diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..bad35c0
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,60 @@
+name: CI
+
+on:
+ pull_request:
+ branches:
+ - main
+ - master
+
+jobs:
+ check-base:
+ if: github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Build base image
+ run: docker build ./images/base
+
+ check-nix:
+ if: github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Install Nix
+ uses: cachix/install-nix-action@v31
+ with:
+ extra_nix_config: |
+ experimental-features = nix-command flakes
+
+ - name: Cache Nix store
+ uses: actions/cache@v4
+ with:
+ path: |
+ /nix/store
+ ~/.cache/nix
+ key: nix-${{ runner.os }}-${{ hashFiles('images/nix/flake.lock') }}
+ restore-keys: |
+ nix-${{ runner.os }}-
+
+ - name: Generate flake.lock if missing
+ run: |
+ if [ ! -f images/nix/flake.lock ]; then
+ nix flake lock ./images/nix
+ fi
+
+ - name: Build nix image
+ run: nix build ./images/nix#dockerImage
+
+ check-devops:
+ if: github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Build devops image
+ run: docker build ./images/devops --build-arg BASE_IMAGE=ubuntu:noble
diff --git a/images/nix/flake.nix b/images/nix/flake.nix
index 34a85db..b2b0520 100644
--- a/images/nix/flake.nix
+++ b/images/nix/flake.nix
@@ -39,11 +39,6 @@ auth sufficient pam_rootok.so
 password requisite pam_unix.so nullok yescrypt
 session required pam_unix.so
 '')
- # Base sudoers file — required for sudo to run and load drop-ins
- (writeTextDir "etc/sudoers" ''
-root ALL=(ALL:ALL) ALL
-@includedir /etc/sudoers.d
- '')
 ];
 
 # Nix configuration with flakes enabled
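Review bot: The workflow declares no `permissions:` block, so all three jobs run with the repository's default `GITHUB_TOKEN` scope even though they only check out and build; a top-level `permissions: contents: read` would reduce that to the minimum needed. The actions are pinned to mutable major tags (`actions/checkout@v6`, `cachix/install-nix-action@v31`, `actions/cache@v4`), which a retagged or compromised release can silently replace — pin each `uses:` to a full commit SHA and keep the tag in a trailing comment (no SHAs are guessed here). The "Generate flake.lock if missing" step also undoes the pinning the lock exists for: when the file is absent, flake inputs are resolved at CI time from whatever the registry serves, and because the cache step has already run, `hashFiles('images/nix/flake.lock')` was computed against a missing file and the key degrades to the bare `restore-keys` prefix. I would fail the job when the lock is missing and build with `--no-update-lock-file`, as sketched below.
```yaml
name: CI

on:
  pull_request:
    branches:
      - main
      - master

# Build-only workflow: the job token needs nothing beyond read access.
permissions:
  contents: read

# … unchanged: check-base job, check-nix checkout/install/cache steps …

      - name: Require a committed flake.lock
        # A missing lock would make the build resolve inputs at CI time
        # (and the cache key above was already computed without it).
        run: |
          if [ ! -f images/nix/flake.lock ]; then
            echo "images/nix/flake.lock is missing; commit it so flake inputs are pinned" >&2
            exit 1
          fi

      - name: Build nix image
        run: nix build --no-update-lock-file ./images/nix#dockerImage

# … unchanged: check-devops job …
```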
@@ -211,10 +206,13 @@ eval "$(direnv hook bash)"
 # nixpkgs deliberately strips it from the Nix store; fakeroot
 # records the permission and tar --hard-dereference preserves
 # it in the Docker layer.
- chmod 4755 ./nix/store/*-sudo-*/bin/sudo
+ chmod 4755 ./bin/sudo
 
- # Ensure sudoers files have correct ownership and permissions
- # (sudo refuses to run if these are group/world writable)
+ # Replace the sudo package's default /etc/sudoers with our own.
+ # symlinkJoin keeps the sudo package's version (which may not
+ # include @includedir), so we overwrite it here.
+ rm -f ./etc/sudoers
+ printf '%s\n' 'root ALL=(ALL:ALL) ALL' '@includedir /etc/sudoers.d' > ./etc/sudoers
 chmod 0440 ./etc/sudoers
 chown 0:0 ./etc/sudoers
 chmod 0440 ./etc/sudoers.d/nopasswd
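Review bot: The drop-in `./etc/sudoers.d/nopasswd` only gets `chmod 0440`, while the freshly written `./etc/sudoers` gets both `chmod 0440` and `chown 0:0`; sudo skips (with a warning) any `sudoers.d` file that is not owned by uid 0, so unless fakeroot already attributes that file to root the drop-in is silently never loaded even though `@includedir` now points at it. I would add `chown 0:0 ./etc/sudoers.d/nopasswd` next to the existing chmod so the two files are treated alike. The commit also removes the only comment that said why the 0440/chown lines exist; keep that rationale above `chmod 0440 ./etc/sudoers`, e.g. `# sudo refuses sudoers files that are group/world writable or not root-owned`. The shell script this hunk edits continues outside the hunk on both sides.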