From 0f369bdf6c130b7ec2950ca60464df6324e52e3b Mon Sep 17 00:00:00 2001
From: hektor
Date: Thu, 22 Jan 2026 20:18:17 +0100
Subject: [PATCH] feat: set up colmena with hetzner stuff

---
 deploy/README.md | 9 +++
 deploy/colmena.nix | 28 +++++++++
 flake.lock | 95 ++++++++++++++++++++++++++++++-
 flake.nix | 12 ++++
 home/hosts/andromache/default.nix | 2 +-
 home/hosts/astyanax/default.nix | 2 +-
 hosts/andromache/default.nix | 2 +
 hosts/astyanax/default.nix | 2 +
 hosts/hecuba/default.nix | 27 ++++++++-
 hosts/hecuba/ssh_host.pub | 1 +
 10 files changed, 175 insertions(+), 5 deletions(-)
 create mode 100644 deploy/README.md
 create mode 100644 deploy/colmena.nix
 create mode 100644 hosts/hecuba/ssh_host.pub

diff --git a/deploy/README.md b/deploy/README.md
new file mode 100644
index 0000000..5567a86
--- /dev/null
+++ b/deploy/README.md
@@ -0,0 +1,9 @@
+# `colmena` deployments
+
+* tags: `local`, `cloud`
+* deployments can be made from `astyanax` and `andromache` hosts
+
+## References
+
+- [docs: `colmena`](https://colmena.cli.rs/)
+- [repo: `colmena`](https://github.com/zhaofengli/colmena)
diff --git a/deploy/colmena.nix b/deploy/colmena.nix
new file mode 100644
index 0000000..0eb7153
--- /dev/null
+++ b/deploy/colmena.nix
@@ -0,0 +1,28 @@
+{
+ self,
+ inputs,
+}:
+
+inputs.colmena.lib.makeHive {
+ meta = {
+ nixpkgs = import inputs.nixpkgs {
+ system = "x86_64-linux";
+ };
+
+ nodeNixpkgs = builtins.mapAttrs (_: v: v.pkgs) self.nixosConfigurations;
+ nodeSpecialArgs = builtins.mapAttrs (_: v: v._module.specialArgs or { }) self.nixosConfigurations;
+ };
+
+ astyanax.deployment.tags = [ "local" ];
+
+ andromache.deployment.tags = [ "local" ];
+
+ vm.deployment.tags = [ "local" ];
+
+ hecuba.deployment = {
+ targetHost = "hecuba";
+ targetUser = "username";
+ targetPort = 22;
+ tags = [ "cloud" ];
+ };
+}
diff --git a/flake.lock b/flake.lock
index 97004cd..ae34204 100644
--- a/flake.lock
+++ b/flake.lock
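Review bot: `targetUser = "username";` in `hecuba.deployment` (deploy/colmena.nix) is a literal string, while the host modules in this same commit bind a Nix variable `username` (`ssh.username = username;` in hosts/hecuba/default.nix), so unless an account literally named "username" exists on hecuba this looks like an unsubstituted placeholder that will make every cloud deployment fail to connect. A non-root target user can only activate the configuration because hecuba already has `security.sudo.wheelNeedsPassword = false;` (context in a later hunk); that dependency deserves a comment on the block, e.g. `# non-root deploy user; activation relies on passwordless sudo on hecuba`. `targetHost = "hecuba"` is a bare name, so it depends on SSH client config or DNS on the deploying hosts resolving it — worth stating which in the same comment.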
@@ -1,5 +1,29 @@ { "nodes": { + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nix-github-actions": "nix-github-actions", + "nixpkgs": [ + "nixpkgs" + ], + "stable": "stable" + }, + "locked": { + "lastModified": 1762034856, + "narHash": "sha256-QVey3iP3UEoiFVXgypyjTvCrsIlA4ecx6Acaz5C8/PQ=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "349b035a5027f23d88eeb3bc41085d7ee29f18ed", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "colmena", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -43,6 +67,22 @@ "type": "gitlab" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -66,6 +106,21 @@ } }, "flake-utils": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "inputs": { "systems": "systems" }, 
@@ -122,6 +177,27 @@ "type": "github" } }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "colmena", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, "nix-secrets": { "flake": false, "locked": { @@ -157,7 +233,7 @@ }, "nixgl": { "inputs": { - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ] @@ -363,6 +439,7 @@ }, "root": { "inputs": { + "colmena": "colmena", "disko": "disko", "firefox-addons": "firefox-addons", "home-manager": "home-manager", @@ -394,6 +471,22 @@ "type": "github" } }, + "stable": { + "locked": { + "lastModified": 1750133334, + "narHash": "sha256-urV51uWH7fVnhIvsZIELIYalMYsyr2FCalvlRTzqWRw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "36ab78dab7da2e4e27911007033713bab534187b", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 5310163..d22a007 100644 --- a/flake.nix +++ b/flake.nix @@ -34,6 +34,10 @@ url = "path:./dots/.config/nvim"; inputs.nixpkgs.follows = "nixpkgs"; }; + colmena = { + url = "github:zhaofengli/colmena"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = @@ -48,6 +52,7 @@ nixgl, firefox-addons, nvim, + colmena, }@inputs: let inherit (self) outputs; @@ -82,5 +87,12 @@ }; }; }; + + colmenaHive = import ./deploy/colmena.nix { + inherit + self + inputs + ; + }; }; } diff --git a/home/hosts/andromache/default.nix b/home/hosts/andromache/default.nix index 7e04cf6..c9be6e0 100644 --- a/home/hosts/andromache/default.nix +++ b/home/hosts/andromache/default.nix 
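Review bot: The `colmena,` parameter added to the `outputs` destructuring (flake.nix hunk at -48) is not referenced by anything in these hunks; `colmenaHive` reaches the input through `inputs` instead, so the binding appears unused and can either be dropped or used directly by passing `inherit self colmena;` to deploy/colmena.nix. The flake input pins no `ref`, so the revision is fixed only by flake.lock, which is fine but worth a short comment if you intend to track a release branch later. The body of `outputs` is largely outside these hunks.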
@@ -13,7 +13,7 @@ in
 imports = [
 ../../modules/desktop/niri
 ../../modules/git.nix
- ../../modules/hetzner
+ # ../../modules/hetzner.nix
 ../../modules/k9s.nix
 ../../modules/kitty.nix
 ../../modules/ssh.nix
diff --git a/home/hosts/astyanax/default.nix b/home/hosts/astyanax/default.nix
index 3c4d742..fd403e0 100644
--- a/home/hosts/astyanax/default.nix
+++ b/home/hosts/astyanax/default.nix
@@ -13,7 +13,7 @@ in
 ../../modules/anki.nix
 ../../modules/desktop/niri
 ../../modules/git.nix
- ../../modules/hetzner
+ # ../../modules/hetzner.nix
 ../../modules/k9s.nix
 ../../modules/kitty.nix
 ../../modules/ssh.nix
diff --git a/hosts/andromache/default.nix b/hosts/andromache/default.nix
index 3e144af..df8ead5 100644
--- a/hosts/andromache/default.nix
+++ b/hosts/andromache/default.nix
@@ -51,6 +51,8 @@ in
 secrets.username = username;
 docker.user = username;
+ nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_andromache.path ];
+
 disko.devices = {
 disk.data = {
 type = "disk";
diff --git a/hosts/astyanax/default.nix b/hosts/astyanax/default.nix
index fa59542..a0d23c8 100644
--- a/hosts/astyanax/default.nix
+++ b/hosts/astyanax/default.nix
@@ -53,6 +53,8 @@ in
 secrets.username = username;
 docker.user = username;
+ nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_astyanax.path ];
+
 hardware = {
 cpu.intel.updateMicrocode = true;
 # https://wiki.nixos.org/wiki/Intel_Graphics
diff --git a/hosts/hecuba/default.nix b/hosts/hecuba/default.nix
index 1305a44..062b05c 100644
--- a/hosts/hecuba/default.nix
+++ b/hosts/hecuba/default.nix
@@ -18,11 +18,17 @@ in
 ../../modules/common
 ./hard.nix
 ../../modules/ssh/hardened-openssh.nix
+ ../../modules/docker
 ];
 networking.hostName = hostName;
 ssh.username = username;
- ssh.authorizedHosts = [ "andromache" ];
+ ssh.authorizedHosts = [
+ "andromache"
+ "astyanax"
+ ];
+
+ docker.user = username;
 fileSystems."/" = {
 device = "/dev/disk/by-label/nixos";
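Review bot: The replaced import is left behind as a comment, `# ../../modules/hetzner.nix`, and it names a different path from the one removed (`../../modules/hetzner`), so the comment does not even record what was there; the same applies to the home/hosts/astyanax hunk. If the hetzner home module is gone for good, delete the line; if it is intentionally disabled, say why, e.g. `# hetzner home module disabled: host access now goes through deploy/colmena.nix` (only if that is in fact the reason). Since the commit title says it sets up hetzner, a reader will expect this import to be enabled rather than commented out, so the reason matters.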
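Review bot: `nix.settings.secret-key-files` now points at the sops secret `nix_signing_key_andromache`, but nothing in the hunk says what the key signs or where its public half is trusted; the same applies to the hosts/astyanax hunk. A one-line comment ties the two ends together, e.g. `# signs store paths pushed by colmena; public key is listed in hosts/hecuba/default.nix trusted-public-keys`. The sops secret declaration is outside these hunks; the key-name prefix embedded in that secret file has to match the `andromache:`/`astyanax:` prefix used on hecuba, and a mismatch surfaces only as a signature rejection at deploy time, so it is worth stating next to the option.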
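Review bot: `docker.user = username;` adds the deploy/login account on the internet-facing host to the docker group, which is root-equivalent on that machine, and the same account already has passwordless sudo (`security.sudo.wheelNeedsPassword = false;` appears as context in the next hunk); that may be a deliberate trade-off but it is undocumented. A comment next to the line records the decision: `# docker group membership is root-equivalent; acceptable here since the account already has passwordless sudo`. `ssh.authorizedHosts` now lists both laptops, which matches the README's statement that deployments run from `astyanax` and `andromache`.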
@@ -51,7 +57,13 @@ in
 security.sudo.wheelNeedsPassword = false;
- networking.firewall.enable = true;
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 80
+ 443
+ ];
+ };
 environment.systemPackages = with pkgs; [
 vim
@@ -67,4 +79,15 @@ in
 enable = true;
 harden = true;
 };
+
+ nix.settings = {
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "astyanax:JY2qJkZUFSax47R3c1nq53AZ8GnLfNqz6mSnJ60cLZ4="
+ "andromache:XM4VLrEw63RB/3v/56OxzH/Yw+kKXKMBLKCb7UGAXzo="
+ ];
+ auto-optimise-store = true;
+ keep-derivations = false;
+ keep-outputs = false;
+ };
 }
diff --git a/hosts/hecuba/ssh_host.pub b/hosts/hecuba/ssh_host.pub
new file mode 100644
index 0000000..3061ddf
--- /dev/null
+++ b/hosts/hecuba/ssh_host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIffzYkin2QHGoaOKXbQv6pbim8SU1J+3vAf2vXerMj root@nixos
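Review bot: `allowedTCPPorts = [ 80 443 ];` opens two ports on the cloud host, but no service listening on them appears anywhere in this commit, so either the listener is configured elsewhere or the ports are opened ahead of need; name it in a comment, e.g. `# 80/443: <service> (TODO: name the listener)`. If the intended listener is a Docker container publishing those ports, be aware that Docker's own iptables rules typically admit published ports independently of the NixOS firewall list, so this entry would then be documenting rather than enforcing the exposure. The `environment.systemPackages` list continues outside the hunk.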
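Review bot: `trusted-public-keys` now accepts any closure signed by either laptop's key, so compromise of either signing secret lets arbitrary store paths be accepted by hecuba; record that this is the trust boundary, e.g. `# any path signed by astyanax or andromache is trusted; update here when a laptop signing key is rotated`. The `cache.nixos.org-1:` entry appears redundant, since it is the option's default and the list merges rather than replaces (inferred from the NixOS option, not visible here), so it can stay or go but should not be mistaken for the only source of that trust. `hosts/hecuba/ssh_host.pub` is added in the last hunk yet is not referenced by any hunk in this commit; if it is meant to populate known-hosts on the deploying machines, the wiring or a comment should say so.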