matej.nix/features/harmonia/default.nix

{
  nixos =
    {
      config,
      lib,
      pkgs,
      inputs,
      ...
    }:
    let
      cfg = config.features.harmonia;
      hosts = [
        "fw16"
        "tower"
        "cube"
        "floo"
        "ephvm"
      ];
      flakeRef = inputs.self.outPath;
    in
    {
      options.features.harmonia.enable = lib.mkEnableOption "harmonia";

      config = lib.mkIf cfg.enable {
        services.harmonia.cache = {
          enable = true;
          signKeyPaths = [ config.sops.secrets.nix-signing-key.path ];
        };

        networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 5000 ];

        systemd.services.cache-builder = {
          description = "Build all host closures for binary cache";
          serviceConfig = {
            Type = "oneshot";
            ExecStart = "${pkgs.bash}/bin/bash ${./cache-builder.sh}";
          };
          environment = {
            FLAKE_REF = flakeRef;
            HOSTS = builtins.concatStringsSep " " hosts;
            GC_ROOT_DIR = "/nix/var/nix/gcroots/cache-builder";
          };
          path = [ config.nix.package ];
        };

        # restart cache-builder after every nixos switch (non-blocking)
        system.activationScripts.cache-builder = lib.stringAfter [ "specialfs" ] ''
          ${config.systemd.package}/bin/systemctl restart --no-block cache-builder.service || true
        '';
      };
    };
}