feat(ops): Deploy harmonia on cache.snix.dev

Deploys Harmonia on build01, proxied through public01. We cannot serve from build01 directly because it only supports IPv6. Closes: https://git.snix.dev/snix/snix/issues/66 Change-Id: Iff3c16366d60c0fbfd1315a18c27fcd636a0261a Reviewed-on: https://cl.snix.dev/c/snix/+/30274 Reviewed-by: Florian Klink <flokli@flokli.de> Tested-by: besadii Autosubmit: Ilan Joselevich <personal@ilanjoselevich.com> Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-03-24 18:21:41 +00:00 · 2025-03-24 18:21:41 +00:00 · 5551d0ea5e
commit 5551d0ea5e
parent 6f9c54bbd1
7 changed files with 49 additions and 1 deletions
--- a/ops/dns/main.tf
+++ b/ops/dns/main.tf
@ -66,6 +66,7 @@ locals {
  public01_services = [
    "auth",
    "bolt",
+    "cache",
    "git",
    "status"
  ]
--- a/ops/machines/build01/default.nix
+++ b/ops/machines/build01/default.nix
@ -7,6 +7,7 @@ in
  imports = [
    (mod "o11y/agent.nix")
    (mod "snix-buildkite.nix")
+    (mod "harmonia.nix")
    (mod "known-hosts.nix")

    (depot.third_party.agenix.src + "/modules/age.nix")
@ -62,7 +63,15 @@ in
      ];
    };

-    firewall.allowPing = true;
+    nftables.enable = true;
+    firewall = {
+      extraInputRules = ''
+        # Allow public01 to access Harmonia
+        ip6 saddr { 2a01:4f8:c013:3e62::1 } tcp dport { 5000 } accept
+        ip saddr { 49.13.70.233 } tcp dport { 5000 } accept
+      '';
+      allowPing = true;
+    };
  };

  age.secrets =
--- a/ops/machines/public01/default.nix
+++ b/ops/machines/public01/default.nix
@ -19,6 +19,7 @@ in
    (mod "www/status.snix.dev.nix")
    (mod "www/auth.snix.dev.nix")
    (mod "www/git.snix.dev.nix")
+    (mod "www/cache.snix.dev.nix")
    (mod "known-hosts.nix")

    (depot.third_party.agenix.src + "/modules/age.nix")
--- a/ops/modules/harmonia.nix
+++ b/ops/modules/harmonia.nix
@ -0,0 +1,13 @@
+{ config, depot, ... }:
+
+{
+  age.secrets.binary-cache-key.file = depot.ops.secrets."binary-cache-key.age";
+
+  services.harmonia = {
+    enable = true;
+    signKeyPaths = [ config.age.secrets.binary-cache-key.path ];
+    # Set priority to be slightly lower than cache.nixos.org.
+    # This makes it so we only substitute from our binary cache stuff that's not in cache.nixos.org.
+    settings.priority = 41;
+  };
+}
--- a/ops/modules/www/cache.snix.dev.nix
+++ b/ops/modules/www/cache.snix.dev.nix
@ -0,0 +1,11 @@
+{
+  imports = [
+    ./base.nix
+  ];
+
+  services.nginx.virtualHosts."cache.snix.dev" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass = "http://build01.infra.snix.dev:5000";
+  };
+}
--- a/ops/secrets/binary-cache-key.age
+++ b/ops/secrets/binary-cache-key.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 +qVung Mvt2H8HIVtTny0FNpY48dTvrirjZQLiiItGYbvSDF2k
+QYXrPFDrbTcsPsYckMywPHxBcz9U9jmeHtxp2fhlvvE
+-> X25519 1WNt+6Y232vmWR+KCxbmbQxR7S/jRnNINlt80gnWZm4
+PSfiLR5P8JagitE6TTe0TPzo7jO8XSDP5GzVem3aJJc
+-> ssh-ed25519 C2zWnA KtVQ9FrDPb5aWIItjqvpEGxyXxPZtzkzI2H1XNXNzys
+lu47Bcf/uneALQWuYUX5UCDARP8fXuuj35Hvnmf1+uI
+-> ssh-ed25519 3T2Xig a8idcHw+7sG21f0WSDXytts+jHHM+HXybibC0e2NT1o
+DpTiMH2MGk1dilzWjBds326euAch5WZkiPRriY0jCzE
+--- dvNTh+2a+fsg0/WE12tJ5uHRAwcyMJSHLVO4jBqUh3U
+&›P°dg8	É5
WÎïÝˆyƒz¹£6á$w—ž¹ÿü¬çžÇZ<18>ºùA Á˜ïý¿}ÿ5ž[OµãU‘Ò¬zÂô<C382>Èm<C388>ÎæX=ç>\|M±Ÿv}Àý„ƒ°x°Á%±û eÀ¢Sqó²`¥<>ü¢¿É4h7.DêùfÍ\Sz|%½Þ÷Â[[›'U?û
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@ -45,6 +45,8 @@ in

  "grafana-oauth-secret.age" = public01Default;

+
+  "binary-cache-key.age" = build01Default;
  "buildkite-agent-token.age" = build01Default;
  "buildkite-ssh-private-key.age" = build01Default;
  "buildkite-besadii-config.age" = ciDefault;