feat: set up colmena with hetzner stuff

2026-01-22 20:18:17 +01:00
parent 600e55de1f
commit 0f369bdf6c
10 changed files with 175 additions and 5 deletions
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -0,0 +1,9 @@
+# `colmena` deployments
+
+* tags: `local`, `cloud`
+* deployments can be made from `astyanax` and `andromache` hosts
+
+## References
+
+- [docs: `colmena`](https://colmena.cli.rs/)
+- [repo: `colmena`](https://github.com/zhaofengli/colmena)
--- a/deploy/colmena.nix
+++ b/deploy/colmena.nix
@@ -0,0 +1,28 @@
+{
+  self,
+  inputs,
+}:
+
+inputs.colmena.lib.makeHive {
+  meta = {
+    nixpkgs = import inputs.nixpkgs {
+      system = "x86_64-linux";
+    };
+
+    nodeNixpkgs = builtins.mapAttrs (_: v: v.pkgs) self.nixosConfigurations;
+    nodeSpecialArgs = builtins.mapAttrs (_: v: v._module.specialArgs or { }) self.nixosConfigurations;
+  };
+
+  astyanax.deployment.tags = [ "local" ];
+
+  andromache.deployment.tags = [ "local" ];
+
+  vm.deployment.tags = [ "local" ];
+
+  hecuba.deployment = {
+    targetHost = "hecuba";
+    targetUser = "username";
+    targetPort = 22;
+    tags = [ "cloud" ];
+  };
+}
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,29 @@
 {
  "nodes": {
+    "colmena": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils",
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "stable": "stable"
+      },
+      "locked": {
+        "lastModified": 1762034856,
+        "narHash": "sha256-QVey3iP3UEoiFVXgypyjTvCrsIlA4ecx6Acaz5C8/PQ=",
+        "owner": "zhaofengli",
+        "repo": "colmena",
+        "rev": "349b035a5027f23d88eeb3bc41085d7ee29f18ed",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "repo": "colmena",
+        "type": "github"
+      }
+    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@@ -43,6 +67,22 @@
        "type": "gitlab"
      }
    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1650374568,
+        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
@@ -66,6 +106,21 @@
      }
    },
    "flake-utils": {
+      "locked": {
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
      "inputs": {
        "systems": "systems"
      },
@@ -122,6 +177,27 @@
        "type": "github"
      }
    },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "colmena",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729742964,
+        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
    "nix-secrets": {
      "flake": false,
      "locked": {
@@ -157,7 +233,7 @@
    },
    "nixgl": {
      "inputs": {
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "nixpkgs"
        ]
@@ -363,6 +439,7 @@
    },
    "root": {
      "inputs": {
+        "colmena": "colmena",
        "disko": "disko",
        "firefox-addons": "firefox-addons",
        "home-manager": "home-manager",
@@ -394,6 +471,22 @@
        "type": "github"
      }
    },
+    "stable": {
+      "locked": {
+        "lastModified": 1750133334,
+        "narHash": "sha256-urV51uWH7fVnhIvsZIELIYalMYsyr2FCalvlRTzqWRw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "36ab78dab7da2e4e27911007033713bab534187b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@@ -34,6 +34,10 @@
      url = "path:./dots/.config/nvim";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    colmena = {
+      url = "github:zhaofengli/colmena";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs =
@@ -48,6 +52,7 @@
      nixgl,
      firefox-addons,
      nvim,
+      colmena,
    }@inputs:
    let
      inherit (self) outputs;
@@ -82,5 +87,12 @@
          };
        };
      };
+
+      colmenaHive = import ./deploy/colmena.nix {
+        inherit
+          self
+          inputs
+          ;
+      };
    };
 }
--- a/home/hosts/andromache/default.nix
+++ b/home/hosts/andromache/default.nix
@@ -13,7 +13,7 @@ in
  imports = [
    ../../modules/desktop/niri
    ../../modules/git.nix
-    ../../modules/hetzner
+    # ../../modules/hetzner.nix
    ../../modules/k9s.nix
    ../../modules/kitty.nix
    ../../modules/ssh.nix
--- a/home/hosts/astyanax/default.nix
+++ b/home/hosts/astyanax/default.nix
@@ -13,7 +13,7 @@ in
    ../../modules/anki.nix
    ../../modules/desktop/niri
    ../../modules/git.nix
-    ../../modules/hetzner
+    # ../../modules/hetzner.nix
    ../../modules/k9s.nix
    ../../modules/kitty.nix
    ../../modules/ssh.nix
--- a/hosts/andromache/default.nix
+++ b/hosts/andromache/default.nix
@@ -51,6 +51,8 @@ in
  secrets.username = username;
  docker.user = username;

+  nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_andromache.path ];
+
  disko.devices = {
    disk.data = {
      type = "disk";
--- a/hosts/astyanax/default.nix
+++ b/hosts/astyanax/default.nix
@@ -53,6 +53,8 @@ in
  secrets.username = username;
  docker.user = username;

+  nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_astyanax.path ];
+
  hardware = {
    cpu.intel.updateMicrocode = true;
    # https://wiki.nixos.org/wiki/Intel_Graphics
--- a/hosts/hecuba/default.nix
+++ b/hosts/hecuba/default.nix
@@ -18,11 +18,17 @@ in
    ../../modules/common
    ./hard.nix
    ../../modules/ssh/hardened-openssh.nix
+    ../../modules/docker
  ];

  networking.hostName = hostName;
  ssh.username = username;
-  ssh.authorizedHosts = [ "andromache" ];
+  ssh.authorizedHosts = [
+    "andromache"
+    "astyanax"
+  ];
+
+  docker.user = username;

  fileSystems."/" = {
    device = "/dev/disk/by-label/nixos";
@@ -51,7 +57,13 @@ in

  security.sudo.wheelNeedsPassword = false;

-  networking.firewall.enable = true;
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      80
+      443
+    ];
+  };

  environment.systemPackages = with pkgs; [
    vim
@@ -67,4 +79,15 @@ in
    enable = true;
    harden = true;
  };
+
+  nix.settings = {
+    trusted-public-keys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "astyanax:JY2qJkZUFSax47R3c1nq53AZ8GnLfNqz6mSnJ60cLZ4="
+      "andromache:XM4VLrEw63RB/3v/56OxzH/Yw+kKXKMBLKCb7UGAXzo="
+    ];
+    auto-optimise-store = true;
+    keep-derivations = false;
+    keep-outputs = false;
+  };
 }
--- a/hosts/hecuba/ssh_host.pub
+++ b/hosts/hecuba/ssh_host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIffzYkin2QHGoaOKXbQv6pbim8SU1J+3vAf2vXerMj root@nixos
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIffzYkin2QHGoaOKXbQv6pbim8SU1J+3vAf2vXerMj root@nixos`