authorFranck Cuny <franck@fcuny.net>2025-08-10 13:56:28 -0700
committerFranck Cuny <franck@fcuny.net>2025-08-10 13:56:28 -0700
commit8247d060a6cae65b2d63fd6bd3bf19ed9e66214c (patch)
treeb76329f5b7cc145d2f7bf5d8fd584790e18875f9 /profiles/default.nix
parentflake.lock: Update (diff)
downloadinfra-8247d060a6cae65b2d63fd6bd3bf19ed9e66214c.tar.gz
manage a DigitalOcean virtual machine with nixos
Add a new machine on DigitalOcean and provision it using terraform + nixos-anywhere. This takes care of bringing the machine up on nixos completely, and uses a static SSH host key in order to configure wireguard at the same time.
Diffstat (limited to 'profiles/default.nix')
-rw-r--r--profiles/default.nix11
1 files changed, 1 insertions, 10 deletions
diff --git a/profiles/default.nix b/profiles/default.nix
index 58c22eb..13b8759 100644
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -40,16 +40,6 @@
## only allow declarative user management
users.mutableUsers = false;
- services.openssh.enable = true;
- services.openssh.settings.PasswordAuthentication = false;
- services.openssh.settings.PermitRootLogin = "no";
-
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
- ];
-
- networking.firewall.allowedTCPPorts = [ 22 ];
-
programs.fish.enable = true;
security.sudo.wheelNeedsPassword = false;
@@ -67,6 +57,7 @@
tcpdump
traceroute
vim
+ wireguard-tools
];
## disable that slow "building man-cache" step