diff --git a/hosts/algiz/README.md b/hosts/algiz/README.md index 7527984..0a27e7b 100644 --- a/hosts/algiz/README.md +++ b/hosts/algiz/README.md @@ -45,3 +45,19 @@ atticd-atticadm make-token --sub daylin --push "*" --pull "*" --validity '1y' -- If I handled secrets via `sops` or `agenix` I think this could be stored directly in the repo. I also had to modify the firewall so that docker would forward along the requests by caddy to `host.docker.internal` correctly. + +## Setting up Harmonia + +Generated a signing key with the following command: + +```sh +nix-store --generate-binary-cache-key nix-cache.dayl.in-1 ./secret ./public +``` + +public key: + +```txt +nix-cache.dayl.in-1:lj22Sov7m1snupBz/43O1fxyEfy/S7cxBpweD7iREcs= +``` + +Then enabled the service using the nixos module and used sops to store the private key. diff --git a/hosts/algiz/secrets.nix b/hosts/algiz/secrets.nix index a39fe27..5c25355 100644 --- a/hosts/algiz/secrets.nix +++ b/hosts/algiz/secrets.nix @@ -7,6 +7,7 @@ # by default is accessible only by root:root which should work with above service secrets.restic-algiz = { }; secrets.atticd-env = { }; + secrets.harmonia-key = {}; }; } diff --git a/hosts/algiz/secrets.yaml b/hosts/algiz/secrets.yaml index 915adf4..7c46c75 100644 --- a/hosts/algiz/secrets.yaml +++ b/hosts/algiz/secrets.yaml @@ -1,5 +1,6 @@ restic-algiz: ENC[AES256_GCM,data:r7z1s5pSEIlg2laRmY4D,iv:nfajL8J2A8G80NqMBw/t1tFXCsK9JbTzUgFTisf5JLk=,tag:LWOT9vVzuinXD+AYwk35jA==,type:str] atticd-env: ENC[AES256_GCM,data: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,iv:daN5ZNc34U7W2VaVRNxOeJ4WkhewD9jSB+5gKB+DR50=,tag:6f8DD8lt22bMy7BtYXJ6Zg==,type:str] +harmonia-key: ENC[AES256_GCM,data:NLXfyxAcOjIdCM/zNAPC/ZSK+6bbDrsVdX8FYqDofovLQaFrATuY43zbBtdJI0s+lBUjeCCnKAKkjrOkfoojnTJobi/7V0YIPvc+aetF87w6YHKhxjIWKYtJbHY1DffFYmIQZ8WE7E/cr/55,iv:xRW6L3QQiynuqZkHxCcEsLtk+1qWJHlxM7FXSH8VF4A=,tag:TAcYnSbfrVshHe/bd6ZG5Q==,type:str] sops: kms: [] gcp_kms: [] 
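Review bot: In the hosts/algiz/secrets.nix hunk, the existing comment says the root:root default "should work with above service", but the new `secrets.harmonia-key` is consumed by `services.harmonia` through `signKeyPaths`, and the hunk does not say whether that reasoning holds for it. If the harmonia module loads the key as a systemd credential, the root-only default is fine; otherwise the secret would need an explicit owner. I would record that with a comment such as `# harmonia-key: read via services.harmonia.signKeyPaths; root-only default assumed sufficient, confirm the unit can read it`. As a style point, the new entry uses `{}` where its neighbours use `{ }`. The enclosing attribute set starts outside the hunk.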
@@ -24,8 +25,8 @@ sops: VGJ3VDErbWtnMElrRDNpK2RZTC9MY1kK93dUrPBjgL6kpLBUS3+b14R+bm/AFE/T sm7mxMUVNQVBIYshcl/WtD0yoYDHwW6uLc+KaCwhYDiMFz45zHcn0Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-31T16:21:32Z" - mac: ENC[AES256_GCM,data:SDuACnnJ1+ZHha9uBDnSQvoZzzLM0U7aCAqNde5PYre9EKdElx8jBLGwRcANEIGrHPZrQ0VMIB+fphGi0+UFy0VfI6iR+RjDjnPSp6FV8IzITimrHskKmfPCWB6FvEygkLUkRuWKc2uWGc2cL39wyHRIQiK8oK4/iP9TdXEOtPI=,iv:QFUYCd+99D7x+ukzIYPbY2wszDzyk/x898GoZDMeR/U=,tag:lRvt5LiwETbl3TQ4bx5auw==,type:str] + lastmodified: "2025-02-12T16:17:36Z" + mac: ENC[AES256_GCM,data:uv68SbaUGL2sC5sNcfykWr7LZRIqjO6Rde0Q0yyiMY0E4Yuf4dcqttENSIgLvgDpy1irv2r+GM0GYBzDcKE2DMoFIOT3cYLUBuB4F+vrnv7FD7DF4bx6tr5y8uMwXQxYB9e4p2Mrl8THgFzTZBhHDsMIduigNupnOXj4bazqG6E=,iv:s9pujNmG8JYpPdgtU90w2dCQE3VtKTS4JrfDin1eVME=,tag:U5WOgwu2wrAsIPi8p9r/Xw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 diff --git a/hosts/algiz/services.nix b/hosts/algiz/services.nix index 112f61d..7cfd3d8 100644 --- a/hosts/algiz/services.nix +++ b/hosts/algiz/services.nix @@ -6,6 +6,7 @@ }: let atticPort = "5656"; + harmoniaPort = "5657"; static = pkgs.runCommandLocal "static-files" { } '' mkdir $out cp ${./caddy/index.html} $out/index.html @@ -70,19 +71,33 @@ in }; }; + services.harmonia = enabled // { + signKeyPaths = [ config.sops.secrets.harmonia-key.path ]; + settings = { + bind = "[::]:${harmoniaPort}"; + }; + }; + services.caddy = enabled // { extraConfig = builtins.readFile ./caddy/Caddyfile; - virtualHosts."attic.dayl.in".extraConfig = '' - redir /oizys / - handle / { - root * ${static} - file_server - } + virtualHosts = { + "attic.dayl.in".extraConfig = '' + redir /oizys / - handle /* { - reverse_proxy http://localhost:${atticPort} - } - ''; + handle / { + root * ${static} + file_server + } + + handle /* { + reverse_proxy http://localhost:${atticPort} + } + ''; + + "nix-cache.dayl.in".extraConfig = '' + reverse_proxy http://localhost:${harmoniaPort} + ''; + }; }; } 
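Review bot: In the second hosts/algiz/services.nix hunk, `bind = "[::]:${harmoniaPort}";` makes Harmonia listen on every interface, while the only consumer visible here is Caddy proxying to `http://localhost:${harmoniaPort}`. Unless the host firewall blocks that port, the cache is also reachable directly over plain HTTP, bypassing the TLS front end. Binding to loopback keeps it behind the proxy: `bind = "127.0.0.1:${harmoniaPort}";` together with `reverse_proxy http://127.0.0.1:${harmoniaPort}`, so both ends use the same address family. Separately, the `nix-cache.dayl.in` vhost proxies every path with no access control, so a short comment stating that this is intended would help the next reader. The enclosing module body starts outside the hunk.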
diff --git a/modules/essentials.nix b/modules/essentials.nix index 7c6d078..7763b6b 100644 --- a/modules/essentials.nix +++ b/modules/essentials.nix @@ -55,12 +55,14 @@ accept-flake-config = true; extra-substituters = [ "https://attic.dayl.in/oizys" + "https://nix-cache.dayl.in" # "https://nixpkgs-wayland.cachix.org" # "https://hyprland.cachix.org" # "https://daylin.cachix.org" ]; extra-trusted-public-keys = [ "oizys:DSw3mwVMM/Y+PXSVpkDlU5dLwlORuiJRGPkwr5INSMc=" + "nix-cache.dayl.in-1:lj22Sov7m1snupBz/43O1fxyEfy/S7cxBpweD7iREcs=" # "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" # "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" # "daylin.cachix.org-1:fLdSnbhKjtOVea6H9KqXeir+PyhO+sDSPhEW66ClE/k="
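Review bot: The new `extra-trusted-public-keys` entry makes every host importing this module accept any store path signed by the key held on algiz, and nothing beside it says where the key comes from or how it would be rotated. The value matches the public key recorded in hosts/algiz/README.md, so a comment tying the two together is enough, for example `# harmonia on algiz (hosts/algiz/README.md); bump the -1 suffix when the signing key is rotated`. The same comment could sit beside the `"https://nix-cache.dayl.in"` substituter line. The surrounding settings block begins and ends outside the hunk.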