9c3 100644
--- a/hosts/hijiri/skhd.nix
+++ b/hosts/hijiri/skhd.nix
@@ -4,7 +4,7 @@
 enable = true;
 skhdConfig =
 let
- spaceCount = 9;
+ spaceCount = 6;
 spaceBindings = lib.genList (
 i:
 let
diff --git a/modules/system/default.nix b/modules/system/default.nix
index 0c450a0..4b82bd1 100644
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@@ -22,6 +22,7 @@
 (import ./tailscale.nix { inherit isLinux; })
 (import ./containers.nix { inherit isLinux; })
 ./unfree.nix
+ (import ./hercules.nix { inherit isLinux; })
 (import ./github-runner.nix { inherit isLinux; })
 (import ./incus.nix { inherit isLinux; })
 (import ./monitoring.nix { inherit isLinux; })
diff --git a/modules/system/hercules.nix b/modules/system/hercules.nix
new file mode 100644
index 0000000..a5fba52
--- /dev/null
+++ b/modules/system/hercules.nix
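Review bot: The cachix token is handed to the CLI as a command-line argument in `userSetupScript` (`cachix authtoken $(readSecretString cachix-token .token)`), so it may show up in process listings and in any shell tracing of the effect; feeding it through stdin keeps it out of argv: `readSecretString cachix-token .token | cachix authtoken --stdin`. Separately, `collectDrvs` descends into every attribute set unless it explicitly sets `recurseForDerivations = false`, the inverse of the nixpkgs convention where recursion is opt-in, so if `onPush.default.outputs` ever carries a large non-package attrset the pin-cache effect will walk all of it; either flip the fallback to `or false` or add a comment stating the default-true choice is deliberate. The `runIf (herculesCI.config.repo.branch == "main")` guard is what keeps PR and flake-update branches from pinning, which deserves a one-line comment next to it.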
@@ -0,0 +1,47 @@
+{ isLinux }:
+{
+ config,
+ lib,
+ ...
+}:
+let
+ options = {
+ settei.hercules.enable = lib.mkEnableOption "Enables hercules-ci-agent with my configuration";
+ };
+
+ herculesUser =
+ if isLinux then
+ config.systemd.services.hercules-ci-agent.serviceConfig.User
+ else
+ config.launchd.daemons.hercules-ci-agent.serviceConfig.UserName;
+in
+{
+ _file = ./hercules.nix;
+
+ inherit options;
+
+ config = lib.mkIf config.settei.hercules.enable {
+ age.secrets.hercules-token = {
+ file = ../../../secrets/hercules-token.age;
+ owner = herculesUser;
+ };
+ age.secrets.hercules-cache = {
+ file = ../../../secrets/hercules-cache.age;
+ owner = herculesUser;
+ };
+ age.secrets.hercules-secrets = {
+ file = ../../../secrets/hercules-secrets.age;
+ owner = herculesUser;
+ };
+
+ services.hercules-ci-agent = {
+ enable = true;
+ settings = {
+ clusterJoinTokenPath = config.age.secrets.hercules-token.path;
+ concurrentTasks = lib.mkDefault 4;
+ binaryCachesPath = config.age.secrets.hercules-cache.path;
+ secretsJsonPath = config.age.secrets.hercules-secrets.path;
+ };
+ };
+ };
+}
diff --git a/modules/system/sane-defaults.nix b/modules/system/sane-defaults.nix
index 20a4bab..ae4a097 100644
--- a/modules/system/sane-defaults.nix
+++ b/modules/system/sane-defaults.nix
@@ -62,11 +62,15 @@ let
 "https://cache.nrab.lol"
 "https://cache.garnix.io"
 "https://nix-community.cachix.org"
+ "https://hyprland.cachix.org"
+ "https://hercules-ci.cachix.org"
 "https://nrabulinski.cachix.org"
 ];
 extra-trusted-public-keys = [
+ "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
 "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
 "nrabulinski.cachix.org-1:Q5FD7+1c68uH74CQK66UWNzxhanZW8xcg1LFXxGK8ic="
 "cache.nrab.lol-1:CJl1TouOyuJ1Xh4tZSXLwm3Upt06HzUNZmeyuEB9EZg="
 ];
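Review bot: The three `file = ../../../secrets/*.age` references are resolved relative to `modules/system/hercules.nix`, which appears to land one directory above the repository root rather than in the top-level `secrets` directory the README lists; confirm against how sibling modules reference secrets and change to `../../secrets/...` if those resolve to the repo root. The module also gives the agent its binary-cache credentials (`binaryCachesPath`) and the `secretsJsonPath` that effects later read the cachix token from, so a header comment naming what each of the three secret files is expected to contain would help anyone auditing what an agent host can do. `concurrentTasks = lib.mkDefault 4` is undocumented; a short comment on why 4 is the baseline would be good.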
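Review bot: Two more caches are trusted system-wide here, but the public keys are inserted out of step with the substituter list (`hyprland.cachix.org-1` goes first, `hercules-ci.cachix.org-1` lands between `nix-community` and `nrabulinski`), which makes it hard to check that each substituter has exactly one matching key; keep both lists in the same order. Since every entry in `extra-trusted-public-keys` lets that cache supply store paths to every machine importing this module, a comment above the list stating where each key was copied from would make a later review possible without re-fetching them. hyprland.cachix.org is added although nothing else in this change references it; if that is intentional it deserves a word in a comment or the commit message.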