authorPaul Buetow <paul@buetow.org>2026-02-07 23:00:26 +0200
committerPaul Buetow <paul@buetow.org>2026-02-07 23:00:26 +0200
commit10a7dd4fc3ddc7a755594b53232a929de403f988 (patch)
tree75c4a070187aa51b10de5e7ed19ffea1a60169e0 /f3s/git-server
parent404f7b9309b9206459681c5b56a57bc1aeb47c5c (diff)
fix(git-server): persist SSH host keys across pod restarts
SSH host keys are now stored in persistent NFS storage instead of an ephemeral emptyDir. Keys are generated only once, on first deployment, so the server's host identity no longer changes on every pod restart and clients stop getting "host key changed" warnings that force a known_hosts update. Co-authored-by: Cursor <cursoragent@cursor.com>
Diffstat (limited to 'f3s/git-server')
-rw-r--r--f3s/git-server/helm-chart/templates/deployment.yaml29
1 files changed, 17 insertions, 12 deletions
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index 1ed7486..51f45c8 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -26,13 +26,18 @@ spec:
- |
# Install openssh for key generation
apk add --no-cache openssh
- # Setup SSH host keys directory and generate keys
- mkdir -p /ssh-init
- ssh-keygen -A -f /ssh-init/..
- mv /ssh-init/../etc/ssh/ssh_host_* /ssh-init/
- chown -R 1001:33 /ssh-init
- chmod 600 /ssh-init/ssh_host_*_key
- chmod 644 /ssh-init/ssh_host_*_key.pub
+ # Setup SSH host keys - only generate if they don't exist (persist across restarts)
+ mkdir -p /ssh-persistent
+ if [ ! -f /ssh-persistent/ssh_host_ed25519_key ]; then
+ echo "Generating new SSH host keys (first time setup)..."
+ ssh-keygen -A -f /ssh-persistent/..
+ mv /ssh-persistent/../etc/ssh/ssh_host_* /ssh-persistent/
+ chown -R 1001:33 /ssh-persistent
+ chmod 600 /ssh-persistent/ssh_host_*_key
+ chmod 644 /ssh-persistent/ssh_host_*_key.pub
+ else
+ echo "SSH host keys already exist, reusing them."
+ fi
# Setup authorized_keys with correct ownership
# The /ssh-git mount point IS the .ssh directory
# UID 1001 and GID 33 match the NFS file ownership
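Review bot: The first-time generation branch has no failure handling: the script does not run under `set -e`, so if `ssh-keygen -A`, the `mv`, or `chown -R 1001:33` (which an NFS export with root_squash may refuse) fails, the init container still exits 0 and sshd later starts with missing or partially moved host keys rather than the pod failing visibly. Add `set -eu` directly after `apk add --no-cache openssh` at the top of this hunk so a broken first-time setup fails the pod instead of silently producing a server that cannot prove its identity. The existence check keys off `ssh_host_ed25519_key` alone, and there is now no rotation path other than manual deletion; state that in the comment: `# Rotation: delete ssh_host_* from the NFS ssh-keys dir and restart; all keys are regenerated and clients must re-trust`. The script block continues past the end of this hunk.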
@@ -41,8 +46,9 @@ spec:
chmod 755 /ssh-git
chmod 644 /ssh-git/authorized_keys
volumeMounts:
- - name: ssh-host-keys
- mountPath: /ssh-init
+ - name: repos
+ mountPath: /ssh-persistent
+ subPath: ssh-keys
- name: git-ssh-keys
mountPath: /ssh-keys-secret
readOnly: true
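Review bot: The init container now gets a writable mount of the `repos` volume with `subPath: ssh-keys`, which introduces an unstated precondition: the `ssh-keys` directory has to exist or be creatable on the NFS export at pod start. For a subPath kubelet creates the directory itself, and on an export with root_squash that creation is done as the squashed user and can fail, so the pod would never leave Init; presumably the directory is created out of band — confirm. A comment on the mount would save the next operator a debugging session: `# subPath dir must exist (or be creatable by kubelet) on the NFS export; holds host private keys, so keep it out of any other mount of this volume`.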
@@ -80,8 +86,9 @@ spec:
subPath: repos
- name: git-ssh-writable
mountPath: /home/git/.ssh
- - name: ssh-host-keys
+ - name: repos
mountPath: /etc/ssh
+ subPath: ssh-keys
securityContext:
runAsUser: 1001
runAsGroup: 33
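Review bot: The SSH host private keys are now stored on the same `repos` NFS volume as the repositories (subPath `ssh-keys`, mounted here at `/etc/ssh`), so their confidentiality is only as strong as access to that export: anything that can mount the export, or any container in this chart that mounts the `repos` volume without a subPath, can read `ssh_host_*_key` and impersonate the server to every client that trusts it. The `chmod 600` in the init container does not change that, because file modes on NFS are enforced only against the export's own UID mapping. A dedicated PVC for host keys, or a Secret generated once and mounted with `defaultMode: 0600`, keeps the host identity out of the repository store; failing that, document the trust assumption on this mount: `# Host private keys live on the repos NFS export (ssh-keys/); access to the export == ability to impersonate this server`. Mounting the subPath over `/etc/ssh` also hides whatever the image ships there (sshd_config, moduli); that was already the case with the emptyDir, and presumably sshd_config comes from another mount — confirm. The git container's definition begins before this hunk.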
@@ -196,7 +203,5 @@ spec:
- name: cgit-config
configMap:
name: cgit-config
- - name: ssh-host-keys
- emptyDir: {}
- name: cgit-runtime
emptyDir: {}