chg: add external data source to extract age keys via SSH

Each NixOS droplet's SSH host ed25519 key gets converted to an
age public key using ssh-to-age over SSH, enabling sops-nix
secret management per host.

Author: shackra

IaC/.terraform.lock.hcl

@@ -0,0 +1,27 @@
+locals {
+  droplets = {
+    website = digitalocean_droplet.website.ipv4_address
+    vpn     = digitalocean_droplet.vpn.ipv4_address
+    znc     = digitalocean_droplet.znc.ipv4_address
+  }
+}
+
+data "external" "age_key" {
+  for_each = local.droplets
+
+  program = [
+    "bash", "-c",
+    <<-EOT
+      key=$(ssh -o StrictHostKeyChecking=accept-new -o ConnectTimeout=10 root@${each.value} \
+        "nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'" 2>/dev/null)
+      echo "{\"age_key\": \"$key\"}"
+    EOT
+  ]
+}
+
+output "age_keys" {
+  description = "Age public keys derived from each droplet's SSH host key"
+  value = {
+    for name, _ in local.droplets : name => data.external.age_key[name].result.age_key
+  }
+}

IaC/age_keys.tf

@@ -1,7 +1,11 @@
 terraform {
   required_providers {
     digitalocean = {
-      source = "digitalocean/digitalocean"
+      source  = "digitalocean/digitalocean"
+      version = "~> 2.0"
+    }
+    external = {
+      source  = "hashicorp/external"
       version = "~> 2.0"
     }
   }