feat(ops): Deploy harmonia on cache.snix.dev

Deploys Harmonia on build01, proxied through public01. We cannot serve from build01 directly because it only supports IPv6. Closes: https://git.snix.dev/snix/snix/issues/66 Change-Id: Iff3c16366d60c0fbfd1315a18c27fcd636a0261a Reviewed-on: https://cl.snix.dev/c/snix/+/30274 Reviewed-by: Florian Klink <flokli@flokli.de> Tested-by: besadii Autosubmit: Ilan Joselevich <personal@ilanjoselevich.com> Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-03-24 18:21:41 +00:00 · 2025-03-24 18:21:41 +00:00 · 5551d0ea5e
commit 5551d0ea5e
parent 6f9c54bbd1
7 changed files with 49 additions and 1 deletions
--- a/ops/machines/build01/default.nix
+++ b/ops/machines/build01/default.nix
@ -7,6 +7,7 @@ in
  imports = [
    (mod "o11y/agent.nix")
    (mod "snix-buildkite.nix")
+    (mod "harmonia.nix")
    (mod "known-hosts.nix")

    (depot.third_party.agenix.src + "/modules/age.nix")
@ -62,7 +63,15 @@ in
      ];
    };

-    firewall.allowPing = true;
+    nftables.enable = true;
+    firewall = {
+      extraInputRules = ''
+        # Allow public01 to access Harmonia
+        ip6 saddr { 2a01:4f8:c013:3e62::1 } tcp dport { 5000 } accept
+        ip saddr { 49.13.70.233 } tcp dport { 5000 } accept
+      '';
+      allowPing = true;
+    };
  };

  age.secrets =