From ffbe2cb0a75c7f44d51cd74280dd6d597d6e7c8e Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Sat, 7 Feb 2026 23:09:49 +0200
Subject: fix(git-server): copy SSH keys from NFS to local emptyDir

OpenSSH refuses to load host keys from NFS for security reasons. The solution is to store keys in persistent NFS (so they survive restarts) but copy them to a local emptyDir at startup (so sshd can read them).

This ensures:
- SSH host keys persist across pod restarts
- sshd can successfully load the keys from local storage
- Clients don't see "host key changed" warnings

Co-authored-by: Cursor
---
 f3s/git-server/helm-chart/templates/deployment.yaml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index 5d40fbb..3013364 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -45,6 +45,15 @@ spec:
 chown 1001:33 /ssh-persistent/sshd_config
 chmod 644 /ssh-persistent/sshd_config
 fi
+ # Copy SSH host keys from NFS to local emptyDir
+ # OpenSSH refuses to load keys from NFS for security reasons
+ echo "Copying SSH keys to local storage..."
+ cp -a /ssh-persistent/* /ssh-local/
+ chown -R 1001:33 /ssh-local
+ chmod 755 /ssh-local
+ chmod 600 /ssh-local/ssh_host_*_key
+ chmod 644 /ssh-local/ssh_host_*_key.pub
+ chmod 644 /ssh-local/sshd_config
 # Setup authorized_keys with correct ownership
 # The /ssh-git mount point IS the .ssh directory
 # UID 1001 and GID 33 match the NFS file ownership
@@ -56,6 +65,8 @@ spec:
 - name: repos
 mountPath: /ssh-persistent
 subPath: ssh-keys
+ - name: ssh-host-keys
+ mountPath: /ssh-local
 - name: git-ssh-keys
 mountPath: /ssh-keys-secret
 readOnly: true
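Review bot: The copy step after `fi` has no guard for an empty source directory: with an unmatched glob `cp -a /ssh-persistent/* /ssh-local/` receives the literal `*` and fails, `chmod 600 /ssh-local/ssh_host_*_key` fails the same way, and unless the init script runs under `set -e` (not visible in this hunk) the init container still exits successfully with no host keys, so sshd only fails later in the main container. A pre-check makes the failure explicit at init time, e.g. `ls /ssh-persistent/ssh_host_*_key >/dev/null 2>&1 || { echo "no host keys in /ssh-persistent" >&2; exit 1; }`. The added comment's claim that OpenSSH refuses keys from NFS is also worth rewording, since as far as I know sshd's private-key check looks at file mode and owner rather than filesystem type, and what the local copy most likely works around is uid mapping or root squash on the NFS mount; something like `# sshd rejects host keys whose mode/owner check fails; that check is unreliable on the NFS mount, so serve a local copy` states the actual mechanism. The init script this hunk extends begins before the hunk.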
@@ -96,9 +107,8 @@ spec:
 subPath: repos
 - name: git-ssh-writable
 mountPath: /home/git/.ssh
- - name: repos
+ - name: ssh-host-keys
 mountPath: /etc/ssh
- subPath: ssh-keys
 securityContext:
 runAsUser: 1001
 runAsGroup: 33
@@ -216,5 +226,7 @@ spec:
 - name: sshd-config
 configMap:
 name: git-server-sshd-config
+ - name: ssh-host-keys
+ emptyDir: {}
 - name: cgit-runtime
 emptyDir: {}
-- 
cgit v1.2.3
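Review bot: The `/etc/ssh` mount in the main container (the `- name: ssh-host-keys` line that replaces `repos`) stays writable even though the init container has already populated it; sshd only needs to read the host private keys and `sshd_config`, so adding `readOnly: true` under `mountPath: /etc/ssh` keeps a compromised sshd process or anything else running as uid 1001 from replacing the host keys or daemon config in place. The init container's own `/ssh-local` mount of the same emptyDir remains writable, so the copy step is unaffected. The containers list this hunk edits continues outside the hunk.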
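Review bot: The new `ssh-host-keys` volume is declared as `emptyDir: {}`, which backs the copied host private keys with the node's local disk for the pod's lifetime; since the authoritative copy already persists on NFS and this one is only a working copy, `emptyDir: { medium: Memory }` keeps the keys in tmpfs on the node instead of on disk, for a few kilobytes of memory. The volume is still removed when the pod is deleted, so nothing else in the hunk changes.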