feat: set up colmena with hetzner stuff

hosts/andromache/default.nix

@@ -51,6 +51,8 @@ in
   secrets.username = username;
   docker.user = username;
 
+  nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_andromache.path ];
+
   disko.devices = {
     disk.data = {
       type = "disk";

hosts/astyanax/default.nix

@@ -53,6 +53,8 @@ in
   secrets.username = username;
   docker.user = username;
 
+  nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_astyanax.path ];
+
   hardware = {
     cpu.intel.updateMicrocode = true;
     # https://wiki.nixos.org/wiki/Intel_Graphics

hosts/hecuba/default.nix

@@ -18,11 +18,17 @@ in
     ../../modules/common
     ./hard.nix
     ../../modules/ssh/hardened-openssh.nix
+    ../../modules/docker
   ];
 
   networking.hostName = hostName;
   ssh.username = username;
-  ssh.authorizedHosts = [ "andromache" ];
+  ssh.authorizedHosts = [
+    "andromache"
+    "astyanax"
+  ];
+
+  docker.user = username;
 
   fileSystems."/" = {
     device = "/dev/disk/by-label/nixos";
@@ -51,7 +57,13 @@ in
 
   security.sudo.wheelNeedsPassword = false;
 
-  networking.firewall.enable = true;
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      80
+      443
+    ];
+  };
 
   environment.systemPackages = with pkgs; [
     vim
@@ -67,4 +79,15 @@ in
     enable = true;
     harden = true;
   };
+
+  nix.settings = {
+    trusted-public-keys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "astyanax:JY2qJkZUFSax47R3c1nq53AZ8GnLfNqz6mSnJ60cLZ4="
+      "andromache:XM4VLrEw63RB/3v/56OxzH/Yw+kKXKMBLKCb7UGAXzo="
+    ];
+    auto-optimise-store = true;
+    keep-derivations = false;
+    keep-outputs = false;
+  };
 }

hosts/hecuba/ssh_host.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIffzYkin2QHGoaOKXbQv6pbim8SU1J+3vAf2vXerMj root@nixos