diff --git a/CHANGELOG.md b/CHANGELOG.md
index ffbf6c6..933ce9e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,16 @@ Changes yet to be released are documented here.
+## v0.3.0
+
+- Stop setting `nix.settings.netrc-file` from the Home Manager module
+- Document `netrc_path` in `config.toml` as the path operators should wire into their daemon configuration
+- Add a module evaluation check to prevent the Home Manager module from reintroducing `nix.settings.netrc-file`
+
+These changes are made to support both cppnix and detsysnix. The latter has [special requirements][additionalnetrcsources] around the `netrc` files.
+
+[additionalnetrcsources]: https://docs.determinate.systems/determinate-nix/#additionalnetrcsources
+
 ## v0.2.1
 - Fix netrc parsing for one-line entries such as `machine ... login ... password ...`
diff --git a/README.md b/README.md
index e25a567..1cde215 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,14 @@ netrc_path = "$XDG_CONFIG_HOME/nix/netrc"
 Path values support environment variable expansion (`$VAR` and `${VAR}`).
+`netrc_path` is the path this tool writes tokens to.
+
+Configure Nix to read that same path.
+
+This supports both cppnix and detsysnix. The latter has [special
+requirements][additionalnetrcsources] around `netrc` files, so set
+`additionalNetrcSources` to include the configured `netrc_path`.
+
 ## Usage
 ```bash
@@ -78,6 +86,15 @@ Config path resolution order:
 The NixOS server module exports `NIX_CACHE_LOGIN_CONFIG` and installs `/etc/nix-cache-login/config.toml` from `services.nix-cache-login-server.configFile`.
+## Module Integration
+
+The Home Manager and NixOS modules in this repo install the package and refresh
+services.
+
+Nix and detsysnix daemon configuration stays outside these modules.
+
+Set your daemon to read the `netrc_path` configured in `config.toml`.
+
 ## Maintenance
 This tool is actively maintained by [Guardian Project](https://guardianproject.info).
@@ -92,6 +109,7 @@ For security-related issues, please contact us through our [security policy][sec
 [issues]: https://guardianproject.dev/ops/nix-cache-login/issues
 [sec]: https://guardianproject.info/contact/
+[additionalnetrcsources]: https://docs.determinate.systems/determinate-nix/#additionalnetrcsources
 ## License
diff --git a/flake.nix b/flake.nix
index 48fe69d..fa1bf83 100644
--- a/flake.nix
+++ b/flake.nix
@@ -36,6 +36,7 @@
 '';
 doCheck = true;
 });
+ module-checks = import ./module-checks.nix { inherit self pkgs; };
 devShell = self.devShells.${pkgs.stdenv.hostPlatform.system}.default;
 } // pkgs.lib.optionalAttrs pkgs.stdenv.isLinux {
diff --git a/home-module.nix b/home-module.nix
index 572366e..90e80ab 100644
--- a/home-module.nix
+++ b/home-module.nix
@@ -26,7 +26,6 @@ in
 };
 config = lib.mkIf cfg.enable {
- nix.settings.netrc-file = "${config.xdg.configHome}/nix/netrc";
 home.packages = [ cfg.package ];
 systemd.user.services.nix-cache-login = {
 Unit.Description = "Nix cache login - refresh access token";
diff --git a/module-checks.nix b/module-checks.nix
new file mode 100644
index 0000000..1fc13d9
--- /dev/null
+++ b/module-checks.nix
@@ -0,0 +1,65 @@
+{ self, pkgs }:
+let
+ lib = pkgs.lib;
+ fakePackage = pkgs.runCommand "nix-cache-login-fake-package" { } ''
+ mkdir -p "$out/bin"
+ touch "$out/bin/nix-cache-login"
+ chmod +x "$out/bin/nix-cache-login"
+ '';
+
+ hmStubModule =
+ { lib, ... }:
+ {
+ options = {
+ home.packages = lib.mkOption {
+ type = lib.types.listOf lib.types.package;
+ default = [ ];
+ };
+ home.homeDirectory = lib.mkOption {
+ type = lib.types.str;
+ default = "/home/tester";
+ };
+ xdg.configHome = lib.mkOption {
+ type = lib.types.str;
+ default = "/home/tester/.config";
+ };
+ nix.settings = lib.mkOption {
+ type = lib.types.attrsOf lib.types.anything;
+ default = { };
+ };
+ systemd.user.services = lib.mkOption {
+ type = lib.types.attrsOf lib.types.anything;
+ default = { };
+ };
+ systemd.user.timers = lib.mkOption {
+ type = lib.types.attrsOf lib.types.anything;
+ default = { };
+ };
+ launchd.agents = lib.mkOption {
+ type = lib.types.attrsOf lib.types.anything;
+ default = { };
+ };
+ };
+ };
+
+ evalHome =
+ extraConfig:
+ lib.evalModules {
+ modules = [
+ hmStubModule
+ ./home-module.nix
+ {
+ services.nix-cache-login.enable = true;
+ services.nix-cache-login.package = fakePackage;
+ }
+ extraConfig
+ ];
+ };
+
+ homeDefault = evalHome { };
+in
+pkgs.runCommand "nix-cache-login-module-checks" { } ''
+ test ${lib.escapeShellArg (builtins.toJSON (builtins.hasAttr "netrc-file" homeDefault.config.nix.settings))} = ${lib.escapeShellArg "false"}
+ test ${lib.escapeShellArg homeDefault.config.systemd.user.services.nix-cache-login.Service.ExecStart} = ${lib.escapeShellArg "${fakePackage}/bin/nix-cache-login refresh"}
+ touch "$out"
+''
diff --git a/package.nix b/package.nix
index 3187805..8b13d54 100644
--- a/package.nix
+++ b/package.nix
@@ -6,7 +6,7 @@ buildGoModule {
 pname = "nix-cache-login";
- version = "0.2.1";
+ version = "0.3.0";
 src = ./.;
 # src = fetchgit {
 # url = "https://guardianproject.dev/ops/nix-cache-login.git";
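Review bot: In module-checks.nix, both `test` lines in the final `runCommand` script fail with a bare non-zero exit and no message, so a regression that puts `netrc-file` back under `nix.settings` would appear as an unexplained build failure. Append a diagnostic to each, for example `|| { echo "home module must not set nix.settings.netrc-file" >&2; exit 1; }`, so the log names the guarantee that broke. The guard is also evaluated only as `evalHome { }`, so the `extraConfig` parameter is never exercised, and it checks the single key `netrc-file` on the Home Manager module only. A short header comment would make that scope explicit: it should say that `hmStubModule` has to declare every option `home-module.nix` defines, and that the credential file path is deliberately left to the operator's daemon configuration.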