From fbb581105b2d7ce653014e9f2612e3229acb980c Mon Sep 17 00:00:00 2001 From: Lucien Cartier-Tilet Date: Fri, 1 May 2026 15:23:17 +0200 Subject: [PATCH] feat(nix): add marpa as binary cache for Nix --- flake.nix | 2 +- .../marpa/{configuration.nix => default.nix} | 15 +++++--- secrets/secrets.yaml | 8 +++-- system/default.nix | 12 +++---- system/services/default.nix | 1 + system/services/harmonia.nix | 36 +++++++++++++++++++ 6 files changed, 60 insertions(+), 14 deletions(-) rename hosts/marpa/{configuration.nix => default.nix} (91%) create mode 100644 system/services/harmonia.nix diff --git a/flake.nix b/flake.nix index 3d288e7..4b6d352 100644 --- a/flake.nix +++ b/flake.nix @@ -165,7 +165,7 @@ }; marpa = nixpkgs.lib.nixosSystem { inherit specialArgs; - modules = withSystemModules ./hosts/marpa/configuration.nix; + modules = withSystemModules ./hosts/marpa; }; NaroMk3 = nixpkgs.lib.nixosSystem { inherit specialArgs; diff --git a/hosts/marpa/configuration.nix b/hosts/marpa/default.nix similarity index 91% rename from hosts/marpa/configuration.nix rename to hosts/marpa/default.nix index ae81c27..c3e6282 100644 --- a/hosts/marpa/configuration.nix +++ b/hosts/marpa/default.nix @@ -107,6 +107,10 @@ programs.steam.enable = true; services = { fwupd.enable = true; + harmonia = { + enable = true; + signKeyPaths = [config.sops.secrets."marpa/nix-cache-priv-key".path]; + }; languagetool.enable = true; printing.enable = true; ssh.enable = true; @@ -124,10 +128,13 @@ }; }; - sops.secrets.extraHosts = { - inherit (config.users.users.root) group; - owner = config.users.users.phundrak.name; - mode = "0440"; + sops.secrets = { + "marpa/nix-cache-priv-key" = {}; + extraHosts = { + inherit (config.users.users.root) group; + owner = config.users.users.phundrak.name; + mode = "0440"; + }; }; services.udev.extraHwdb = '' diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index fa11fbf..27be4cf 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
@@ -6,6 +6,8 @@ elcafe: traefik: env: ENC[AES256_GCM,data:HUdWGYoEPp2v8dnDuVsl7YmPxuBfHmXzGrvKWeiqPlmAwMqVZrZ1j8on/7QKvYDJoTJ40XY2qNynSA==,iv:Vgc/fZERnNp7hSMeRd9EgB3IenKAFTAhwC0bk8CX4DE=,tag:SdfhOST/o29Lt1zRdXXRyQ==,type:str] dynamic: ENC[AES256_GCM,data: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,iv:3G3geSZRziwGiKcUMVNZ7j5s/4YA6Uk7wCSb4aFNSMo=,tag:FxARskR9+wdV7/xCKP8UdA==,type:str] +marpa: + nix-cache-priv-key: ENC[AES256_GCM,data:H5VsN0nOogvgxWHXHF66BbzJe17zelZCG6mU4vmVJqBoi7a5cQxzU7WnV4k1EOpMJPDj6floVmrsG4DM86FthxcTwixCNDINmaemwAXQnUkgWXFKYY7Ovzten81UVKrtkN4n1S8=,iv:pxnHD5YqyTeNZnxyEJeXAUixZEz8Uq9b2HFZZBsMOzk=,tag:xI+4tFG+Q4Z5IVxlATayJA==,type:str] extraHosts: ENC[AES256_GCM,data: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,iv:5A3jCWLkooCkuOMiybbeQ9+TRA7CoiW3qbzmJLVarSc=,tag:qLsGhrFHs65Vesj4Ot4I/g==,type:str] mopidy: spotify: ENC[AES256_GCM,data:6i9BzQmlndnROuT1H2zgN/3I6hBiFf14BlcS+XL2PbTiiEQZe2yE3tnZo3KXU9S5CjS3MwxsVdytKOFMQt2s1bVjcibBhJzoKEQByaapdzn1mK3kQLdJfhPf4Hf9YZV9Dlc60ngS7ESLZakdFVlj4rlbV5XReLhK,iv:fYd78r4U0kTyq1TZjBVXkjdNiOQ29gLJ53kwTXsi8W0=,tag:oWaeOuzdHWS4joZAdeA2pg==,type:str] 
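Review bot: The new `marpa/nix-cache-priv-key` entry places the cache signing key in `secrets/secrets.yaml`, which also carries entries for other services, so every recipient of that file can decrypt it, not only marpa. This is the private half of the `marpa-local:` key that `system/default.nix` adds to `trusted-public-keys`, so whoever holds it can sign store paths that the hosts importing that file will accept. The recipient list is outside this hunk. If it includes machines other than marpa, consider keeping the key in a file encrypted to marpa alone and pointing the declaration in `hosts/marpa/default.nix` at it, e.g. `"marpa/nix-cache-priv-key" = { sopsFile = <marpa-only secrets file>; };`.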
@@ -105,7 +107,7 @@ sops: dUpXZis2N2VyN0ZFbjlPRXdwRFQ1aHMKm1Mk6MPKxFmwdATCYUANRSY5rHKgmQer LBlqqWKt1JiIUAYtazQeQ6KYxmjVlQPY7AZw2t+EhBEPrqbTL3vOiw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-07T17:19:05Z" - mac: ENC[AES256_GCM,data:hT4mPKLcIuAFmllJBYFXL5sGyMn95mYEv+eGVA+KQYm629YKSncgvn5g8elau/8HXR1O/bwQlkGmGr8VPeR/0KRb6TPCA4MrCwox38fy3ZLx2e0movVi/xIgKXIo5wYUq4Qm/pSo715limxGChxUxKtdEK/lmMkSnxyGmlkQtwM=,iv:XoOfhdK/CK6shUXhH4h14gtyqZqcqmTV6/R2jkynFr8=,tag:q3V0xcWQxjFi2drk5fLJoQ==,type:str] + lastmodified: "2026-05-01T13:20:34Z" + mac: ENC[AES256_GCM,data:OueL0eHYmFKWfSyCZxburRJ2FS1xkowx7ha/Zv7r++26D85GSHDeIL9HdfByI5a1OhH90rH3WLxZrJgT3FiwBw27HhhHtS7Fs6MBFvTuPmSA7ZtMeGMWBRVjwbGAWN17BZAhJzMlZHq2nPX0xXIKT0HuTLVRPLuVCSlvDzMXsTE=,iv:+JN4Vzs8o8PJAam/uKBbUXt3ArxC88D6xR7rMeeGglg=,tag:S+OtbxLhVKFnqBZtyKDGyA==,type:str] unencrypted_suffix: _unencrypted - version: 3.11.0 + version: 3.12.2 diff --git a/system/default.nix b/system/default.nix index 00917ee..69ddaa5 100644 --- a/system/default.nix +++ b/system/default.nix @@ -47,16 +47,16 @@ in { nix.settings = { substituters = [ - "https://nix-community.cachix.org?priority=10" - "https://devenv.cachix.org?priority=20" - "https://phundrak.cachix.org?priority=30" + "http://marpa:5000?priority=5" + "https://phundrak.cachix.org?priority=10" + "https://nix-community.cachix.org?priority=20" "https://cache.nixos.org?priority=40" ]; trusted-public-keys = [ - "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw=" + "marpa-local:XoO+dFN4PeauF52pYuy3Vh4Sdtl2qIdxu5aUasWKv6Q=" "phundrak.cachix.org-1:osJAkYO0ioTOPqaQCIXMfIRz1/+YYlVFkup3R2KSexk=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; http-connections = 128; experimental-features = [ 
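Review bot: The first substituter, `"http://marpa:5000?priority=5"`, is fetched over plain HTTP from a name-resolved host at the highest priority, so the `marpa-local:` signature check is the only thing protecting clients from whatever answers on that name. It is worth a comment in the list, such as `# plain HTTP on the LAN: integrity rests on the marpa-local signature, keep require-sigs at its default`, and a `connect-timeout = 5;` next to `http-connections` so hosts away from marpa's network do not stall on each lookup. The hunk also drops `devenv.cachix.org` and its key, which the commit subject does not mention; confirm that is intended. The `nix.settings` block continues past the end of the hunk.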
diff --git a/system/services/default.nix b/system/services/default.nix index a94772e..fda7ce2 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -3,6 +3,7 @@ ./calibre.nix ./endlessh.nix ./fwupd.nix + ./harmonia.nix ./jellyfin.nix ./languagetool.nix ./plex.nix diff --git a/system/services/harmonia.nix b/system/services/harmonia.nix new file mode 100644 index 0000000..1ffc26e --- /dev/null +++ b/system/services/harmonia.nix @@ -0,0 +1,36 @@ +{ + config, + lib, + ... +}: +with lib; let + cfg = config.mySystem.services.harmonia; +in { + options.mySystem.services.harmonia = { + enable = mkEnableOption "Harmonia Nix binary cache server"; + port = mkOption { + type = types.port; + default = 5000; + description = "Port to listen on"; + }; + priority = mkOption { + type = types.ints.between 0 100; + default = 50; + description = "Cache priority (lower = higher priority, 0-100)"; + }; + signKeyPaths = mkOption { + type = types.listOf types.path; + description = "Paths to the signing keys to use for signing the cache."; + }; + }; + config = mkIf cfg.enable { + services.harmonia.cache = { + enable = true; + inherit (cfg) signKeyPaths; + settings = { + inherit (cfg) priority; + bind = "[::]:${toString cfg.port}"; + }; + }; + }; +}
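Review bot: `bind = "[::]:${toString cfg.port}"` in the new `system/services/harmonia.nix` listens on every interface, and the module neither opens nor restricts the port, so who can reach the cache is decided entirely by firewall configuration that is not shown here. A binary cache hands out the contents of the host's Nix store to any client that can connect, so exposure should be an explicit, per-host choice. An `openFirewall` option defaulting to false, as sketched below, makes that choice visible. The `signKeyPaths` description could also say that the files hold private signing keys and must not live in the store.

```nix
# … unchanged: enable, port, priority and signKeyPaths options …
    openFirewall = mkOption {
      type = types.bool;
      default = false;
      description = "Open the cache port in the host firewall.";
    };
# … unchanged: services.harmonia.cache block …
    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.port];
```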