diff --git a/.github/workflows/nodes.yml b/.github/workflows/nodes.yml index 92486cdd..8b09d2d4 100644 --- a/.github/workflows/nodes.yml +++ b/.github/workflows/nodes.yml @@ -130,8 +130,8 @@ jobs: command: ci-build-cache quiet: false stdin: ${{ runner.temp }}/ci.build.cache - extern: - name: nodes-extern + extern-test: + name: nodes-extern-test runs-on: ubuntu-latest steps: - id: checkout @@ -146,7 +146,7 @@ jobs: name: nix test dirty uses: arcnmx/ci/actions/nix/run@v0.7 with: - attrs: ci.job.extern.run.test + attrs: ci.job.extern-test.run.test command: ci-build-dirty quiet: false stdout: ${{ runner.temp }}/ci.build.dirty @@ -154,7 +154,7 @@ jobs: name: nix test build uses: arcnmx/ci/actions/nix/run@v0.7 with: - attrs: ci.job.extern.run.test + attrs: ci.job.extern-test.run.test command: ci-build-realise ignore-exit-code: true quiet: false @@ -165,7 +165,7 @@ jobs: name: nix test results uses: arcnmx/ci/actions/nix/run@v0.7 with: - attrs: ci.job.extern.run.test + attrs: ci.job.extern-test.run.test command: ci-build-summarise quiet: false stdin: ${{ runner.temp }}/ci.build.dirty @@ -177,7 +177,7 @@ jobs: name: nix test cache uses: arcnmx/ci/actions/nix/run@v0.7 with: - attrs: ci.job.extern.run.test + attrs: ci.job.extern-test.run.test command: ci-build-cache quiet: false stdin: ${{ runner.temp }}/ci.build.cache 
@@ -283,6 +283,57 @@ jobs: command: ci-build-cache quiet: false stdin: ${{ runner.temp }}/ci.build.cache + kuwubernetes: + name: nodes-kuwubernetes + runs-on: ubuntu-latest + steps: + - id: checkout + name: git clone + uses: actions/checkout@v4 + with: + submodules: false + - id: nix-install + name: nix install + uses: arcnmx/ci/actions/nix/install@v0.7 + - id: ci-dirty + name: nix test dirty + uses: arcnmx/ci/actions/nix/run@v0.7 + with: + attrs: ci.job.kuwubernetes.run.test + command: ci-build-dirty + quiet: false + stdout: ${{ runner.temp }}/ci.build.dirty + - id: ci-test + name: nix test build + uses: arcnmx/ci/actions/nix/run@v0.7 + with: + attrs: ci.job.kuwubernetes.run.test + command: ci-build-realise + ignore-exit-code: true + quiet: false + stdin: ${{ runner.temp }}/ci.build.dirty + - env: + CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }} + id: ci-summary + name: nix test results + uses: arcnmx/ci/actions/nix/run@v0.7 + with: + attrs: ci.job.kuwubernetes.run.test + command: ci-build-summarise + quiet: false + stdin: ${{ runner.temp }}/ci.build.dirty + stdout: ${{ runner.temp }}/ci.build.cache + - env: + CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }} + id: ci-cache + if: always() + name: nix test cache + uses: arcnmx/ci/actions/nix/run@v0.7 + with: + attrs: ci.job.kuwubernetes.run.test + command: ci-build-cache + quiet: false + stdin: ${{ runner.temp }}/ci.build.cache litterbox: name: nodes-litterbox runs-on: ubuntu-latest diff --git a/ci/actions-test.sh b/ci/actions-test.sh index 4416f8f8..8a4d545a 100644 --- a/ci/actions-test.sh +++ b/ci/actions-test.sh @@ -10,6 +10,7 @@ fi NIX_BUILD_ARGS=( --show-trace ) +NIX_BUILD_ARGS_ASYNC=() init_nfargs() { nflinksuffix="$1" 
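Review bot: The `ci-cache` step of the added `kuwubernetes` job in .github/workflows/nodes.yml passes `secrets.CACHIX_SIGNING_KEY` to `arcnmx/ci/actions/nix/run@v0.7`, which is referenced by a movable tag, so whatever `v0.7` resolves to at run time receives the cache signing key. Pin the `arcnmx/ci` actions (and `actions/checkout@v4`) to a full commit SHA, e.g. `uses: arcnmx/ci/actions/nix/run@<full-commit-sha> # v0.7`. That step also runs under `if: always()` after a build step with `ignore-exit-code: true`, so it is worth confirming that only successfully realised paths are signed and pushed. The existing jobs in the context lines follow the same pattern; if this workflow is generated from ci/nodes.nix, the pin belongs in the generator configuration instead of the YAML.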
@@ -44,16 +45,31 @@ for nfsystem in "${NF_NIX_SYSTEMS[@]}"; do nfinstallable="${NF_CONFIG_ROOT}#nixosConfigurations.${nfsystem}.config.system.build.toplevel" init_nfargs "-$nfsystem" - if [[ -n ${NF_ACTIONS_TEST_ASYNC-} ]]; then - NIX_BUILD_ARGS+=("$nfinstallable") + nfwarn= + if [[ " ${NF_NIX_SYSTEMS_WARN[*]} " = *" $nfsystem "* ]]; then + nfwarn=1 + fi + + if [[ -n ${NF_ACTIONS_TEST_ASYNC-} && -z $nfwarn ]]; then + NIX_BUILD_ARGS_ASYNC+=("$nfinstallable") continue fi echo "building ${nfsystem}..." >&2 + echo >&2 + nfbuildexit=0 nix build "$nfinstallable" \ "${nfargs[@]}" \ - "$@" + "$@" || nfbuildexit=$? + + if [[ $nfbuildexit -ne 0 ]]; then + if [[ -n $nfwarn ]]; then + echo "build failure allowed for ${nfsystem}, ignoring..." >&2 + continue + fi + exit $nfbuildexit + fi nfgc done @@ -62,6 +78,7 @@ if [[ -n ${NF_ACTIONS_TEST_ASYNC-} ]]; then init_nfargs "" nix build \ "${nfargs[@]}" \ + "${NIX_BUILD_ARGS_ASYNC[@]}" \ "$@" nfgc diff --git a/ci/nix.nix b/ci/nix.nix index 391ad4c1..e7f3f5ef 100644 --- a/ci/nix.nix +++ b/ci/nix.nix @@ -4,16 +4,5 @@ "nodes.nix" "flake-cron.nix" ]; - nixosSystems = [ - "ct" - "hakurei" - "reimu" - "aya" - "utsuho" - "tei" - "litterbox" - "keycloak" - "mediabox" - ]; }; } diff --git a/ci/nodes.nix b/ci/nodes.nix index 50472031..abc4a7bb 100644 --- a/ci/nodes.nix +++ b/ci/nodes.nix 
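Review bot: The allowed-failure branch treats every non-zero exit of `nix build` alike and then drops `nfbuildexit`, so an evaluation error, a fetch failure or an interrupted run on a warn-listed system is reported with the same single stderr line as an expected build break, and the script still ends successfully. Keep the code in the message, `echo "build failure allowed for ${nfsystem} (exit ${nfbuildexit}), ignoring..." >&2`, and consider collecting the skipped names so they can be printed once after the loop. The `continue` in that branch also skips `nfgc`; if nfgc is what releases space between builds, call it before continuing. The `for` loop body continues outside the hunk.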
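Review bot: `"${NIX_BUILD_ARGS_ASYNC[@]}"` can expand to nothing in the async `nix build`: if every entry of `NF_NIX_SYSTEMS` is also in `NF_NIX_SYSTEMS_WARN`, or the list is empty, the array stays empty and the command runs with only `nfargs` and `"$@"`, which may make nix fall back to a default installable instead of building nothing. Wrap the `nix build`/`nfgc` pair in `if [[ ${#NIX_BUILD_ARGS_ASYNC[@]} -gt 0 ]]; then` … `fi`. The enclosing `if [[ -n ${NF_ACTIONS_TEST_ASYNC-} ]]` block starts and ends outside the hunk.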
@@ -24,15 +24,14 @@ with lib; { }; jobs = let - inherit ((import ./nix.nix).ci) nixosSystems; + enabledSystems = filterAttrs (_: system: system.config.ci.enable) channels.nixfiles.lib.systems; in - mapAttrs' (k: nameValuePair "${k}") (genAttrs nixosSystems (host: { - tasks.${host}.inputs = channels.nixfiles.nixosConfigurations.${host}.config.system.build.toplevel; - })) // { - extern = { - tasks.test.inputs = channels.nixfiles.nixosConfigurations.extern-test.config.system.build.toplevel; + mapAttrs' (name: system: nameValuePair "${name}" { + tasks.system = { + inputs = channels.nixfiles.nixosConfigurations.${name}.config.system.build.toplevel; + warn = system.config.ci.allowFailure; }; - }; + }) enabledSystems; ci.gh-actions.checkoutOptions.submodules = false; cache.cachix.arc = { diff --git a/modules/system/ci.nix b/modules/system/ci.nix new file mode 100644 index 00000000..17e0a074 --- /dev/null +++ b/modules/system/ci.nix @@ -0,0 +1,43 @@ +{ + name, + config, + lib, + inputs, + ... +}: let + inherit (inputs.self.lib.lib) domain; + inherit (lib.options) mkOption mkEnableOption; + inherit (lib.modules) mkIf mkOptionDefault; +in { + options.ci = with lib.types; { + enable = mkEnableOption "build via CI" // { + default = config.type == "NixOS"; + }; + allowFailure = mkOption { + type = bool; + default = false; + }; + }; + config = { + deploy = let + nixos = config.built; + in { + sshUser = mkOptionDefault "root"; + user = mkOptionDefault "root"; + sshOpts = mkIf (config.type == "NixOS") ( + mkOptionDefault ["-p" "${builtins.toString (builtins.head nixos.config.services.openssh.ports)}"] + ); + autoRollback = mkOptionDefault true; + magicRollback = mkOptionDefault true; + fastConnection = mkOptionDefault false; + hostname = mkOptionDefault "${name}.local.${domain}"; + profiles.system = { + user = "root"; + path = let + inherit (inputs.self.legacyPackages.${config.system}.deploy-rs) activate; + in + activate.nixos nixos; + }; + }; + }; +} 
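Review bot: `enabledSystems` in ci/nodes.nix filters only on `system.config.ci.enable`, but each task then indexes `channels.nixfiles.nixosConfigurations.${name}`. In modules/system/ci.nix `ci.enable` only defaults to `config.type == "NixOS"` and can be set to true on any system, in which case the missing attribute would abort evaluation of the whole job set. Filter on both conditions, `filterAttrs (_: system: system.config.ci.enable && system.config.type == "NixOS") channels.nixfiles.lib.systems`. `exportsSystems` in packages/default.nix uses the same single-condition filter to fill `NF_NIX_SYSTEMS`, which ci/actions-test.sh also resolves under `nixosConfigurations`. The attribute set holding `jobs` starts outside the hunk.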
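Review bot: The `config.deploy` block in the new modules/system/ci.nix is unrelated to the `ci` options the module declares, and it sets root SSH deployment defaults (`sshUser`, `user`, `profiles.system.user`, the sshd port lookup). It looks carried over from a deploy module, though that file is not part of this diff. If it is a copy, drop it here so those defaults live in one place and `profiles.system.path` is not declared twice; if it is intentional, the file name should reflect it. Separately, `allowFailure` has no `description`; something like `description = "Whether a failed CI build of this system is tolerated instead of failing the job.";` would state what the flag gives up.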
diff --git a/packages/default.nix b/packages/default.nix index c9c1edfd..7ed28dd7 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -20,6 +20,15 @@ NF_NIX_WHITELIST_DIRS=(${string.concatMapSep " " string.escapeShellArg fmt.nix.whitelistDirs}) NF_NIX_WHITELIST_FILES=(${string.concatMapSep " " string.escapeShellArg fmt.nix.whitelist}) ''; + exportsSystems = let + inherit (inputs.self.lib) systems; + nixosSystems = set.filter (_: system: system.config.ci.enable) systems; + warnSystems = set.filter (_: system: system.config.ci.allowFailure) nixosSystems; + toSystems = systems: string.concatMapSep " " string.escapeShellArg (set.keys systems); + in '' + NF_NIX_SYSTEMS=(${toSystems nixosSystems}) + NF_NIX_SYSTEMS_WARN=(${toSystems warnSystems}) + ''; output = { inherit (pkgs.buildPackages) @@ -72,7 +81,7 @@ ''; nf-actions-test = pkgs.writeShellScriptBin "nf-actions-test" '' ${exports} - NF_NIX_SYSTEMS=(${string.concatMapSep " " string.escapeShellArg ci.nixosSystems}) + ${exportsSystems} source ${../ci/actions-test.sh} ''; nf-update = pkgs.writeShellScriptBin "nf-update" '' diff --git a/systems/kuwubernetes/default.nix b/systems/kuwubernetes/default.nix index 8182fe80..f241e260 100644 --- a/systems/kuwubernetes/default.nix +++ b/systems/kuwubernetes/default.nix @@ -4,6 +4,7 @@ _: { modules = [ ./nixos.nix ]; + ci.allowFailure = true; proxmox = { vm = { id = 201; diff --git a/systems/litterbox/default.nix b/systems/litterbox/default.nix index cb8a7a98..b04a24ed 100644 --- a/systems/litterbox/default.nix +++ b/systems/litterbox/default.nix @@ -4,6 +4,7 @@ _: { ]; arch = "x86_64"; type = "NixOS"; + ci.allowFailure = true; modules = [ ./nixos.nix ]; diff --git a/systems/tewi/default.nix b/systems/tewi/default.nix index 4ce86c3b..78badeb0 100644 --- a/systems/tewi/default.nix +++ b/systems/tewi/default.nix @@ -1,6 +1,7 @@ _: { arch = "x86_64"; type = "NixOS"; + ci.enable = false; modules = [ ./nixos.nix ];
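Review bot: `ci.allowFailure = true;` in systems/kuwubernetes/default.nix carries no reason, and neither does the same line in systems/litterbox/default.nix or `ci.enable = false;` in systems/tewi/default.nix. Each of these flags takes a host out of enforced build verification, so it deserves a comment saying why it is set and when it can be removed, e.g. `# CI: <reason the build is expected to fail>; drop once <condition>`.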