diff --git a/flake.nix b/flake.nix
index f88949e..111aad3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -47,6 +47,52 @@
           ...
         }:
         {
+          checks = {
+            test-template-bad-readme =
+              pkgs.runCommand "test-bad-readme"
+                {
+                  buildInputs = [
+                    pkgs.nix
+                  ];
+                  __noChroot = true;
+                  NIX_CONFIG = "experimental-features = nix-command flakes";
+                }
+                ''
+                  mkdir -p $TMPDIR/home
+                  export HOME=$TMPDIR/home
+                  # cd $tmp
+                  nix flake init --template ${self}#default
+                  echo "bad _markdown*" > README.md
+                  if ! nix flake check; then
+                    touch $out
+                  else
+                    echo "Test failed: nix flake check succeeded unexpectedly"
+                    exit 1
+                  fi
+                '';
+            test-template-good-readme =
+              pkgs.runCommand "test-good-readme"
+                {
+                  buildInputs = [
+                    pkgs.nix
+                  ];
+                  __noChroot = true;
+                  NIX_CONFIG = "experimental-features = nix-command flakes";
+                }
+                ''
+                  mkdir -p $TMPDIR/home
+                  export HOME=$TMPDIR/home
+                  # cd $tmp
+                  nix flake init --template ${self}#default
+                  echo "good *markdown*" > README.md
+                  if nix flake check; then
+                    touch $out
+                  else
+                    echo "Test failed: nix flake check failed unexpectedly"
+                    exit 1
+                  fi
+                '';
+          };
           devShells.default = pkgs.mkShell {
             packages = [
               # keep-sorted start
diff --git a/templates/base/.github/workflows/ci.yml b/templates/base/.github/workflows/ci.yml
new file mode 100644
index 0000000..f4ff3fa
--- /dev/null
+++ b/templates/base/.github/workflows/ci.yml
@@ -0,0 +1,22 @@
+name: CI
+on:
+  pull_request:
+  workflow_dispatch:
+  push:
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+jobs:
+  DeterminateCI:
+    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main
+    permissions:
+      id-token: "write"
+      contents: "read"
+    with:
+      fail-fast: false
+  flake-checker:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check Nix flake Nixpkgs inputs
+        uses: DeterminateSystems/flake-checker-action@v9
diff --git a/templates/base/.github/workflows/nix_maintenance.yml b/templates/base/.github/workflows/nix_maintenance.yml
new file mode 100644
index 0000000..41a2484
--- /dev/null
+++ b/templates/base/.github/workflows/nix_maintenance.yml
@@ -0,0 +1,24 @@
+name: Maintenance
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * 0" # runs weekly on Sunday at 01:00
+jobs:
+  nix-maintenance:
+    name: Nix Maintenance
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+        with:
+          determinate: true
+      - uses: DeterminateSystems/flakehub-cache-action@main
+      - uses: DeterminateSystems/update-flake-lock@main
+        with:
+          pr-title: "Update flake.lock"
+          pr-labels: |
+            dependencies
+            automated
+      - uses: DeterminateSystems/flake-checker-action@main
+        with:
+          fail-mode: true