path: root/f3s/git-server
author: Paul Buetow <paul@buetow.org> 2026-02-07 23:11:41 +0200
committer: Paul Buetow <paul@buetow.org> 2026-02-07 23:11:41 +0200
commit: 190473b0dcb41ef49f1e4e3dd7a1e8fa4150181d (patch)
tree: a437eb664790d2e42db0dc64ad2a460a5b5338be /f3s/git-server
parent: ffbe2cb0a75c7f44d51cd74280dd6d597d6e7c8e (diff)
docs(git-server): update README with persistent SSH keys info
Co-authored-by: Cursor <cursoragent@cursor.com>
Diffstat (limited to 'f3s/git-server')
-rw-r--r--  f3s/git-server/README.md  6
1 files changed, 4 insertions, 2 deletions
diff --git a/f3s/git-server/README.md b/f3s/git-server/README.md
index fe23bee..28050b8 100644
--- a/f3s/git-server/README.md
+++ b/f3s/git-server/README.md
@@ -7,6 +7,7 @@ A self-hosted git repository solution for the f3s k3s cluster, replacing externa
- **SSH Git Server**: Alpine-based container with OpenSSH and git for repository access
- **CGit Web UI**: Browse repositories at `http://cgit.f3s.buetow.org`
- **Single Pod Design**: Both containers share storage via ReadWriteMany PVC
+- **Persistent SSH Host Keys**: Keys are stored in NFS and persist across pod restarts
## Architecture
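Review bot: the new "Persistent SSH Host Keys" bullet says the keys live in NFS but not how the private host keys are protected on that shared volume; since anyone who can read the NFS export can read the server's identity, the overview should state the ownership and permission requirements for that directory (or point to the Security Notes bullet added in the second hunk, which explains that the keys are copied to a local emptyDir at startup).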
@@ -249,10 +250,11 @@ To recover:
## Security Notes
- SSH keys are restricted to git-shell only (no shell access)
-- git-server container runs as non-root user (UID 1000)
+- git-server container runs as non-root user (UID 1001)
- cgit container has read-only access to repositories
-- All container capabilities dropped except NET_BIND_SERVICE for cgit
+- All container capabilities dropped for enhanced security
- Secrets managed via Kubernetes Secrets, never committed to git
+- SSH host keys stored in NFS but copied to local emptyDir at startup (OpenSSH security requirement)
## Monitoring
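Review bot: the capabilities bullet now reads "All container capabilities dropped for enhanced security", but the line it replaces kept NET_BIND_SERVICE for cgit; if cgit still binds a privileged port (80/443) it cannot do so with every capability dropped, so the README should state the non-privileged port cgit now listens on (or keep the NET_BIND_SERVICE exception) so the doc matches the actual manifest. Two smaller points in the same hunk: the UID change from 1000 to 1001 should be verified against `runAsUser` in the deployment so the Security Notes do not drift from the pod spec, and "(OpenSSH security requirement)" is vague; spell out the concrete requirement (sshd refuses to load a host key file that is group- or world-accessible, which NFS-mounted ownership and mode bits may not guarantee) so a reader understands what the emptyDir copy is for.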