diff --git a/ops/dns/main.tf b/ops/dns/main.tf
index 263c8f033..a1aeb944d 100644
--- a/ops/dns/main.tf
+++ b/ops/dns/main.tf
@@ -66,6 +66,7 @@ locals {
 public01_services = [
 "auth",
 "bolt",
+ "cache",
 "git",
 "status"
 ]
diff --git a/ops/machines/build01/default.nix b/ops/machines/build01/default.nix
index 151286782..b2f5083be 100644
--- a/ops/machines/build01/default.nix
+++ b/ops/machines/build01/default.nix
@@ -7,6 +7,7 @@ in
 imports = [
 (mod "o11y/agent.nix")
 (mod "snix-buildkite.nix")
+ (mod "harmonia.nix")
 (mod "known-hosts.nix")
 (depot.third_party.agenix.src + "/modules/age.nix")
@@ -62,7 +63,15 @@ in
 ];
 };
- firewall.allowPing = true;
+ nftables.enable = true;
+ firewall = {
+ extraInputRules = ''
+ # Allow public01 to access Harmonia
+ ip6 saddr { 2a01:4f8:c013:3e62::1 } tcp dport { 5000 } accept
+ ip saddr { 49.13.70.233 } tcp dport { 5000 } accept
+ '';
+ allowPing = true;
+ };
 };
 age.secrets =
diff --git a/ops/machines/public01/default.nix b/ops/machines/public01/default.nix
index 0e720e8e1..d93407a36 100644
--- a/ops/machines/public01/default.nix
+++ b/ops/machines/public01/default.nix
@@ -19,6 +19,7 @@ in
 (mod "www/status.snix.dev.nix")
 (mod "www/auth.snix.dev.nix")
 (mod "www/git.snix.dev.nix")
+ (mod "www/cache.snix.dev.nix")
 (mod "known-hosts.nix")
 (depot.third_party.agenix.src + "/modules/age.nix")
diff --git a/ops/modules/harmonia.nix b/ops/modules/harmonia.nix
new file mode 100644
index 000000000..b989d9437
--- /dev/null
+++ b/ops/modules/harmonia.nix
@@ -0,0 +1,13 @@
+{ config, depot, ... }:
+
+{
+ age.secrets.binary-cache-key.file = depot.ops.secrets."binary-cache-key.age";
+
+ services.harmonia = {
+ enable = true;
+ signKeyPaths = [ config.age.secrets.binary-cache-key.path ];
+ # Set priority to be slightly lower than cache.nixos.org.
+ # This makes it so we only substitute from our binary cache stuff that's not in cache.nixos.org.
+ settings.priority = 41;
+ };
+}
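Review bot: The two `saddr` literals in `extraInputRules` are the only link between this rule and public01, and nothing in the hunk derives them from public01's own configuration, so an address change on public01 silently breaks substitution while a reassigned address would keep access to port 5000. Both addresses lie outside the private/ULA ranges, so this allowlist is what keeps Harmonia off the public internet, and nothing in the new harmonia.nix restricts its listen address. Consider taking the addresses from wherever the repo already defines public01 (the DNS Terraform or a shared machine attrset) instead of literals, or at least record the source in the rule comment: `# Allow public01 to access Harmonia; addresses must match <PUBLIC01 ADDRESS SOURCE>`. The attribute set these rules belong to opens before the hunk.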
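Review bot: `signKeyPaths` points at the agenix secret's default path, and the hunk sets no `owner`, `group` or `mode` on `age.secrets.binary-cache-key`, so whether the harmonia service can actually read the decrypted key depends on how the NixOS module hands the file to the service (a systemd credential versus a direct read as the service user) — worth confirming on build01 before relying on signed narinfos, and setting `age.secrets.binary-cache-key.owner` if a direct read is what happens. The public half of this key is the trust anchor every consumer must add to `trusted-public-keys`, yet it is recorded nowhere in the commit; a comment next to `signKeyPaths`, `# Public key (add to trusted-public-keys): <BINARY-CACHE PUBLIC KEY>`, lets users verify the cache and lets a future rotation be spotted in review. Harmonia also serves whatever is in build01's store, so anything CI writes into a derivation output becomes fetchable by hash through cache.snix.dev; a one-line header comment stating that this module publishes the whole store would make the exposure explicit.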
diff --git a/ops/modules/www/cache.snix.dev.nix b/ops/modules/www/cache.snix.dev.nix
new file mode 100644
index 000000000..582c48187
--- /dev/null
+++ b/ops/modules/www/cache.snix.dev.nix
@@ -0,0 +1,11 @@
+{
+ imports = [
+ ./base.nix
+ ];
+
+ services.nginx.virtualHosts."cache.snix.dev" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://build01.infra.snix.dev:5000";
+ };
+}
diff --git a/ops/secrets/binary-cache-key.age b/ops/secrets/binary-cache-key.age
new file mode 100644
index 000000000..08de1c672
--- /dev/null
+++ b/ops/secrets/binary-cache-key.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1 +-> ssh-ed25519 +qVung Mvt2H8HIVtTny0FNpY48dTvrirjZQLiiItGYbvSDF2k +QYXrPFDrbTcsPsYckMywPHxBcz9U9jmeHtxp2fhlvvE +-> X25519 1WNt+6Y232vmWR+KCxbmbQxR7S/jRnNINlt80gnWZm4 +PSfiLR5P8JagitE6TTe0TPzo7jO8XSDP5GzVem3aJJc +-> ssh-ed25519 C2zWnA KtVQ9FrDPb5aWIItjqvpEGxyXxPZtzkzI2H1XNXNzys +lu47Bcf/uneALQWuYUX5UCDARP8fXuuj35Hvnmf1+uI +-> ssh-ed25519 3T2Xig a8idcHw+7sG21f0WSDXytts+jHHM+HXybibC0e2NT1o +DpTiMH2MGk1dilzWjBds326euAch5WZkiPRriY0jCzE +--- dvNTh+2a+fsg0/WE12tJ5uHRAwcyMJSHLVO4jBqUh3U +&Pdg8 5 W݈yz6$wZA }5[OUҬz mX=>\|Mv}x% eSq`4h7.Df\Sz|%[['U? \ No newline at end of file
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index 6876825aa..f01267c43 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -45,6 +45,8 @@ in
 "grafana-oauth-secret.age" = public01Default;
+
+ "binary-cache-key.age" = build01Default;
 "buildkite-agent-token.age" = build01Default;
 "buildkite-ssh-private-key.age" = build01Default;
 "buildkite-besadii-config.age" = ciDefault;
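Review bot: `proxyPass` sends cache.snix.dev requests to `http://build01.infra.snix.dev:5000` in plain HTTP, so the TLS that `forceSSL` gives clients ends at public01, and public01's allowlisted source addresses in ops/machines/build01/default.nix are public-range, so that hop is unlikely to stay on a private network while carrying narinfo and NAR data. Integrity then rests on consumers verifying the cache signature against the key configured in ops/modules/harmonia.nix, which nothing on the nginx side can enforce. If an encrypted path between the two hosts exists (private network, tunnel), `proxyPass` should use it; otherwise a comment such as `# Upstream hop is plain HTTP; integrity relies on narinfo signatures (ops/modules/harmonia.nix).` should record the reliance. Note also that nginx resolves a hostname in a static `proxyPass` once at configuration load, so an address change for build01 needs a reload here in addition to the allowlist update on the other side.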