diff --git a/.github/workflows/build-nix-image.yml b/.github/workflows/build-nix-image.yml
new file mode 100644
index 0000000000..6554cf6c08
--- /dev/null
+++ b/.github/workflows/build-nix-image.yml
@@ -0,0 +1,101 @@
+name: Build Nix Docker image
+
+on:
+  push:
+    branches:
+      - develop
+    paths:
+      - ".github/workflows/build-nix-image.yml"
+      - "docker/nix.Dockerfile"
+      - "flake.nix"
+      - "flake.lock"
+      - "nix/**"
+  pull_request:
+    paths:
+      - ".github/workflows/build-nix-image.yml"
+      - "docker/nix.Dockerfile"
+      - "flake.nix"
+      - "flake.lock"
+      - "nix/**"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  UBUNTU_VERSION: "20.04"
+  RHEL_VERSION: "9"
+  DEBIAN_VERSION: "bookworm"
+
+jobs:
+  build:
+    name: Build and push Nix image (${{ matrix.distro }})
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        include:
+          - distro: nixos
+          - distro: ubuntu
+          - distro: rhel
+          - distro: debian
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Determine base image
+        id: vars
+        run: |
+          case "${{ matrix.distro }}" in
+            nixos)
+              echo "base_image=nixos/nix:latest" >> $GITHUB_OUTPUT
+              ;;
+            ubuntu)
+              echo "base_image=ubuntu:${UBUNTU_VERSION}" >> $GITHUB_OUTPUT
+              ;;
+            rhel)
+              echo "base_image=registry.access.redhat.com/ubi${RHEL_VERSION}/ubi:latest" >> $GITHUB_OUTPUT
+              ;;
+            debian)
+              echo "base_image=debian:${DEBIAN_VERSION}" >> $GITHUB_OUTPUT
+              ;;
+          esac
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Login to GitHub Container Registry
+        if: github.event_name == 'push'
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        with:
+          images: ghcr.io/xrplf/ci/nix-${{ matrix.distro }}
+          tags: |
+            type=sha,prefix=sha-,format=short
+            type=raw,value=latest
+
+      - name: Build and push
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        with:
+          context: .
+          file: docker/nix.Dockerfile
+          platforms: linux/amd64
+          push: ${{ github.event_name == 'push' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: BASE_IMAGE=${{ steps.vars.outputs.base_image }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1c0dc94550..1313ad567c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -70,7 +70,11 @@ repos:
     rev: a42085ade523f591dca134379a595e7859986445 # frozen: v9.7.0
     hooks:
       - id: cspell # Spell check changed files
-        exclude: (.config/cspell.config.yaml|^include/xrpl/protocol_autogen/(transactions|ledger_entries)/)
+        exclude: |
+          (?x)^(
+              .config/cspell.config.yaml|
+              include/xrpl/protocol_autogen/(transactions|ledger_entries)/.*
+          )$
       - id: cspell # Spell check the commit message
         name: check commit message spelling
         args:
diff --git a/cspell.config.yaml b/cspell.config.yaml
index 8b8589a8c9..34482d9d8f 100644
--- a/cspell.config.yaml
+++ b/cspell.config.yaml
@@ -63,6 +63,7 @@ words:
   - Bougalis
   - Britto
   - Btrfs
+  - Buildx
   - canonicality
   - changespq
   - checkme
diff --git a/docker/nix.Dockerfile b/docker/nix.Dockerfile
new file mode 100644
index 0000000000..52faa8b8dc
--- /dev/null
+++ b/docker/nix.Dockerfile
@@ -0,0 +1,66 @@
+ARG BASE_IMAGE=nixos/nix:latest
+
+# Nix builder
+FROM nixos/nix:latest AS builder-source
+
+RUN mkdir -p ~/.config/nix && \
+    echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+
+# Copy our source and setup our working dir.
+COPY nix/ci-env.nix /tmp/build/nix/ci-env.nix
+COPY nix/packages.nix /tmp/build/nix/packages.nix
+COPY nix/utils.nix /tmp/build/nix/utils.nix
+COPY flake.nix /tmp/build/
+COPY flake.lock /tmp/build/
+WORKDIR /tmp/build
+
+FROM builder-source AS builder
+
+# Build our Nix CI environment (all build tools in a single store path)
+RUN nix \
+    --option filter-syscalls false \
+    build
+
+# Copy the Nix store closure into a directory. The Nix store closure is the
+# entire set of Nix store values that we need for our build.
+RUN mkdir /tmp/nix-store-closure && \
+    cp -R $(nix-store -qR result/) /tmp/nix-store-closure
+
+# Final image
+FROM ${BASE_IMAGE}
+
+# bash is not located at /bin/bash in nixos/nix, so we need to create a symlink to it.
+RUN if [ -d /nix ]; then \
+        ln -s /root/.nix-profile/bin/bash /bin/bash; \
+    fi
+
+# Use Bash as the default shell for RUN commands, using the options
+# `set -o errexit -o pipefail`, and as the entrypoint.
+SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]
+ENTRYPOINT ["/bin/bash"]
+
+# Copy /nix/store and the env symlink tree
+COPY --from=builder /tmp/nix-store-closure /nix/store
+COPY --from=builder /tmp/build/result /nix/ci-env
+
+ENV PATH="/nix/ci-env/bin:$PATH"
+
+RUN <<EOF
+ccache --version
+clang-format --version
+cmake --version
+conan --version
+g++ --version
+gcc --version
+gcovr --version
+git --version
+make --version
+mold --version
+ninja --version
+perl --version
+pkg-config --version
+pre-commit --version
+python3 --version
+run-clang-tidy --help
+vim --version
+EOF
diff --git a/flake.lock b/flake.lock
index fd43f5b683..5ec053975d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1769461804,
-        "narHash": "sha256-6h5sROT/3CTHvzPy9koKBmoCa2eJKh4fzQK8eYFEgl8=",
+        "lastModified": 1777954456,
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b579d443b37c9c5373044201ea77604e37e748c8",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
         "type": "github"
       },
       "original": {
@@ -15,9 +15,27 @@
         "type": "indirect"
       }
     },
+    "nixpkgs-glibc231": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1593520194,
+        "narHash": "sha256-+TZW+2I7kLL9JglPNOagm1ywjf9ua0JYGoptq/dzVn0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "9cd98386a38891d1074fc18036b842dc4416f562",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "9cd98386a38891d1074fc18036b842dc4416f562",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-glibc231": "nixpkgs-glibc231"
       }
     }
   },
diff --git a/flake.nix b/flake.nix
index 4c500f1933..18671bdf31 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,15 +2,24 @@
   description = "Nix related things for xrpld";
   inputs = {
     nixpkgs.url = "nixpkgs/nixos-unstable";
+    # nixpkgs snapshot (2020-06-30) that shipped glibc 2.31 as the primary
+    # version — matches the system libc on Ubuntu 20.04 LTS. Imported
+    # manually (flake = false) because this revision predates nixpkgs'
+    # own flake.nix.
+    nixpkgs-glibc231 = {
+      url = "github:NixOS/nixpkgs/9cd98386a38891d1074fc18036b842dc4416f562";
+      flake = false;
+    };
   };
 
   outputs =
-    { nixpkgs, ... }:
+    { nixpkgs, nixpkgs-glibc231, ... }:
     let
-      forEachSystem = (import ./nix/utils.nix { inherit nixpkgs; }).forEachSystem;
+      forEachSystem = import ./nix/utils.nix { inherit nixpkgs nixpkgs-glibc231; };
     in
     {
       devShells = forEachSystem (import ./nix/devshell.nix);
+      packages = forEachSystem (import ./nix/ci-env.nix);
       formatter = forEachSystem ({ pkgs, ... }: pkgs.nixfmt);
     };
 }
diff --git a/nix/ci-env.nix b/nix/ci-env.nix
new file mode 100644
index 0000000000..d8021fe0bd
--- /dev/null
+++ b/nix/ci-env.nix
@@ -0,0 +1,54 @@
+{
+  pkgs,
+  glibc231,
+  ...
+}:
+let
+  inherit (import ./packages.nix { inherit pkgs; }) commonPackages;
+
+  # binutils wrapped to emit binaries that reference glibc 2.31 (dynamic
+  # linker path, library search path, RPATH).
+  binutils231 = pkgs.wrapBintoolsWith {
+    bintools = pkgs.binutils-unwrapped;
+    libc = glibc231;
+  };
+
+  # Rebuild gcc 15 (specifically libstdc++ / libgcc_s) against glibc 2.31.
+  # The override swaps gcc15.cc's bootstrap stdenv for one that uses the
+  # existing gcc 15 binary but links against glibc 2.31, so the resulting
+  # compiler ships runtime libraries that only reference symbols available
+  # in glibc 2.31.
+  gcc15CcWithGlibc231 = pkgs.gcc15.cc.override {
+    stdenv = pkgs.stdenvAdapters.overrideCC pkgs.stdenv (
+      pkgs.wrapCCWith {
+        cc = pkgs.gcc15.cc;
+        libc = glibc231;
+        bintools = binutils231;
+      }
+    );
+  };
+
+  # cc-wrapper around the rebuilt compiler, pointing at glibc 2.31 headers
+  # and libraries. This is what we actually expose to users.
+  gcc15WithGlibc231 = pkgs.wrapCCWith {
+    cc = gcc15CcWithGlibc231;
+    libc = glibc231;
+    bintools = binutils231;
+  };
+
+in
+{
+  default = pkgs.buildEnv {
+    name = "xrpld-ci-env";
+    paths = commonPackages ++ [
+      gcc15WithGlibc231
+      binutils231
+    ];
+    pathsToLink = [
+      "/bin"
+      "/lib"
+      "/include"
+      "/share"
+    ];
+  };
+}
diff --git a/nix/devshell.nix b/nix/devshell.nix
index 1d907f4d87..1bd7ea4c0c 100644
--- a/nix/devshell.nix
+++ b/nix/devshell.nix
@@ -1,19 +1,6 @@
 { pkgs, ... }:
 let
-  commonPackages = with pkgs; [
-    ccache
-    cmake
-    conan
-    gcovr
-    git
-    gnumake
-    llvmPackages_21.clang-tools
-    ninja
-    perl # needed for openssl
-    pkg-config
-    pre-commit
-    python314
-  ];
+  inherit (import ./packages.nix { inherit pkgs; }) commonPackages;
 
   # Supported compiler versions
   gccVersion = pkgs.lib.range 13 15;
diff --git a/nix/packages.nix b/nix/packages.nix
new file mode 100644
index 0000000000..edfe302ec9
--- /dev/null
+++ b/nix/packages.nix
@@ -0,0 +1,27 @@
+{ pkgs }:
+let
+  # In LLVM 22, run-clang-tidy.py moved from share/clang/ to bin/, so nixpkgs
+  # clang-tools no longer links it. Wrap it manually.
+  runClangTidy = pkgs.writeShellScriptBin "run-clang-tidy" ''
+    exec ${pkgs.python3}/bin/python3 ${pkgs.llvmPackages_22.clang-unwrapped}/bin/run-clang-tidy "$@"
+  '';
+in
+{
+  commonPackages = with pkgs; [
+    ccache
+    cmake
+    conan
+    gcovr
+    git
+    gnumake
+    llvmPackages_22.clang-tools
+    mold
+    ninja
+    perl # needed for openssl
+    pkg-config
+    pre-commit
+    python3
+    runClangTidy
+    vim
+  ];
+}
diff --git a/nix/utils.nix b/nix/utils.nix
index 821d60a6f6..07ff169c44 100644
--- a/nix/utils.nix
+++ b/nix/utils.nix
@@ -1,19 +1,21 @@
-{ nixpkgs }:
-{
-  forEachSystem =
-    function:
-    nixpkgs.lib.genAttrs
-      [
-        "x86_64-linux"
-        "aarch64-linux"
-        "x86_64-darwin"
-        "aarch64-darwin"
-      ]
-      (
-        system:
-        function {
-          inherit system;
-          pkgs = import nixpkgs { inherit system; };
-        }
-      );
-}
+{ nixpkgs, nixpkgs-glibc231 }:
+function:
+nixpkgs.lib.genAttrs
+  [
+    "x86_64-linux"
+    "aarch64-linux"
+    "x86_64-darwin"
+    "aarch64-darwin"
+  ]
+  (
+    system:
+    function {
+      pkgs = import nixpkgs { inherit system; };
+      # glibc 2.31 — matches the system libc on Ubuntu 20.04 LTS. Sourced
+      # from the nixpkgs snapshot pinned via the `nixpkgs-glibc231` flake
+      # input, so the build uses the compiler from that snapshot
+      # (gcc 9.3.0) along with the matching patches, configure flags, and
+      # hardening defaults.
+      glibc231 = (import nixpkgs-glibc231 { inherit system; }).glibc;
+    }
+  )