From 751edfc11dc5a99a102cb82719eafff2b355c8eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= Date: Tue, 10 Feb 2026 23:08:48 +0100 Subject: [PATCH] nix-cache02: add Harmonia binary cache service - Parameterize harmonia.nix to use hostname-based Vault paths - Add nix-cache services to nix-cache02 - Add Vault secret and variable for nix-cache02 signing key - Add nix-cache02 public key to trusted-public-keys on all hosts - Update plan doc to remove actions runner references Co-Authored-By: Claude Opus 4.5 --- docs/plans/nix-cache-reprovision.md | 10 +++------- hosts/nix-cache02/default.nix | 1 + services/nix-cache/harmonia.nix | 2 +- system/nix.nix | 1 + terraform/vault/secrets.tf | 7 ++++++- terraform/vault/variables.tf | 9 ++++++++- 6 files changed, 20 insertions(+), 10 deletions(-) diff --git a/docs/plans/nix-cache-reprovision.md b/docs/plans/nix-cache-reprovision.md index 2bb57ef..229e3d8 100644 --- a/docs/plans/nix-cache-reprovision.md +++ b/docs/plans/nix-cache-reprovision.md @@ -59,7 +59,6 @@ The `homelab-deploy` tool was extended with a builder mode: ### Old System (nix-cache01) - Still running at 10.69.13.15 - Serves binary cache via Harmonia -- Runs Gitea Actions runner - Has the old `build-flakes.sh` timer (every 30 min) - Will be decommissioned after nix-cache02 is fully validated @@ -69,7 +68,6 @@ The `homelab-deploy` tool was extended with a builder mode: - Metrics exposed on port 9973 (`homelab-deploy-builder` job) - Does NOT yet have: - Harmonia (binary cache server) - - Actions runner - Cache signing key ## Remaining Work 
@@ -84,10 +82,9 @@ The `homelab-deploy` tool was extended with a builder mode: ### Phase 4: Complete Migration 1. **Add Harmonia to nix-cache02** - Copy cache signing key, configure service -2. **Add Actions runner to nix-cache02** - Configure with Vault token -3. **Update DNS** - Point `nix-cache.home.2rjus.net` to nix-cache02 -4. **Increase RAM** - Bump to 24GB after nix-cache01 is gone -5. **Decommission nix-cache01**: +2. **Update DNS** - Point `nix-cache.home.2rjus.net` to nix-cache02 +3. **Increase RAM** - Bump to 24GB after nix-cache01 is gone +4. **Decommission nix-cache01**: - Remove from `terraform/vms.tf` - Remove old build script (`services/nix-cache/build-flakes.nix`, `build-flakes.sh`) - Archive or delete host config @@ -145,5 +142,4 @@ Available metrics: ## Open Questions - [ ] When to cut over DNS from nix-cache01 to nix-cache02? -- [ ] Keep Actions runner on nix-cache02 or separate host? - [ ] Implement safe flake update workflow before or after full migration? diff --git a/hosts/nix-cache02/default.nix b/hosts/nix-cache02/default.nix index d44f078..e3d1fad 100644 --- a/hosts/nix-cache02/default.nix +++ b/hosts/nix-cache02/default.nix @@ -2,5 +2,6 @@ imports = [ ./configuration.nix ./builder.nix + ../../services/nix-cache ]; } \ No newline at end of file diff --git a/services/nix-cache/harmonia.nix b/services/nix-cache/harmonia.nix index caf37a4..63cacd7 100644 --- a/services/nix-cache/harmonia.nix +++ b/services/nix-cache/harmonia.nix @@ -1,7 +1,7 @@ { pkgs, config, ... }: { vault.secrets.cache-secret = { - secretPath = "hosts/nix-cache01/cache-secret"; + secretPath = "hosts/${config.networking.hostName}/cache-secret"; extractKey = "key"; outputDir = "/run/secrets/cache-secret"; services = [ "harmonia" ]; diff --git a/system/nix.nix b/system/nix.nix index f50d35c..efc417e 100644 --- a/system/nix.nix +++ b/system/nix.nix 
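Review bot: The new `../../services/nix-cache` import brings in that whole directory, and the plan document changed in this same commit still lists `services/nix-cache/build-flakes.nix` (the legacy 30-minute build timer) under that path as something to remove only once nix-cache01 is decommissioned. If that directory's default.nix imports build-flakes.nix, nix-cache02 now runs both the homelab-deploy builder mode and the old timer side by side; I cannot see services/nix-cache/default.nix from here, so this is worth confirming, and if it does, importing `../../services/nix-cache/harmonia.nix` directly is the safer line. The `\ No newline at end of file` marker on the closing `}` is pre-existing but could be fixed while touching the file.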
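Review bot: `secretPath = "hosts/${config.networking.hostName}/cache-secret"` couples the Vault lookup to whatever `networking.hostName` evaluates to, while the matching paths in terraform/vault/secrets.tf are spelled literally (`hosts/nix-cache01/cache-secret`, `hosts/nix-cache02/cache-secret`), so a hostName that differs from those two names (a rename, or an FQDN used as hostName) only fails when the secret is fetched on the host rather than at evaluation time. An eval-time guard would make the mismatch loud, e.g. `assertions = [ { assertion = builtins.elem config.networking.hostName [ "nix-cache01" "nix-cache02" ]; message = "harmonia: no cache-secret provisioned in Vault for ${config.networking.hostName}"; } ];`, at the cost of a list that must be extended when a cache host is added. A one-line comment above the option, `# Vault path must match the hosts/<name>/cache-secret entries in terraform/vault/secrets.tf`, would help the next person who adds a host. The `vault.secrets.cache-secret` attribute set and the rest of this module continue outside the hunk.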
@@ -43,6 +43,7 @@ in ]; trusted-public-keys = [ "nix-cache.home.2rjus.net-1:2kowZOG6pvhoK4AHVO3alBlvcghH20wchzoR0V86UWI=" + "nix-cache02.home.2rjus.net-1:QyT5FAvJtV+EPQrgQQ6iV9JMg1kRiWuIAJftM35QMls=" "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E=" ]; diff --git a/terraform/vault/secrets.tf b/terraform/vault/secrets.tf index 04c6b56..b0b3b7f 100644 --- a/terraform/vault/secrets.tf +++ b/terraform/vault/secrets.tf @@ -75,12 +75,17 @@ locals { data = { private_key = var.wireguard_private_key } } - # Nix cache signing key + # Nix cache signing keys "hosts/nix-cache01/cache-secret" = { auto_generate = false data = { key = var.cache_signing_key } } + "hosts/nix-cache02/cache-secret" = { + auto_generate = false + data = { key = var.cache_signing_key_02 } + } + # Homelab-deploy NKeys "shared/homelab-deploy/listener-nkey" = { auto_generate = false diff --git a/terraform/vault/variables.tf b/terraform/vault/variables.tf index dfde6b6..972ce64 100644 --- a/terraform/vault/variables.tf +++ b/terraform/vault/variables.tf @@ -41,11 +41,18 @@ variable "wireguard_private_key" { } variable "cache_signing_key" { - description = "Nix binary cache signing key" + description = "Nix binary cache signing key (nix-cache01)" type = string sensitive = true } +variable "cache_signing_key_02" { + description = "Nix binary cache signing key (nix-cache02)" + type = string + default = "PLACEHOLDER" + sensitive = true +} + variable "homelab_deploy_listener_nkey" { description = "NKey seed for homelab-deploy listeners" type = string
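Review bot: With this line every host trusts signatures from both cache keys for as long as the list is left alone, and the decommission checklist for nix-cache01 in the plan (remove the VM, the old build script, the host config) does not mention dropping `nix-cache.home.2rjus.net-1:2kowZOG6…` from `trusted-public-keys`, so the retired key would stay trusted after its host and Vault secret are gone. I would add that step to the plan and label each entry with its owner, e.g. `# nix-cache01 Harmonia key - remove once nix-cache01 is decommissioned` above the old key and `# nix-cache02 Harmonia key` above the new one. It is also worth confirming the new public key was derived from the real signing key rather than the `PLACEHOLDER` default introduced in terraform/vault/variables.tf in this commit, since trust is being granted here before the private half is provisioned. The enclosing `nix.settings` attribute set starts before the hunk.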
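Review bot: `default = "PLACEHOLDER"` on a `sensitive` variable means a `terraform apply` run without a value in tfvars silently writes the literal string PLACEHOLDER into `hosts/nix-cache02/cache-secret` in Vault (through the new entry in terraform/vault/secrets.tf), and Harmonia on nix-cache02 is then handed a bogus signing key, whereas the sibling `cache_signing_key` has no default and makes the missing value a hard error. I would drop the `default = "PLACEHOLDER"` line so both variables behave the same, or, if a placeholder is genuinely needed until the key is generated, keep it but add a `validation` block with `condition = var.cache_signing_key_02 != "PLACEHOLDER"` and an error_message telling the operator to set the real key before applying. Either way a short comment on the variable, `# Generated with nix-store --generate-binary-cache-key; public half is in system/nix.nix trusted-public-keys`, would tie the two halves together for the next reader, provided that is indeed how the key was produced.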