# general
s
I'm curious about SSH key rotation. Imagine the following VPS setup:
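```typescript
import * as hcloud from '@pulumi/hcloud'
import * as tls from '@pulumi/tls'

// Generate an ED25519 key pair and register its public half with Hetzner Cloud
const tlsServerKey = new tls.PrivateKey('TlsServerKey', { algorithm: 'ED25519' })
const sshKey = new hcloud.SshKey('SshKey', { publicKey: tlsServerKey.publicKeyOpenssh })

// The server is created with the registered key
const server = new hcloud.Server('Server', {
	image: 'debian-12',
	serverType: 'cax21',
	location: 'fsn1',
	sshKeys: [sshKey.id],
})
```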
Let's ignore that I'm generating a key rather than supplying my own for this example. If I were to rotate the key somehow, I would assume that a completely new server is going to be provisioned, with the previous one being removed. Technically not a big issue; however, I have a ton of steps on top of it to bootstrap the system. Is it even worth investigating a proper rotation on the same machine?
q
The `sshKeys` property is marked as replacing, so changing them will trigger the recreation of the server. The Hetzner docs mention that you cannot update the SSH keys:
Once the server is created, you can not update the list of SSH Keys.
Alternatively, you could add the new SSH key directly on the VM itself instead of going through the Hetzner Cloud APIs: https://community.hetzner.com/tutorials/add-ssh-key-to-your-hetzner-cloud#step-5---add-an-ssh-key-to-an-already-created-server
One thing you could do is build your own VM images to cut down on some of the bootstrap steps if startup times are a concern for you.
s
Yeah, I've read about Packer and will be looking into it. Not really to use it long-term, just to learn about it. At least it's unlikely that rotating SSH keys is required all too often, it was something that came to my mind the other day.