From a76a7969d9c8751c85a0ba0475bcb0ba990e978a Mon Sep 17 00:00:00 2001
From: Simon Gardling <titaniumtown@proton.me>
Date: Mon, 6 Apr 2026 14:21:31 -0400
Subject: [PATCH] nix-cache

---
 configuration.nix             |   2 ++
 modules/age-secrets.nix       |  16 ++++++++++++++++
 secrets/harmonia-sign-key.age | Bin 0 -> 351 bytes
 secrets/nix-cache-auth.age    | Bin 0 -> 324 bytes
 service-configs.nix           |   4 ++++
 services/harmonia.nix         |  24 ++++++++++++++++++++++++
 6 files changed, 46 insertions(+)
 create mode 100644 secrets/harmonia-sign-key.age
 create mode 100644 secrets/nix-cache-auth.age
 create mode 100644 services/harmonia.nix

diff --git a/configuration.nix b/configuration.nix
index b3a0346..d2bbb2c 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -69,6 +69,8 @@
     ./services/ntfy
 
     ./services/mollysocket.nix
+
+    ./services/harmonia.nix
   ];
 
   # Hosts entries for CI/CD deploy targets
diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix
index 63c612d..26d0ee4 100644
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -167,5 +167,21 @@
       owner = "root";
       group = "root";
     };
+
+    # Harmonia binary cache signing key
+    harmonia-sign-key = {
+      file = ../secrets/harmonia-sign-key.age;
+      mode = "0400";
+      owner = "harmonia";
+      group = "harmonia";
+    };
+
+    # Caddy basic auth for nix binary cache (separate from main caddy_auth)
+    nix-cache-auth = {
+      file = ../secrets/nix-cache-auth.age;
+      mode = "0400";
+      owner = "caddy";
+      group = "caddy";
+    };
   };
 }
diff --git a/secrets/harmonia-sign-key.age b/secrets/harmonia-sign-key.age
new file mode 100644
index 0000000000000000000000000000000000000000..07ea34b29e4897618b7049fbdc8dd2810a2f22e1
GIT binary patch
literal 351
zcmZQ@_Y83kiVO&0sFb-m<=ds!lR+HC9#YL-%exF`oP01T;_s&SyHt}}(-kNCxPAH)
zxI8*kX+E#Xw1{;@^+NA28=PUPv)FdxdJx}6d7Y1<CQWaqE>&8>Fq4nr-?6*L!fr90
z$nRM%cacl##)OV!gR{&f;ri_blA+mCpI+`XwY#zP)QiPDO#5G^|Gm5a`i&f07K^72
z9vq*JUvQ8pR$bh)>9D2YJC;jI=l{5O?cKiO-h>qnPE0fHE*uCsy0$|~Zc@v|i%O5S
zPPwwtvgErz$E<&j%`%R&KX@ecUgTr3wpgo^UZ7uj)+mcDWUadDTtUVdhuYwMN9Gm9
zMKMO5cl~p=@|ORUsmIPu4$iE2zVn*b;?yg<ey>wyW-r!0zS{bR*7IHKcNn!D+B@M;
z?yjGoF00&gcNXwdcAvZLZqADZQ~SMKk5p7&O*&hVsO7L->TIWIR`7w(sng}l{<I~r
NEle_d=y;*@DFE;Ete5}*

literal 0
HcmV?d00001

diff --git a/secrets/nix-cache-auth.age b/secrets/nix-cache-auth.age
new file mode 100644
index 0000000000000000000000000000000000000000..10b7a7ace142b0a5ca57ed174d0dbaff6b5f8f14
GIT binary patch
literal 324
zcmZQ@_Y83kiVO&0=n`IjeZ{rotFPM6Zfo9rS9yEaE&DSwyMAt|c<#D2EWXRha=Y>Q
zJ8d%6@|m;WG;8LFY}UOmX}BpW&9msz27c9BTy~W&TC{qkS(EZVR_MrggqA<BT<rTY
z({#>_Z@WSY?(>yZ<~*)_m+brK%!LP6u0ERcvcxjm%=#v)k%gq7H;cpD^ji_9ja&Z8
zA7I&*-XeSPy^A*cEafiog6J8n1?TQ1UuUuneDh(!Bd15a<>xjTgsaU<x34aGXY<93
z_1c5z1P-h7!i`6F2&Qvi-e#y*CK~A?TvGH+VqW*su!H=W)1!TT+<tf|&(d%>&KG@S
zQf$n-b+@%*oBd<MqXlFw(o{Xqh3au`eDbJZ@9mobDTbE+ZO$#0RNoddS2|UAs$t5{
iQ-%Mzmn}~X+$N`TU(L~<Me+NhKU-Tq{@&4YAsPUAznI|w

literal 0
HcmV?d00001

diff --git a/service-configs.nix b/service-configs.nix
index 1a98996..24d8429 100644
--- a/service-configs.nix
+++ b/service-configs.nix
@@ -189,6 +189,10 @@ rec {
         port = 9563;
         proto = "tcp";
       };
+      harmonia = {
+        port = 5500;
+        proto = "tcp";
+      };
     };
   };
 
diff --git a/services/harmonia.nix b/services/harmonia.nix
new file mode 100644
index 0000000..002735e
--- /dev/null
+++ b/services/harmonia.nix
@@ -0,0 +1,24 @@
+{
+  config,
+  lib,
+  service_configs,
+  ...
+}:
+{
+  imports = [
+    (lib.serviceFilePerms "harmonia" [
+      "Z /run/agenix/harmonia-sign-key 0400 harmonia harmonia"
+    ])
+  ];
+
+  services.harmonia = {
+    enable = true;
+    signKeyPaths = [ config.age.secrets.harmonia-sign-key.path ];
+    settings.bind = "127.0.0.1:${toString service_configs.ports.private.harmonia.port}";
+  };
+
+  services.caddy.virtualHosts."nix-cache.${service_configs.https.domain}".extraConfig = ''
+    import ${config.age.secrets.nix-cache-auth.path}
+    reverse_proxy :${toString service_configs.ports.private.harmonia.port}
+  '';
+}