Write ssh-host-keys directly to the kickstart to deploy trusted server. Kickstart directory security can be somehow enhanced in the future e.g. by adding base64 hash to the directorypath.

mhakala · mhakala · commit a1075a86f116 · 2023-08-16T16:21:22.000+03:00
diff --git a/templates/kickstart.cfg b/templates/kickstart.cfg
@@ -158,6 +158,21 @@ bind-utils
 {% endif %}
 /usr/bin/chmod 600 /root/.ssh/authorized_keys
 
+# put ssh-host keys directly to kickstart
+cat <<EOF > /etc/ssh/ssh_host_ed25519_key.new
+{% include 'files/nodes/'~ item ~ '/ssh/ssh_host_ed25519_key' %}
+
+EOF
+
+echo "{% include 'files/nodes/'~ item ~ '/ssh/ssh_host_ed25519_key.pub' %}" > /etc/ssh/ssh_host_ed25519_key.pub.new
+
+if [ -s /etc/ssh/ssh_host_ed25519_key.new ]; then
+  mv /etc/ssh/ssh_host_ed25519_key.new /etc/ssh/ssh_host_ed25519_key
+  chmod 600 /etc/ssh/ssh_host_ed25519_key
+  mv /etc/ssh/ssh_host_ed25519_key.pub.new /etc/ssh/ssh_host_ed25519_key.pub
+  chmod 600 /etc/ssh/ssh_host_ed25519_key.pub
+fi
+
 #/usr/bin/systemctl stop NetworkManager.service
 #/usr/bin/systemctl disable NetworkManager.service
 
