Setup binary cache on c3 and optimize nix settings.

common/binary-cache-server.nix

@@ -0,0 +1,53 @@
+{ config, pkgs, lib, ... }:
+{
+  # Binary cache server using nix-serve
+  # Serves built packages to other hosts in the cluster for faster rebuilds
+  #
+  # Setup:
+  # 1. Deploy this host first
+  # 2. SSH in and get public key: cat /persist/nix-cache/cache-pub-key.txt
+  # 3. Add that key to common/global/nix.nix in trusted-public-keys
+  # 4. Deploy all other hosts to pick up the cache
+
+  # Ensure cache directory is persisted
+  environment.persistence."/persist".directories = [
+    { directory = "/var/nix-cache"; user = "nix-serve"; group = "nix-serve"; mode = "0755"; }
+  ];
+
+  # Auto-generate cache keys on first boot
+  systemd.services.nix-cache-key-init = {
+    description = "Generate binary cache keys if missing";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "nix-serve.service" ];
+    path = [ pkgs.nix ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      CACHE_DIR="/persist/nix-cache"
+      mkdir -p "$CACHE_DIR"
+
+      if [ ! -f "$CACHE_DIR/cache-priv-key.pem" ]; then
+        echo "Generating binary cache key pair..."
+        nix-store --generate-binary-cache-key ${config.networking.hostName}-cache "$CACHE_DIR/cache-priv-key.pem" "$CACHE_DIR/cache-pub-key.txt"
+        chmod 600 "$CACHE_DIR/cache-priv-key.pem"
+        chmod 644 "$CACHE_DIR/cache-pub-key.txt"
+        echo "Binary cache keys generated at $CACHE_DIR"
+        echo "Public key:"
+        cat "$CACHE_DIR/cache-pub-key.txt"
+      fi
+    '';
+  };
+
+  # Enable nix-serve
+  services.nix-serve = {
+    enable = true;
+    secretKeyFile = "/persist/nix-cache/cache-priv-key.pem";
+    bindAddress = "0.0.0.0";
+    port = 5000;
+  };
+
+  # Open firewall for LAN access
+  networking.firewall.allowedTCPPorts = [ 5000 ];
+}