Commit b597134d7477

Vincent Demeester <vincent@sbr.pm>
2026-01-13 16:14:41
feat(harmonia): add binary cache servers on aomi and aion
- Enable Harmonia binary cache server on aomi (x86_64-linux)
- Enable Harmonia binary cache server on aion (aarch64-linux)
- Configure agenix secrets for signing keys
- Add local cache substituters to all systems
- Configure trusted public keys for both caches

This provides native binary caches for both architectures on the local network, reducing build times and external bandwidth usage.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
1 parent 07b9668
Changed files (3)
systems/aion/extra.nix
@@ -44,6 +44,7 @@ in
     ../common/services/prometheus-exporters-node.nix
     ../../modules/audible-sync
     ../../modules/music-playlist-dl
+    ../../modules/harmonia
   ];
 
   users.users.vincent.linger = true;
@@ -77,9 +78,24 @@ in
       owner = "vincent";
       group = "users";
     };
+    "harmonia-aion-signing-key" = {
+      file = ../../secrets/harmonia/aion-signing-key.age;
+      mode = "440";
+      owner = "root";
+      group = "root";
+    };
   };
 
   services = {
+    # Binary cache server (aarch64-linux)
+    harmonia-cache = {
+      enable = true;
+      signKeyPath = config.age.secrets."harmonia-aion-signing-key".path;
+      port = 5000;
+      workers = 4;
+      priority = 30;
+    };
+
     wireguard = {
       enable = true;
       ips = libx.wg-ips globals.machines.aion.net.vpn.ips;
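Review bot: The signing-key secret `"harmonia-aion-signing-key"` is declared with `mode = "440"` and `group = "root"`, so the group-read bit grants nothing beyond the owner and the key could be tightened to `mode = "0400"`. Whether root-only ownership works depends on how `../../modules/harmonia` hands `signKeyPath` to the daemon, which this hunk does not show. If the unit runs as an unprivileged user without a credential-loading step, it presumably cannot read the file, and the secret should be owned by that service user instead. A comment on the secret stating who reads it (for example `# read by root, passed to harmonia as a systemd credential`, if that is what the module does) would record the intent. The same applies to `harmonia-aomi-signing-key` in systems/aomi/extra.nix, and the enclosing `services` set continues outside the hunk.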
systems/aomi/extra.nix
@@ -33,6 +33,9 @@
     ../../modules/job-notify
     ../../modules/nixpkgs-consolidate
     ../../modules/microshift
+
+    # Binary cache
+    ../../modules/harmonia
   ];
 
   # Firewall is enabled in openshift-port-forward.nix
@@ -53,10 +56,25 @@
     owner = "root";
     group = "users";
   };
+  age.secrets."harmonia-aomi-signing-key" = {
+    file = ../../secrets/harmonia/aomi-signing-key.age;
+    mode = "440";
+    owner = "root";
+    group = "root";
+  };
 
   # TODO make it an option ? (otherwise I'll add it for all)
   users.users.vincent.linger = true;
 
+  # Binary cache server (x86_64-linux)
+  services.harmonia-cache = {
+    enable = true;
+    signKeyPath = config.age.secrets."harmonia-aomi-signing-key".path;
+    port = 5000;
+    workers = 4;
+    priority = 30;
+  };
+
   # Remote build system
   services.job-notify = {
     enable = true;
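Review bot: Nothing in this hunk shows where port 5000 is opened, although the context comment says the firewall on this host is enabled in openshift-port-forward.nix. If `../../modules/harmonia` opens the port itself, confirm it does so only on the LAN/VPN interface rather than on every interface, since the configuration here sets no access control on the cache. A comment next to `port = 5000;` such as `# reachable from the home LAN only, opened in modules/harmonia` would make the intended exposure explicit. The `services.job-notify` set continues outside the hunk.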
systems/default.nix
@@ -91,6 +91,9 @@
         "https://vdemeester.cachix.org"
         "https://chapeau-rouge.cachix.org"
         "https://nixos-raspberrypi.cachix.org"
+        # Local Harmonia binary caches
+        "http://aomi.home:5000" # x86_64-linux
+        "http://aion.home:5000" # aarch64-linux
       ];
       trusted-public-keys = [
         "r-ryantm.cachix.org-1:gkUbLkouDAyvBdpBX0JOdIiD2/DP1ldF3Z3Y6Gqcc4c="
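Review bot: The two local substituters are added as plain `http://` URLs, so integrity rests entirely on the narinfo signatures checked against the `cache.aomi.home-1` and `cache.aion.home-1` keys added in the next hunk. The transport itself is neither authenticated nor confidential. Because this list lives in systems/default.nix, it presumably also applies to machines that leave the home network, where `.home` names are resolved by whatever DNS the network provides and the requested store paths are visible on the wire. Nix accepts a trusted public key for paths from any substituter, so these two signing keys become as powerful as the cachix keys on every host. Consider limiting the entries to hosts on the LAN/VPN or serving them over TLS, and add a comment such as `# plain HTTP: relies on signature verification, LAN only`.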
@@ -98,6 +101,9 @@
         "chapeau-rouge.cachix.org-1:r34IG766Ez4Eeanr7Zx+egzXLE2Zgvc+XRspYZPDAn8="
         "vdemeester.cachix.org-1:eZWNOrLR9A9szeMahn9ENaoT9DB3WgOos8va+d2CU44="
         "nixos-raspberrypi.cachix.org-1:4iMO9LXa8BqhU+Rpg6LQKiGa2lsNh/j2oiYLNOQ5sPI="
+        # Local Harmonia cache public keys
+        "cache.aomi.home-1:QjLpxXo2XgJoZRGd/u6tSoJoKmrndesKcwd5gR6sBuY="
+        "cache.aion.home-1:VIbchtAJWf8+T46viAsLaQYDhG9KUGVo+vWxH1Tlz94="
       ];
     };