From 7610a9c0e128fdbaeacd7f8901ec6a8306324e74 Mon Sep 17 00:00:00 2001
From: dust <john@ogle.fyi>
Date: Mon, 9 Feb 2026 08:10:17 -0800
Subject: [PATCH] feat(john-endesktop): add harmonia binary cache service

Replace broken k8s harmonia deployment with native NixOS service.

Configuration:
- services.harmonia.enable = true
- Bind to [::]:5000 (IPv4 and IPv6)
- Sign key at /etc/harmonia/signing-key.private
- Open firewall port 5000

The signing key must be placed manually on john-endesktop at
/etc/harmonia/signing-key.private using the key generated earlier.

Closes: x-fqaob
---
 machines/john-endesktop/configuration.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/machines/john-endesktop/configuration.nix b/machines/john-endesktop/configuration.nix
index 21d7690..49768df 100644
--- a/machines/john-endesktop/configuration.nix
+++ b/machines/john-endesktop/configuration.nix
@@ -54,6 +54,7 @@ with lib;
       4000  # nfs callback
       4001  # nlockmgr
       4002  # mountd
+      5000  # harmonia binary cache
       20048 # mountd
     ];
     allowedUDPPorts = [
@@ -148,6 +149,16 @@ with lib;
     };
   };
 
+  # Harmonia binary cache server
+  # Replaces the broken k8s deployment with native NixOS service
+  services.harmonia = {
+    enable = true;
+    signKeyPath = "/etc/harmonia/signing-key.private";
+    settings = {
+      bind = "[::]:5000";
+    };
+  };
+
   # Time zone
   time.timeZone = "America/Los_Angeles"; # Adjust as needed