diff --git a/terraform/cache.tf b/terraform/cache.tf
index 7a804820..eae14cae 100644
--- a/terraform/cache.tf
+++ b/terraform/cache.tf
@@ -137,6 +137,12 @@ resource "fastly_service_vcl" "cache" {
   name        = local.cache_domain
   default_ttl = 86400
 
+  # https://registry.terraform.io/providers/fastly/fastly/latest/docs/resources/service_vcl#activation-and-staging
+  # activate should not be set to true when stage is also set to true. While this combination will not cause any harm to the service,
+  # there is no logical reason to both stage and activate every set of applied changes.
+  activate = false # set to true to deploy
+  stage    = true  # set to false to remove staging environment
+
   backend {
     address               = "s3.amazonaws.com"
     auto_loadbalance      = false
@@ -174,6 +180,13 @@ resource "fastly_service_vcl" "cache" {
     type      = "REQUEST"
   }
 
+  condition {
+    name      = "is-nar"
+    priority  = 10
+    statement = "beresp.status == 200 && req.url ~ \"^/nar/\" "
+    type      = "CACHE"
+  }
+
   domain {
     name = "cache.nixos.org"
   }
@@ -239,6 +252,12 @@ resource "fastly_service_vcl" "cache" {
     status          = 404
   }
 
+  cache_setting {
+    name            = "cache-nar"
+    cache_condition = "is-nar"
+    ttl             = 31557600 # the maximum. 1 year
+  }
+
   # Authenticate Fastly<->S3 requests. See Fastly documentation:
   # https://docs.fastly.com/en/guides/amazon-s3#using-an-amazon-s3-private-bucket
   snippet {