From 3ba150a787e4a0a5efface9aa7904a5f88d29815 Mon Sep 17 00:00:00 2001
From: "RingOfStorms (Joshua Bell)"
Date: Tue, 6 Jan 2026 14:43:16 -0600
Subject: [PATCH 1/2] serve cache
---
 flakes/common/nix_modules/remote_lio_builds.nix | 7 +++++++
 hosts/lio/configuration.nix | 9 +++++++++
 2 files changed, 16 insertions(+)
diff --git a/flakes/common/nix_modules/remote_lio_builds.nix b/flakes/common/nix_modules/remote_lio_builds.nix
index aff5e272..4ef6615c 100644
--- a/flakes/common/nix_modules/remote_lio_builds.nix
+++ b/flakes/common/nix_modules/remote_lio_builds.nix
@@ -14,6 +14,13 @@ in
 {
 nix = lib.mkIf (hasSecret "nix2lio") {
 distributedBuilds = true;
+
+ # Prefer pulling from lio's binary cache when available.
+ settings = {
+ substituters = lib.mkAfter [ "http://lio:5000" ];
+ trusted-public-keys = lib.mkAfter [ "lio:9jKQ2xJyZjD0AWFzMcLe5dg3s8vOJ3uffujbUkBg4ms=" ];
+ };
+
 buildMachines = [
 {
 hostName = "lio";
diff --git a/hosts/lio/configuration.nix b/hosts/lio/configuration.nix
index 934447ee..401abf5a 100644
--- a/hosts/lio/configuration.nix
+++ b/hosts/lio/configuration.nix
@@ -28,6 +28,15 @@
 # STOP_CHARGE_THRESH_BAT0 = 95;
 # };
 };
+
+ # Binary cache server (drop-in nix-serve replacement)
+ nix-serve = {
+ enable = true;
+ package = pkgs.nix-serve-ng;
+ port = 5000;
+ openFirewall = true;
+ secretKeyFile = "/var/lib/nix-serve/cache-priv-key.pem";
+ };
 };
 # Also allow this key to work for root user, this will let us use this as a remote builder easier
From 200fe2b85ed48c13a74d812038faa2274a843a69 Mon Sep 17 00:00:00 2001
From: "RingOfStorms (Joshua Bell)"
Date: Tue, 6 Jan 2026 14:45:16 -0600
Subject: [PATCH 2/2] dont expose port we hit it via tailscale
---
 hosts/lio/configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/lio/configuration.nix b/hosts/lio/configuration.nix
index 401abf5a..5c1645be 100644
--- a/hosts/lio/configuration.nix
+++ b/hosts/lio/configuration.nix
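Review bot: The `settings` block added in remote_lio_builds.nix (patch 1/2) fetches from `http://lio:5000` over plain HTTP, so the only thing that stops a tampered store path from being installed is the signature check against the `lio:` entry in `trusted-public-keys`; that dependency is worth recording next to the URL. I would add `# Plain HTTP is acceptable only because narinfo signatures are checked against the lio key below and lio is reached over the tailnet; do not set require-sigs = false on these hosts.` It may also be worth confirming that a client which cannot reach lio does not stall on every substitution, for example by setting `connect-timeout` in the same `settings` attrset. The enclosing `nix = lib.mkIf ...` block continues past the end of the hunk.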
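Review bot: `secretKeyFile` in the new `nix-serve` block of hosts/lio/configuration.nix (patch 1/2) points at `/var/lib/nix-serve/cache-priv-key.pem`, a path that nothing in this hunk creates or protects, while every host that lists the `lio:` public key will install whatever that key signs. A comment should record how the key is provisioned and who may read it, e.g. `# Cache signing key: generated out of band, readable only by the nix-serve service user; clients trust anything it signs.` If the repository's secret mechanism (the `hasSecret` helper seen in remote_lio_builds.nix) can deliver files, routing the key through it would keep provisioning reproducible, though I cannot tell from this patch whether it can. The attrset that contains `nix-serve` opens before the hunk.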
@@ -34,7 +34,7 @@
 enable = true;
 package = pkgs.nix-serve-ng;
 port = 5000;
- openFirewall = true;
+ # openFirewall = true;
 secretKeyFile = "/var/lib/nix-serve/cache-priv-key.pem";
 };
 };
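Review bot: Commenting out `openFirewall` leaves dead code and falls back on the option's default, and no bind address is set in the lines shown, so whether port 5000 is reachable only over Tailscale depends on firewall rules that are not visible in this patch. I would state the intent explicitly with `openFirewall = false; # cache is reached over the tailnet only`. If the Tailscale interface is not already trusted by the firewall, allow the port on that interface alone, e.g. `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 5000 ];` (interface name assumed). The `nix-serve` block opens above the hunk, so a `bindAddress` set there would not be visible here.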