From 7e9185918015efe9dfd3f2cd9dc74c5a9e36a22d Mon Sep 17 00:00:00 2001 From: macmpi Date: Sat, 13 May 2023 08:30:34 +0200 Subject: [PATCH] trigger new keys generation if supplied key file is empty --- README.md | 16 +++++++--------- headless.apkovl.tar.gz | Bin 4923 -> 5059 bytes overlay/etc/local.d/headless.start | 27 ++++++++++++++++++--------- 3 files changed, 25 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 23476e0..ff87050 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # Deploy Alpine Linux on a headless system [Alpine Linux documentation](https://docs.alpinelinux.org/user-handbook/0.1a/Installing/setup_alpine.html) assumes **initial setup** is carried-out on a system with a keyboard & display to interract with.\ -However, there are many cases where one might want to deploy a headless system, only available through a network connection (ethernet, wifi or as USB ethernet gadget). +However, in many cases one might want to deploy a headless system that is only available through a network connection (ethernet, wifi or as USB ethernet gadget). This repo provides an **overlay file** to initially boot such headless system (leveraging Alpine distro's `initramfs` feature): it starts a basic ssh server to log-into from another Computer, in order to then perform actual system setup. 
@@ -11,25 +11,23 @@ Please follow [Alpine Linux Wiki](https://wiki.alpinelinux.org/wiki/Installation Tools provided here can be used on any plaform for any install modes (diskless, data disk, system disk). Just add [**headless.apkovl.tar.gz**](https://github.com/macmpi/alpine-linux-headless-bootstrap/raw/main/headless.apkovl.tar.gz)[^1] overlay file at the root of Alpine Linux boot media (or onto any custom side-media) and boot-up the system.\ -With default network interface definitions (and SSID/pass file if using wifi), system can then be accessed under `ssh` with: \ -`ssh root@`\ +With default network interface definitions (and SSID/pass file if using wifi), system can then be remotely accessed with: `ssh root@`\ (system IP address may be determined with any IP scanning tools such as `nmap`). As with Alpine Linux initial bring-up, `root` account has no password initially (change that during setup!).\ -From there, system install can be performed as usual with `setup-alpine` for instance (check [wiki](https://wiki.alpinelinux.org/wiki/Alpine_setup_scripts#setup-alpine) for details). +From there, actual system install can be performed as usual with `setup-alpine` for instance (check [wiki](https://wiki.alpinelinux.org/wiki/Alpine_setup_scripts#setup-alpine) for details). -Add-on files may be added next to `headless.apkovl.tar.gz` to customise boostrapping configuration (sample files are provided): +Extra files may be added next to `headless.apkovl.tar.gz` to customise boostrapping configuration (check sample files): - `wpa_supplicant.conf`[^2] (*mandatory for wifi usecase*): define wifi SSID & password. - `interfaces`[^2] (*optional*): define network interfaces at will, if defaults DCHP-based are not suitable. -- `ssh_host_*_key*` (*optional*): provide custom ssh keys to be injected (may be stored), instead of using bundled ones[^1] (not stored). 
+- `ssh_host_*_key*` (*optional*): provide custom ssh keys to be injected (may be stored), instead of using bundled ones[^1] (not stored). Providing an empty key file will trigger new keys generation (ssh server may take longer to start). - `unattended.sh`[^2] (*optional*): create custom automated deployment script to further tune & extend actual setup (backgrounded). **Goody:** seamless USB bootstrapping for PiZero devices (or similar supporting USB ethernet gadget networking):\ -Just add `dtoverlay=dwc2` in `usercfg.txt` (or `config.txt`), and plug-in USB cable to Computer port.\ -With Computer set-up to share networking with USB interface as 10.42.0.1 gateway, one can log into device from Computer with:\ -`ssh root@10.42.0.2` +Just add `dtoverlay=dwc2` in `usercfg.txt` (or `config.txt`), and plug USB cable into Computer port.\ +With Computer set-up to share networking with USB interface as 10.42.0.1 gateway, one can log into device from Computer with: `ssh root@10.42.0.2` Main execution steps are logged in `/var/log/messages`. 
diff --git a/headless.apkovl.tar.gz b/headless.apkovl.tar.gz index 802c8a823e0bb149568c55d08124d8a270b3dfe3..8d78f9fb8cb746f5136b2362b172d6e36312b075 100644 GIT binary patch delta 3800 zcmV;}4kz)uCc`IxABzY80000000Zng`O~A;k^a^E6?i<^#3tXzeP|uKf)JM^5CU{S zHs#_5af(ym_5Z#|GvkaWwx@P?JiDoyu97&qdEKw?2QO$n__N;`kQr!_d>m(Z_xLzR z35>!}6sIWcGXzC&9QzC;e{aF=&^4`7gWzX%S+>7L_dfi8zbFK={h$3Hbh@nl-ks<8 zeG}Au;swoz<8e1IMG*fD`x6w6e+D8SPJ~~FPxgnKCjMP>z$5;5d$A2sPUu zMKSVI{C^C1WB>X0eOxx}_jTiZp9bS|)wv&v$9v)*MQG|B`;+&>r}+N}Fx&lUHaW=7 zu*B8L;n2~4!}$BCFC!TnL?n_Q%YMVk5G&)CkRWXK;$0UObvxETtpN`Rj!eyMnxncI!CR(_3M1iSBh6 zhjp+*dCdwsO0>GTUFhwpy&e0GIyB>vK?lO$>T_Q0uGk?y6-8e;ZiuxlhWTDuVPrG-O^Ci z-C?1BOVTl7AdEzlqo?m}(Mm)i!_sgBTAa6R~^UT^?=X6{K z`wi5P*P8%koO=r*d6RJDidnDR+_;?5D;(l~UZ0;B#Jbp8eM=GKW|u=|ZPH`h;V$1Y zlDplGm&U}KZ^66&|JBK=qzInk!11%7X@LK0@BIY-TllB^ANUwaqKkVC_)t6^`Tw8u z{!jIv!trb?T)%Lwv<`xxs)F)B5<@K+N!M{ke%KOK`<17Ux+-vSTS z^6Ki>)&5cJ|6B3@p?bjgt^ek5f4Bc5P~ubke+;TlspF~LP-TF@;^r!g$81OsR|7G^5|Nf&=dj+7z57aO} zd?&Pcb~s!Hr?OOz*r}s1LRNp_4>%LM%+_wnO)R^=+OY~EIEBr4PMwvF1lpLWHTg)<$RLcp`2 z5v{$WOLy5;$wJlJNd{tUlZfT4QBu-$iB3_}LAXm%w=9Z-%v}_+RnGK^U9Ga ztf@2G4P$`3`Yt=3mr8#bD>d%=419`t2039V>JNuoR8+T%qM$;{6x9h^G)Qt$AnaTe zE`FfIaeb_1;d}$aVxs+3*X|8pS{@*THFG%d4*K?{ac9o%2uDh}zTP>F9#;FDIhPz) zM%^Cf_86I#Xtn9_1rBVl0TAmfK>tZMZ4K#*ry$enH>cr9{;Z z10wQ6m_!_=#}aZwgkPhXv!=Aod&GE=Z6o1ei<}iQMO=K zMl<=?#z_$Y!7cDW^gGxOdic##*mwVi0>Dfb1vU88wBXAhkT1Xd8vYS{!9HF-g4?9% zZr~fA2Jd^DnznW-uz&elQqUb=&utbrPiJ94xXmkn_<1Iq6;k$D<+Sm)FaHFF$t*gY z&+~D>r`);uLDk0Ktf6+S0?-Ga?u6hUzlNW`{^NX6cQgN|@-;dHp9&`rz^|X3DxC*? 
zo*nKvn!u;Wyk@Qs><>SJ|M3m@pAUh-ClvhZu0bitDzKjQR_6CPgk=p5mGgbmRaKUF zPVq{Ar%e-s_gz~-4b-}5voxrb)2z&(dJlJf$pzSJ94ceisQ!pvopq^JtK?5Wq z_&4w=1Yf-T;q|0{gn!QGdDeUQ0{r_oU>gSo@cAz){xo~T%=XSCEW25-FJ1tj&vOPH z-+xDL;Pa%I18zEWlq!FC-oJ7 z@VQ?CpMUN-O)#^Z3IFhizadYHzkmJX{KSlyMf&P~xRbQtU;gsM?*#C>?|w}yuSlJ4 zj`x@IV6QHd$BbXTk|MYVds(@TmjbWQ^N6obzWL_A+PSjcwv8a%SMgVDl)yP!DH0`1 z2?0MiiP8o+VB~lx(85@eD~Sz7GCZVz2-|Ar zf2xo3(It<>mhZCBVL{P-&6Hxeoab!R7L`*7^Au(w$vo>%rhQ%4>C-$spiixTQAEg1 z3S3vn%`D87$GTra+6D{Hal9>kbN6u1=xU^CljV}@RGwvZ(_5maC8Va7eqp`Wl@V3&sddg{f_3Z;srY+3{6l#khIh~w$z7q2~1&R zx6jBrQYi?RYy_-mk#NmaK!I)!D}3@{MJq5*CHilc;!Z!+uM@0)8x4rjiW@)^nkW?P zQ_`P6gYH3*3&p-V=4$O(j7U_2OnS4VNruAh%w}Z)fcGmHo?4n>647F5-bDcKBbe1C zZnEn;zd_Zv@L(~v>Ryq#Zff#0T~iq=Pfia?7Vl=76hNxPY0w*ybjhNr_8|BunG;j{;laV`Gq z)7<|<_5T03egFR`?SFv(xP%jWED+yfJ3xVIMczgP4&R+wTT^Ftn2U%}5Sxo-Kl&cg zkz-O+;x|pBxmpsscbn4Rs>#Fo*mcB4IN=X^1LS7!e-!`!gFb5U|2VDe|Ku#q|hFFmi0(sw_L z3`<;{91b0SJ&eEqT(Nt0dA}X)S4%@%Ub6_JwYOv6QHN$cGU!0~TV3vdHY~fo$lhq|rSp#CXxi`VT0C+5 zd2?KAJ%U_zmmRj*al?kWb!HV8*ooNd6C%WrxFs*ESP!luX0~!6tkEP!E;$dcr7OAg z{6_7g4(9Qw+qkHV8N0o^LpK+Bcdmm?&u;u{LBPRMU-vyFHCzhEc~bhD<5di+v|Adg zx;rd?bV)i!41|$ra`e>lQafXJ%vwmwE3{dyJ$_91vG-eiS~$Ep>8@iQ@uewpK_M!` zbU5K-khv~485?Dy?I7@b-z;4@J2lZU6rfORksXCD*N7*W^nST>7vxRnd!AW)>zt0u zV84MH@_G}XjB{^6BySRqTrumFn;Vx?dWA!O-0SlbgIE_^t8XcS-0X75tWA21JKW`4 zMsl~?@zR)h^Bs8i|9^9`Dk*}eIB@(dXd2-E+Iv64{}%o({|7!slIY@I13ngyNB;l& zy#G`Er*Qne{7+CA@;U#13V6E1k{4wa+-baO7!s)I@{u)paKl>OYB)*!%ULKitpCgGQUCo%rS=LyjUT9C ze)vvk@$7K83{GXK9I;bJVT7!I!XI!ZcA2f+lAE-;iL9Y=H^Qn@8uev}55g1>?2{}X zN^wQ<1v0v6bP;VC-wpjd2g|_!Z?AffjFG6ahuY{`eyi6>C0rSjXKrs&yu@xiEV#ViEWZE3^l!^ z;?x@D2&^&+PwIgyoC?zL=wP@s6w_>_5q5c%jLeA(%HBqYi)m)sLBFAvrnQ}KW#^S6 zQ&>}Hwj0I(dG%d(JTH}hGFEEb^%?jS^9*vrQq&&~x2ULY7ezsZmMN+ewrG&#qCnWW zC|vwNiR1cM%fk5vgvCVrtFGM}zO+0*2y5nW;2resP20RpR zMV63N4Z9g3kYcnz#i=|o=L?Jjk&aHnxZoF;l+UkLaHidTL*mzE0I4vQSN)=zI6fu= z*FT0;W!bZb22*M`x)Q~U=q9bJLQ??Aho>qToT)MkX}{W(*0pTNpa-fAISc0;36x#IeWwUy39? 
zzyJLd@N@gWJFa=YtK=gt_5=2(Nt%4m{sc*UKL7h9@YR>Fn-p*p1He}xS5{-4L~#pZ z2!?@A_W}Pim^)rxB{Sa8R_CW};sr$$Jjs4gv`Lr*^}m9OYy!ZM*A026e)kf2re5Bs z(*r-L1Fr>}f7UO%7IX?94C=b98?Y@wuPmA}3qYpmq4Oo;dn3d5?KDKdE zL_ly0JP`dJ_JbaN_Z0U1zn}mxlSM%dJ~b`)>IdYjufBnQ1Yfd`!$)wN6x|Jc=hNW* z+oq4(IcF9PlZ3 zZhla;F*s|e9jgHJ!KXVR_{VSH=WqTv|ERl}|5N!E9fD7VlLz28&rX%jlRnQ5_Z&^& z(_>vT*9Z28AHjeB7W|Kgz~B=Ketp-V6l4`x&w4BK`x?Ts28YUd-E>uzC7x5f(P`7f z;Qgzuf1n0x@9FLLTl1a3uZswL1oJ%EY`&oFDo_pDp{!FdDcYc(cS}J7Bq8`$@F@ge zzWU+qqJM;c$>(|2d-xLk+qYmF2L@TSY+x^Qn&!T!uYnhS3A}jW ze>qJsvz!V4@Q1%5Pm8~O^W*%)jF?6G`aaxATJSG_dE$2h`2F|4rIk0NPB+KPk*3EiSB|syEUUX&5YwPW61LWWYiZi06t08*!hO{~_3&M1S zhSvH$kVpl@PvB>riAWbRf4fNX^`x{;#?};Yrsf0I_a_<96u#myR$u2Af6u16$TD%$ zpiWI^tE2S_WX7kFpyzWi=9L~;_kP68U^*LEyWw{@BNldlieyz&m3v-!j^1aU3bs&7 zRA9{?UcT2e!%HYHuGvb(KV#E{&TS&VFe^#yjwP@bk6~q2?rsElfd|H7g?xzMSV^R0 z+6U@g`jCJpE|xpHW}aR?e@Z#cHBpI z#_UwblV)?iriK`>S0u)CdtR{v4@WGy>9UUz4N*u46^LkyP}_oicAG9(FKq;LU3WBD zZ|b%wWLvUOL4hdkMT!T|C%gt4iL}h9wMGEnsW@!l!$JW9M{8RiwhTk8dNc z2Sv>DT*QERJDb-|e+D&Tk2C*GUG%Q+l%e-wAv-+yu?wry><Ymqp zl{xe!&#k}z7&>EjJRJ4WZs54%QG5S)4!Hp}PBw>r|7UdkfBipq;MVrv)$jjaUbgpt z=aBz<>Gy~jJCQ-9FCkQ#vyXqh>b)f|qN8QVgAjk-l|8@P~k=-<~v3i<8fBFZ_2< zK5z$@gBJhKe<8O}%ahD;EB-sgrlUX%Ifpe)p3+?=KPFGIl*$)3%7PYlX*L@Jo`r8nFIa|b$Sc)k7N^bz%?fHNG z_y3OD;{SPMcmK;PffM_|{rBG`y3p?b8Kimt^-a*pG3GG*Z+!Rtcl!OI`vY_It(1&q h4pwqnl`8qp_rH}^T4|+~R$BS~TcL^=Ra007x@VuSzy diff --git a/overlay/etc/local.d/headless.start b/overlay/etc/local.d/headless.start index e7c783e..ba671c6 100755 --- a/overlay/etc/local.d/headless.start +++ b/overlay/etc/local.d/headless.start @@ -82,7 +82,7 @@ rc-service networking start ## Setup temporary SSH server (root login, no password) -## we use some bundled or optionaly provided keys to avoid generation at boot and save time +## we use some bundled or optionaly provided keys to avoid generation at startup and save time apk add openssh cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig cp /etc/conf.d/sshd /etc/conf.d/sshd.orig 
@@ -94,22 +94,30 @@ cat <<-EOF >> /etc/ssh/sshd_config Banner /tmp/.trash/banner EOF -cat <<-EOF >> /etc/conf.d/sshd - sshd_disable_keygen=yes - EOF - -# banner file +# Banner file cat <<-EOF > /tmp/.trash/banner Alpine Linux headless bootstrap v$VERSION by macmpi EOF -# bundled temporary keys are moved in RAM /tmp so they won't be stored +# Bundled temporary keys are moved in RAM /tmp so they won't be stored # within permanent config later (new ones will then be generated) +KEYGEN_STANCE="sshd_disable_keygen=yes" mv /etc/ssh/ssh_host_*_key* /tmp/.trash/. -# inject optional custom keys (those might be stored) -if ! install -m600 "${ovlpath}"/ssh_host_*_key* /etc/ssh/; then + +# Inject optional custom keys (those might be stored) +if install -m600 "${ovlpath}"/ssh_host_*_key* /etc/ssh/; then + # check for empty key within injected ones: generate new keys if found + if find /etc/ssh/ -maxdepth 1 -type f -name 'ssh_host_*_key*' -empty | grep -q .; then + rm /etc/ssh/ssh_host_*_key* + KEYGEN_STANCE="" + logger -st ${0##*/} "Will generate new SSH keys..." + else + chmod 644 /etc/ssh/ssh_host_*_key.pub + logger -st ${0##*/} "Using injected SSH keys..." + fi +else logger -st ${0##*/} "Using bundled ssh keys from RAM..." cat <<-EOF >> /etc/ssh/sshd_config HostKey /tmp/.trash/ssh_host_ed25519_key @@ -117,6 +125,7 @@ if ! install -m600 "${ovlpath}"/ssh_host_*_key* /etc/ssh/; then EOF fi +echo "$KEYGEN_STANCE" >> /etc/conf.d/sshd rc-service sshd start ## Prep for final post-cleanup
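Review bot: The new `find ... -empty` check in the injected-keys branch only catches zero-byte files, so a truncated, corrupt or passphrase-protected private key copied from the overlay media still ends up in /etc/ssh with `sshd_disable_keygen=yes` written to the conf file, and sshd then starts with no loadable host key and exits rather than generating one — on a headless box that removes the only access path. Since the commit already treats a bad (empty) file as "generate fresh keys", the same fallback should cover any private key that `ssh-keygen -y -f` cannot load; `ssh-keygen` should already be present after the `apk add openssh` in the previous hunk, but that is worth confirming for the Alpine release targeted. A rejected key would also be worth naming in the logger line so the operator can see which file was ignored. The `else` branch and the `fi` closing this `if` are in the hunk, but the surrounding script continues before and after it.
```shell
# … unchanged: install -m600 of the injected keys …
	# Reject injected private keys that sshd could not load (empty, truncated, encrypted):
	# with keygen disabled a bad key would leave sshd without any host key.
	bad_key=""
	for key in /etc/ssh/ssh_host_*_key; do
		ssh-keygen -y -f "$key" >/dev/null 2>&1 || bad_key="$key"
	done
	if [ -n "$bad_key" ] || find /etc/ssh/ -maxdepth 1 -type f -name 'ssh_host_*_key*' -empty | grep -q .; then
		rm /etc/ssh/ssh_host_*_key*
		KEYGEN_STANCE=""
		logger -st ${0##*/} "Injected key ${bad_key:-(empty file)} unusable: will generate new SSH keys..."
# … unchanged: else branch (chmod of .pub keys), bundled-keys fallback …
```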
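Review bot: `echo "$KEYGEN_STANCE" >> /etc/conf.d/sshd` appends a bare empty line to the conf file whenever the generate path cleared the variable; guard it with `if [ -n "$KEYGEN_STANCE" ]; then echo "$KEYGEN_STANCE" >> /etc/conf.d/sshd; fi` (an `if` rather than `&&` so the statement never yields a non-zero status on the empty case). The exit status of `rc-service sshd start` on the next line is also not checked, so if sshd fails to come up — for instance with keygen disabled and no loadable host key — this script records nothing about it even though the README says the main steps are logged in /var/log/messages. `rc-service sshd start || logger -st ${0##*/} "sshd failed to start"` would at least leave that trace next to the other steps; whether the script runs under `set -e` is not visible in this hunk, so the guard form above is the safe one either way.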