nix-cache

configuration.nix

@@ -69,6 +69,8 @@
     ./services/ntfy
 
     ./services/mollysocket.nix
+
+    ./services/harmonia.nix
   ];
 
   # Hosts entries for CI/CD deploy targets

modules/age-secrets.nix

@@ -167,5 +167,21 @@
       owner = "root";
       group = "root";
     };
+
+    # Harmonia binary cache signing key
+    harmonia-sign-key = {
+      file = ../secrets/harmonia-sign-key.age;
+      mode = "0400";
+      owner = "harmonia";
+      group = "harmonia";
+    };
+
+    # Caddy basic auth for nix binary cache (separate from main caddy_auth)
+    nix-cache-auth = {
+      file = ../secrets/nix-cache-auth.age;
+      mode = "0400";
+      owner = "caddy";
+      group = "caddy";
+    };
   };
 }

service-configs.nix

@@ -189,6 +189,10 @@ rec {
         port = 9563;
         proto = "tcp";
       };
+      harmonia = {
+        port = 5500;
+        proto = "tcp";
+      };
     };
   };
 

services/harmonia.nix

@@ -0,0 +1,24 @@
+{
+  config,
+  lib,
+  service_configs,
+  ...
+}:
+{
+  imports = [
+    (lib.serviceFilePerms "harmonia" [
+      "Z /run/agenix/harmonia-sign-key 0400 harmonia harmonia"
+    ])
+  ];
+
+  services.harmonia = {
+    enable = true;
+    signKeyPaths = [ config.age.secrets.harmonia-sign-key.path ];
+    settings.bind = "127.0.0.1:${toString service_configs.ports.private.harmonia.port}";
+  };
+
+  services.caddy.virtualHosts."nix-cache.${service_configs.https.domain}".extraConfig = ''
+    import ${config.age.secrets.nix-cache-auth.path}
+    reverse_proxy :${toString service_configs.ports.private.harmonia.port}
+  '';
+}