Diffstat (limited to 'modules')
-rw-r--r--modules/binary-cache.nix48
1 files changed, 48 insertions, 0 deletions
diff --git a/modules/binary-cache.nix b/modules/binary-cache.nix
new file mode 100644
index 0000000..d0e0a72
--- /dev/null
+++ b/modules/binary-cache.nix
@@ -0,0 +1,48 @@
+# the public key for the current iteration of this cache is:
+# cache.rnrd.eu-1:6Q2MPTZ6ycAzWcc0VzXR+pKRlJ+6kfdQfj6iRsN5s1I=
+
+{ config, unstablePkgs, ... }:
+
+let
+  inherit (config.age) secrets;
+
+  cachePort = 3138;
+in
+{
+  age.secrets.binary-cache-key = {
+    file = ../secrets/binary-cache-key.age;
+  };
+
+  services = {
+    harmonia = {
+      enable = true;
+      # 24.11 does not include built-in zstd compression for harmonia yet.
+      package = unstablePkgs.harmonia;
+      signKeyPaths = [ secrets.binary-cache-key.path ];
+
+      settings = {
+        bind = "127.0.0.1:${toString cachePort}";
+        workers = 6;
+      };
+    };
+
+    nginx.virtualHosts."cache.rnrd.eu" = {
+      useACMEHost = "rnrd.eu";
+      forceSSL = true;
+
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cachePort}";
+        # i'm not sure whether harmonia actually does anything
+        # with websockets, but their example includes nginx settings
+        # that can be toggled on with this setting.
+        # see: https://github.com/nix-community/harmonia#configuration-for-public-binary-cache-on-nixos
+        proxyWebsockets = true;
+      };
+
+      extraConfig = ''
+        proxy_redirect http:// https://;
+        access_log /var/log/nginx/cache.access.log json_combined;
+      '';
+    };
+  };
+}
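Review bot: The `cache.rnrd.eu` virtual host proxies harmonia to the internet with no `allow`/`deny` rules or authentication, and harmonia serves the host's whole /nix/store, so any store path on this machine can be fetched by anyone who knows its hash. If that is intended, say so next to `locations."/"`, e.g. `# public on purpose: every path in this host's store is world-readable, so secrets must stay out of the store (agenix only)`. Separately, `access_log /var/log/nginx/cache.access.log json_combined;` depends on a `log_format json_combined` that this file does not declare. Presumably it is defined in the shared nginx http-level config; if not, nginx will reject the configuration, so a short comment naming where it lives would help.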