manage a DigitalOcean virtual machine with nixos

Add a new machine on DigitalOcean and provision it using terraform + nixos-anywhere. This takes care of bringing the machine up on nixos completely, and use a static SSH host key in order to configure wireguard at the same time.
author: Franck Cuny <franck@fcuny.net> 2025-08-10 13:56:28 -0700
committer: Franck Cuny <franck@fcuny.net> 2025-08-10 13:56:28 -0700
commit: 8247d060a6cae65b2d63fd6bd3bf19ed9e66214c (patch)
tree: b76329f5b7cc145d2f7bf5d8fd584790e18875f9 /secrets/secrets.nix
parent: flake.lock: Update (diff)
download: infra-8247d060a6cae65b2d63fd6bd3bf19ed9e66214c.tar.gz
1 files changed, 10 insertions, 0 deletions
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 52f2311..3ef9cd2 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -2,6 +2,7 @@ let
   hosts = {
     vm-synology = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKZAKlqOU6bSuMaaZAsYJdZnmNASWuIbbrrOjB6yGb8 root@vm-synology";
     mba = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLQTIPZraE+jpMqGkh8yUhNFzRJbMarX5Mky3nETw6c root@mba-m2";
+    do = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID6qsTQwvo6lUACTZKb4T+Je89bW3/BY4DB4aCTqfApz";
   };
   users = {
     fcuny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdyJepi/NyO6d9eP8m48Ga/gdjB5ENHRXYM1ZqFZR8t";
@@ -41,4 +42,13 @@ in
     hosts.vm-synology
     hosts.mba
   ];
+  # this is the SSH key for the digital ocean droplet
+  # the public key is ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID6qsTQwvo6lUACTZKb4T+Je89bW3/BY4DB4aCTqfApz
+  "do/host-ed25519-key.age".publicKeys = [
+    users.fcuny
+  ];
+  "do/wireguard.age".publicKeys = [
+    users.fcuny
+    hosts.do
+  ];
 }
author	Franck Cuny <franck@fcuny.net>	2025-08-10 13:56:28 -0700
committer	Franck Cuny <franck@fcuny.net>	2025-08-10 13:56:28 -0700
commit	8247d060a6cae65b2d63fd6bd3bf19ed9e66214c (patch)
tree	b76329f5b7cc145d2f7bf5d8fd584790e18875f9 /secrets/secrets.nix
parent	flake.lock: Update (diff)
download	infra-8247d060a6cae65b2d63fd6bd3bf19ed9e66214c.tar.gz