From 5bfa1b976dcff193d2a31e3f4df92c49637e8fe2 Mon Sep 17 00:00:00 2001
From: Andrew Kvalheim
Date: Wed, 9 Oct 2024 20:11:32 -0700
Subject: [PATCH] Avoid using APT to generate SSH host keys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Techniques that leverage the openssh-server package’s postinst script
risk two conflicts:

- When ssh.service has been started by APT, attempting to trigger the
  postinst script by starting another instance of APT deadlocks.

- When ssh.service has been started manually, the postinst script in
  the unit dependency causes the proximal activation to be canceled.

To avoid these complications, invoke ssh-keygen directly. The -A option
does exactly what we need:

> Generate host keys of all default key types (rsa, ecdsa, and ed25519)
> if they do not already exist.

---
 build.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/build.sh b/build.sh index 2918db5..e21f993 100755 --- a/build.sh +++ b/build.sh @@ -53,14 +53,13 @@ EOF # Generate SSH keys on first boot cat > $mnt/etc/systemd/system/ssh-hostkey-generate.service <
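Review bot: in the ssh-hostkey-generate.service heredoc under "# Generate SSH keys on first boot", nothing visible in this hunk shows that the image is built without /etc/ssh/ssh_host_* files. Per the text quoted in the commit message, ssh-keygen -A only generates keys "if they do not already exist", so any host key written under $mnt at build time would be kept and shared by every system booted from the image. Please confirm that build.sh removes host keys from the image before it is finalized, and say so in the comment above the heredoc so the first-boot assumption is documented next to the unit. A smaller style point on the same line: $mnt is unquoted in the "cat > $mnt/etc/systemd/system/ssh-hostkey-generate.service" redirection, and quoting it would keep the write inside the mount point if the path ever contains whitespace.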