feat: set up colmena with hetzner stuff

hosts/hecuba/default.nix

@@ -18,11 +18,17 @@ in
     ../../modules/common
     ./hard.nix
     ../../modules/ssh/hardened-openssh.nix
+    ../../modules/docker
   ];
 
   networking.hostName = hostName;
   ssh.username = username;
-  ssh.authorizedHosts = [ "andromache" ];
+  ssh.authorizedHosts = [
+    "andromache"
+    "astyanax"
+  ];
+
+  docker.user = username;
 
   fileSystems."/" = {
     device = "/dev/disk/by-label/nixos";
@@ -51,7 +57,13 @@ in
 
   security.sudo.wheelNeedsPassword = false;
 
-  networking.firewall.enable = true;
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      80
+      443
+    ];
+  };
 
   environment.systemPackages = with pkgs; [
     vim
@@ -67,4 +79,15 @@ in
     enable = true;
     harden = true;
   };
+
+  nix.settings = {
+    trusted-public-keys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "astyanax:JY2qJkZUFSax47R3c1nq53AZ8GnLfNqz6mSnJ60cLZ4="
+      "andromache:XM4VLrEw63RB/3v/56OxzH/Yw+kKXKMBLKCb7UGAXzo="
+    ];
+    auto-optimise-store = true;
+    keep-derivations = false;
+    keep-outputs = false;
+  };
 }