diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 96691791..a4bfa7fc 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -40,6 +40,7 @@ jobs:
 machines: ${{vars.MACHINES || env.default_machines}}
 package: ${{vars.PACKAGE || !contains(github.ref, 'refs/pull/')}}
 publish: ${{vars.PUBLISH || !contains(github.ref, 'refs/pull/')}}
+ build_nix: ${{vars.BUILD_NIX || !contains(github.ref, 'refs/pull/')}}
 build_pkgs: ${{vars.BUILD_PKGS || github.ref == 'refs/heads/main' || contains(github.ref, 'tags/v')}}
 check_pkgs: ${{vars.CHECK_PKGS || 'false'}}
 complement: ${{vars.COMPLEMENT || 'true'}}
@@ -168,6 +169,7 @@ jobs:
 needs: [init, lint]
 uses: ./.github/workflows/test.yml
 with:
+ build_nix: ${{fromJSON(needs.init.outputs.build_nix)}}
 rust_sdk_integration: ${{fromJSON(needs.init.outputs.rust_sdk_integration)}}
 complement: ${{fromJSON(needs.init.outputs.complement)}}
 complement_runner: ${{needs.init.outputs.complement_runner}}
@@ -223,6 +225,7 @@ jobs:
 release_url: ${{needs.init.outputs.release_url}}
 check_pkgs: ${{needs.init.outputs.check_pkgs}}
 build_pkgs: ${{needs.init.outputs.build_pkgs}}
+ build_nix: ${{fromJSON(needs.init.outputs.build_nix)}}
 cargo_profiles: ${{needs.init.outputs.cargo_profiles}}
 feat_sets: ${{needs.init.outputs.feat_sets}}
 rust_toolchains: ${{needs.init.outputs.rust_toolchains}}
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 330a9bf6..08574e2d 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -44,6 +44,9 @@ on:
 check_pkgs:
 type: string
 default: 'false'
+ build_nix:
+ type: string
+ default: 'true'
 jobs:
 book:
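Review bot: In the third main.yml hunk, `build_nix: ${{fromJSON(needs.init.outputs.build_nix)}}` passes a boolean into a call whose neighbours `check_pkgs` and `build_pkgs` are forwarded as raw strings. The package.yml hunk below it declares `build_nix` as `type: string`, and the second package.yml hunk later applies `fromJSON(inputs.build_nix)` to it. The job header is outside the hunk, but if this is the package.yml call, forward the output unchanged like its neighbours, `build_nix: ${{needs.init.outputs.build_nix}}`, so the value matches the declared type and is parsed only once. The test.yml call in the second hunk is consistent as written, since that workflow declares the input as `type: boolean`.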
@@ -144,6 +147,41 @@ jobs:
 }
 }
+ nix:
+ if: >
+ !failure() && !cancelled()
+ && contains(fromJSON(inputs.feat_sets), fromJSON('["all"]')[0])
+ && contains(fromJSON(inputs.cargo_profiles), fromJSON('["release"]')[0])
+ && contains(fromJSON(inputs.rust_toolchains), fromJSON('["stable"]')[0])
+ && fromJSON(inputs.build_pkgs)
+ && fromJSON(inputs.build_nix)
+ && false
+
+ name: NixOS Package
+ uses: ./.github/workflows/bake.yml
+ with:
+ bake_targets: '["nix"]'
+ cargo_profiles: '["release"]'
+ feat_sets: '["all"]'
+ rust_toolchains: '["stable"]'
+ sys_names: ${{inputs.sys_names}}
+ sys_versions: ${{inputs.sys_versions}}
+ rust_targets: ${{inputs.rust_targets}}
+ sys_targets: ${{inputs.sys_targets}}
+ machines: ${{inputs.machines}}
+ excludes: ${{inputs.excludes}}
+ includes: ${{inputs.includes}}
+ release_url: ${{inputs.release_url}}
+ artifact: >
+ {
+ "nix": {
+ "dst": "tuwunel.drv.tar.zst",
+ "src": "/opt/tuwunel/tuwunel.drv"
+ "mime": "application/zstd",
+ "zstd": 6,
+ },
+ }
+
 pkgs:
 if: >
 !failure() && !cancelled()
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9f29405a..bfb601a3 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -46,6 +46,9 @@ on:
 rust_sdk_integration:
 type: boolean
 default: true
+ build_nix:
+ type: boolean
+ default: true
 jobs:
 docs:
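Review bot: The `artifact` block of the new `nix` job in package.yml is missing the comma after `"src": "/opt/tuwunel/tuwunel.drv"`, so the object is malformed and would likely fail to parse once the job runs; the line should read `"src": "/opt/tuwunel/tuwunel.drv",`. How bake.yml parses `artifact` is not visible here, so its tolerance of the trailing commas on `"zstd": 6,` and `},` is assumed. The job's `if` also ends in `&& false`, which disables the job whatever `build_nix` and `build_pkgs` say, so CI never exercises the malformed block and the new `build_nix` input has no effect in this workflow. State the reason in a comment placed above `if:`, for example `# nix packaging disabled: <reason>; drop '&& false' when <condition>`. It must not go inside the folded `>` scalar, where a `#` line becomes part of the expression text.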
@@ -163,6 +166,30 @@ jobs:
 {"sys_target": "x86_64-v4-linux-gnu", "bake_target": "smoke-valgrind"},
 ]
+ nix:
+ if: >
+ !failure() && !cancelled()
+ && contains(fromJSON(inputs.cargo_profiles), fromJSON('["release"]')[0])
+ && contains(fromJSON(inputs.complement_feat_sets), fromJSON('["all"]')[0])
+ && contains(fromJSON(inputs.rust_toolchains), fromJSON('["stable"]')[0])
+ && contains(fromJSON(inputs.sys_targets), fromJSON('["x86_64-v1-linux-gnu"]')[0])
+ && fromJSON(inputs.build_nix)
+
+ name: Smoke NixOS
+ uses: ./.github/workflows/bake.yml
+ with:
+ bake_targets: '["smoke-nix"]'
+ cargo_profiles: '["release"]'
+ feat_sets: '["all"]'
+ rust_toolchains: '["stable"]'
+ sys_names: ${{inputs.sys_names}}
+ sys_versions: ${{inputs.sys_versions}}
+ rust_targets: ${{inputs.rust_targets}}
+ sys_targets: '["x86_64-v1-linux-gnu"]'
+ machines: ${{inputs.machines}}
+ excludes: ${{inputs.excludes}}
+ includes: ${{inputs.includes}}
+
 rust-sdk-integration:
 if: >
 !failure() && !cancelled()
diff --git a/docker/Dockerfile.nix b/docker/Dockerfile.nix
new file mode 100644
index 00000000..f9beb623
--- /dev/null
+++ b/docker/Dockerfile.nix
@@ -0,0 +1,87 @@
+# syntax = docker/dockerfile:1.11-labs
+
+FROM input AS nix-base
+ARG sys_name
+ARG sys_version
+ARG sys_target
+
+WORKDIR /
+COPY --link --from=input . .
+RUN \
+--mount=type=cache,dst=/nix,sharing=shared \
+--mount=type=cache,dst=/root/.cache/nix,sharing=shared \
+--mount=type=cache,dst=/root/.local/state/nix,sharing=shared \
+< nix-install
+ sh ./nix-install --daemon
+ rm nix-install
+EOF
+
+
+FROM nix-base AS build-nix
+ARG sys_name
+ARG sys_version
+ARG sys_target
+
+WORKDIR /usr/src/tuwunel
+COPY --link --from=source /usr/src/tuwunel .
+RUN \
+--mount=type=cache,dst=/nix,sharing=shared \
+--mount=type=cache,dst=/root/.cache/nix,sharing=shared \
+--mount=type=cache,dst=/root/.local/state/nix,sharing=shared \
+<
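Review bot: In the test.yml `nix` job, the `if` gates on `inputs.complement_feat_sets` containing `"all"`, but the job itself hard-codes `feat_sets: '["all"]'` and has nothing to do with Complement. The matching job in package.yml gates on `inputs.feat_sets`. This looks like a leftover from a copied Complement job; the result is that narrowing `complement_feat_sets` silently skips the Nix smoke test, while narrowing `feat_sets` does not. If test.yml has a `feat_sets` input (its inputs are mostly outside this hunk), the line should read `&& contains(fromJSON(inputs.feat_sets), fromJSON('["all"]')[0])`. If the coupling is deliberate, say so in a comment above `if:`.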