From 10a7dd4fc3ddc7a755594b53232a929de403f988 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Sat, 7 Feb 2026 23:00:26 +0200
Subject: fix(git-server): persist SSH host keys across pod restarts

SSH host keys are now stored in persistent NFS storage instead of ephemeral emptyDir. Keys are only generated once on first deployment, preventing known_hosts updates on every pod restart.

Co-authored-by: Cursor
---
 .../helm-chart/templates/deployment.yaml | 29 +++++++++++++---------
 1 file changed, 17 insertions(+), 12 deletions(-)
 (limited to 'f3s/git-server')

diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index 1ed7486..51f45c8 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -26,13 +26,18 @@ spec:
 - |
 # Install openssh for key generation
 apk add --no-cache openssh
- # Setup SSH host keys directory and generate keys
- mkdir -p /ssh-init
- ssh-keygen -A -f /ssh-init/..
- mv /ssh-init/../etc/ssh/ssh_host_* /ssh-init/
- chown -R 1001:33 /ssh-init
- chmod 600 /ssh-init/ssh_host_*_key
- chmod 644 /ssh-init/ssh_host_*_key.pub
+ # Setup SSH host keys - only generate if they don't exist (persist across restarts)
+ mkdir -p /ssh-persistent
+ if [ ! -f /ssh-persistent/ssh_host_ed25519_key ]; then
+ echo "Generating new SSH host keys (first time setup)..."
+ ssh-keygen -A -f /ssh-persistent/..
+ mv /ssh-persistent/../etc/ssh/ssh_host_* /ssh-persistent/
+ chown -R 1001:33 /ssh-persistent
+ chmod 600 /ssh-persistent/ssh_host_*_key
+ chmod 644 /ssh-persistent/ssh_host_*_key.pub
+ else
+ echo "SSH host keys already exist, reusing them."
+ fi
 # Setup authorized_keys with correct ownership
 # The /ssh-git mount point IS the .ssh directory
 # UID 1001 and GID 33 match the NFS file ownership 
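Review bot: The chown/chmod fixup inside the new `if` block runs only when ssh_host_ed25519_key is absent, so a persisted key directory whose ownership or mode has drifted — or a first run interrupted between the `mv` and the `chmod` — is reused as-is on every later start. These steps are idempotent, so move `chown -R 1001:33 /ssh-persistent`, `chmod 600 /ssh-persistent/ssh_host_*_key` and `chmod 644 /ssh-persistent/ssh_host_*_key.pub` after the `fi` so they are re-asserted on each start. The block scalar also shows no `set -e` at its top, so a failed ssh-keygen or mv (for example on an export that squashes root) may be logged while the init container still exits successfully; unless the command wrapping this script already passes `-e`, add `set -eu` as its first line. The enclosing command/args list begins outside the hunk.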
@@ -41,8 +46,9 @@ spec:
 chmod 755 /ssh-git
 chmod 644 /ssh-git/authorized_keys
 volumeMounts:
- - name: ssh-host-keys
- mountPath: /ssh-init
+ - name: repos
+ mountPath: /ssh-persistent
+ subPath: ssh-keys
 - name: git-ssh-keys
 mountPath: /ssh-keys-secret
 readOnly: true
@@ -80,8 +86,9 @@ spec:
 subPath: repos
 - name: git-ssh-writable
 mountPath: /home/git/.ssh
- - name: ssh-host-keys
+ - name: repos
 mountPath: /etc/ssh
+ subPath: ssh-keys
 securityContext:
 runAsUser: 1001
 runAsGroup: 33
@@ -196,7 +203,5 @@ spec:
 - name: cgit-config
 configMap:
 name: cgit-config
- - name: ssh-host-keys
- emptyDir: {}
 - name: cgit-runtime
 emptyDir: {}
-- 
cgit v1.2.3
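Review bot: The new init-container mount places the SSH host private keys in the `ssh-keys` subPath of the `repos` volume, so the key material now shares storage with the repository data and is readable by anything else that can mount or administer that volume; the commit message calls it NFS, which the hunk itself does not show. A host private key that leaks from there allows impersonation of this server to every client that has pinned it, and because the key now persists, the exposure is long-lived rather than bounded by a pod's lifetime as with the old emptyDir. Consider a dedicated volume, or a Secret populated once, for the host keys rather than a subdirectory of the repository share, and document the placement next to the mount with a comment such as `# Host keys persist under ssh-keys/ on the repos volume so they survive pod restarts`.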
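Review bot: The main container's `/etc/ssh` mount (the `- name: repos` / `mountPath: /etc/ssh` / `subPath: ssh-keys` entry in the second hunk) is now a writable, persistent directory owned by the same UID the container runs as (`runAsUser: 1001` in the same hunk), so a compromise of that user could replace the host keys and the replacement would survive restarts, whereas the removed emptyDir was discarded with the pod. Key generation happens in the init container, so add `readOnly: true` to this mount, provided nothing in the main container writes under /etc/ssh at runtime. The init-container mount of the same subPath in the first hunk must stay writable.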