feat: add harmonia cache server

features/harmonia/cache-builder.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -uo pipefail
+
+build() {
+	local name="$1" ref="$2" link="$3"
+	echo "building $name..." >&2
+	if nix build "$ref" --out-link "$link"; then
+		return 0
+	else
+		echo "FAILED: $name" >&2
+		return 1
+	fi
+}
+
+main() {
+	mkdir -p "$GC_ROOT_DIR"
+	local failed=0
+
+	for host in $HOSTS; do
+		build "$host" \
+			"$FLAKE_REF#nixosConfigurations.$host.config.system.build.toplevel" \
+			"$GC_ROOT_DIR/$host" || failed=1
+	done
+
+	build "ephvm-image" \
+		"$FLAKE_REF#nixosConfigurations.ephvm.config.system.build.images.qemu" \
+		"$GC_ROOT_DIR/ephvm-image" || failed=1
+
+	return $failed
+}
+
+main "$@"

features/harmonia/default.nix

@@ -0,0 +1,51 @@
+{
+  nixos =
+    {
+      pkgs,
+      config,
+      inputs,
+      ...
+    }:
+    let
+      hosts = [
+        "fw16"
+        "tower"
+        "cube"
+        "floo"
+        "ephvm"
+      ];
+      flakeRef = inputs.self.outPath;
+    in
+    {
+      services.harmonia = {
+        enable = true;
+        signKeyPaths = [ config.sops.secrets.nix-signing-key.path ];
+      };
+
+      networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 5000 ];
+
+      systemd.services.cache-builder = {
+        description = "Build all host closures for binary cache";
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = "${pkgs.bash}/bin/bash ${./cache-builder.sh}";
+        };
+        environment = {
+          FLAKE_REF = flakeRef;
+          HOSTS = builtins.concatStringsSep " " hosts;
+          GC_ROOT_DIR = "/nix/var/nix/gcroots/cache-builder";
+        };
+        path = [ config.nix.package ];
+      };
+
+      systemd.timers.cache-builder = {
+        description = "Periodically build all host closures";
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnUnitActiveSec = "15min";
+          OnBootSec = "5min";
+          Persistent = true;
+        };
+      };
+    };
+}