diff --git a/nix/hosts/cc-ci/configuration.nix b/nix/hosts/cc-ci/configuration.nix
index ce3dea1..31dc38c 100644
--- a/nix/hosts/cc-ci/configuration.nix
+++ b/nix/hosts/cc-ci/configuration.nix
@@ -21,6 +21,12 @@
     ../../modules/nightly-sweep.nix
   ];
 
+  # --- Timezone: create /etc/localtime. Some recipes bind-mount the host's /etc/localtime into
+  # their containers (e.g. immich); without a set timezone NixOS leaves /etc/localtime absent, so
+  # that bind fails ("bind source path does not exist: /etc/localtime") and the service is rejected.
+  # UTC is the right default for a CI host (deterministic timestamps). ---
+  time.timeZone = "UTC";
+
   # --- Tailscale (ACCESS-CRITICAL: do not break, this is the only route in) ---
   # Baseline read the hostname from /etc/ts-hostname at eval time; that is impure
   # under flakes, so we pin the known hostname. The reusable auth-key file persists.