From ea98b5d508d40f06e42fb905d6c26e39b9e0d498 Mon Sep 17 00:00:00 2001
From: Mel
Date: Fri, 14 Feb 2025 01:21:56 +0100
Subject: Serve a binary cache (harmonia) on renard
Signed-off-by: Mel
---
machines/renard/default.nix | 3 ++-
modules/binary-cache.nix | 48 +++++++++++++++++++++++++++++++++++++++++++
secrets/binary-cache-key.age | Bin 0 -> 647 bytes
secrets/secrets.nix | 4 ++++
4 files changed, 54 insertions(+), 1 deletion(-)
create mode 100644 modules/binary-cache.nix
create mode 100644 secrets/binary-cache-key.age
diff --git a/machines/renard/default.nix b/machines/renard/default.nix
index 0188340..f56c2f5 100644
--- a/machines/renard/default.nix
+++ b/machines/renard/default.nix
@@ -8,6 +8,7 @@ ./devices.nix ../../modules/www + ../../modules/binary-cache.nix ../../modules/git.nix ../../modules/syncthing.nix
@@ -26,7 +27,7 @@ }) machines; }; - services = [ "base" "tailnet" "git" "mel" "shorest" ]; + services = [ "base" "tailnet" "cache" "git" "mel" "shorest" ]; }; services.nginx.virtualHosts = {
diff --git a/modules/binary-cache.nix b/modules/binary-cache.nix
new file mode 100644
index 0000000..d0e0a72
--- /dev/null
+++ b/modules/binary-cache.nix
@@ -0,0 +1,48 @@
+# the public key for the current iteration of this cache is:
+# cache.rnrd.eu-1:6Q2MPTZ6ycAzWcc0VzXR+pKRlJ+6kfdQfj6iRsN5s1I=
+
+{ config, unstablePkgs, ... }:
+
+let
+ inherit (config.age) secrets;
+
+ cachePort = 3138;
+in
+{
+ age.secrets.binary-cache-key = {
+ file = ../secrets/binary-cache-key.age;
+ };
+
+ services = {
+ harmonia = {
+ enable = true;
+ # 24.11 does not include built-in zstd compression for harmonia yet.
+ package = unstablePkgs.harmonia;
+ signKeyPaths = [ secrets.binary-cache-key.path ];
+
+ settings = {
+ bind = "127.0.0.1:${toString cachePort}";
+ workers = 6;
+ };
+ };
+
+ nginx.virtualHosts."cache.rnrd.eu" = {
+ useACMEHost = "rnrd.eu";
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cachePort}";
+ # i'm not sure whether harmonia actually does anything
+ # with websockets, but their example includes nginx settings
+ # that can be toggled on with this setting.
+ # see: https://github.com/nix-community/harmonia#configuration-for-public-binary-cache-on-nixos
+ proxyWebsockets = true;
+ };
+
+ extraConfig = ''
+ proxy_redirect http:// https://;
+ access_log /var/log/nginx/cache.access.log json_combined;
+ '';
+ };
+ };
+}
diff --git a/secrets/binary-cache-key.age b/secrets/binary-cache-key.age
new file mode 100644
index 0000000..f14c399
Binary files /dev/null and b/secrets/binary-cache-key.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 8571672..1b768d4 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -5,6 +5,10 @@ let inherit (keys.system) renard lapin corsac; in { + "binary-cache-key.age".publicKeys = [ + renard + ] ++ allAdmins; + "cloudflare-dns.age".publicKeys = allSystems ++ allAdmins; + "pds-secrets.age".publicKeys = [
-- 
cgit 1.4.1
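Review bot: The `cache.rnrd.eu` vhost exposes harmonia to the Internet with no access control, and harmonia serves every path in renard's /nix/store, so the safety of this module rests entirely on nothing sensitive ever being built into the store on this host; agenix keeps the signing key itself out of the store, but that guarantee does not extend to any other secret a derivation might read in. I would record that constraint at the top of the file, next to the public-key comment: `# NOTE: harmonia serves every path in this host's /nix/store to anyone who can reach cache.rnrd.eu; never let secrets land in the store here (keep them in agenix).` The `json_combined` format used in `access_log` is presumably declared by a shared nginx `log_format` elsewhere in the config — worth confirming, since nginx rejects its configuration if the format is unknown.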