From 84da591fda29c8843bce2b5a396f7f7cac6b0292 Mon Sep 17 00:00:00 2001
From: macmpi <spam@ipik.org>
Date: Thu, 11 May 2023 17:53:42 +0200
Subject: [PATCH] allow to inject custom ssh keys

---
 README.md                          |   3 ++-
 headless.apkovl.tar.gz             | Bin 4713 -> 4796 bytes
 overlay/etc/local.d/headless.start |  20 ++++++++++++--------
 3 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 06756d0..b7873ee 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,7 @@ From there, system install can be fine-tuned as usual with `setup-alpine` for in
 Add-on files may be added next to `headless.apkovl.tar.gz` to customise setup (sample files are provided):
 - `wpa_supplicant.conf` (*mandatory for wifi usecase*): define wifi SSID & password.
 - `interfaces` (*optional*): define network interfaces at will, if defaults DCHP-based are not suitable.
+- `ssh_host_*_key*` (*optional*): provide custom ssh keys to be injected (can be stored), instead of bundled ones[^1] (not stored).
 - `unattended.sh` (*optional*): make custom automated deployment script to further tune & extend setup (backgrounded).
 
 *Note:* these files are linux text files: Windows/macOS users need to use text editors supporting linux text line-ending (such as [notepad++](https://notepad-plus-plus.org/), BBEdit or any other).
@@ -32,7 +33,7 @@ With Computer set-up to share networking with USB interface as 10.42.0.1 gateway
 
 Main execution steps are logged in `/var/log/messages`.
 
-[^1]: About bundled ssh keys: as this package is essentially intended to **quickly bootstrap** system in order to configure it, it purposely embeds [some ssh keys](https://github.com/macmpi/alpine-linux-headless-bootstrap/tree/main/overlay/etc/ssh) so that bootstrapping is as fast as possible. Those (temporary) keys are moved in /tmp, so they will **not be saved/reused** once permanent configuration is set (with or without ssh server voluntarily installed in permanent setup).
+[^1]: About bundled ssh keys: as this package is essentially intended to **quickly bootstrap** system in order to configure it, it purposely embeds [some ssh keys](https://github.com/macmpi/alpine-linux-headless-bootstrap/tree/main/overlay/etc/ssh) so that bootstrapping is as fast as possible. Those (temporary) keys are moved in RAM /tmp, so they will **not be saved/reused** once permanent configuration is set (with or without ssh server voluntarily installed in permanent setup).
 
 
 ## How to customize further ?
diff --git a/headless.apkovl.tar.gz b/headless.apkovl.tar.gz
index cbabc4249389d2a03cd31e9a3469a9b55b26105c..1f03f6d43cdb4bc17849e3f3a0533089b4f18e4a 100644
GIT binary patch
delta 4634
zcmV+#66NjbB)lbmABzY80000000Zn=d9#~Vme0T8Q;@`+?u34ieNm;88iW9$1tCB}
z(348B?~7OknSA#_vYmDkr#*|~nXdAwdJoV!-1EC<y%+FX7yjfACS)d>Bp=6_etmqL
zqXb4_D2h`Q_6dR_IF5Y+l7BR?J9SNK*C6;wU6$=XlY19`|6i2++5gX;AJ|>i{@~1W
z{GsvdK6d@){pq+nm?DV(hW`nQ#y<g(_Xpwk>7)PQriuR08t}+}`d#^t6F82e7(&hd
zM^TLYnExMwUi*Lk`yncu_J_K$e@OlDx$2zvrQ;p>k0LbnEB}-C!^iyp05tpkX?8it
z&a}kk$>z|1(Z%@t<%&JB%lpsaakbQx<uwbDT}a^4Wk<#yz6wU6AKDyGuUf&IO9|Pn
zqqx)iGm;Q02_4Uw8Ae)YDybIen@;2QR+_jpw^**vFz0O+`^XWbLwMLkshZvjjf+*c
z!#J#i_mtbLp!1rR7q^7o8SU-dchspF&kQ;c-cFT&x-H9Y63HF4<N9*oIGXnQx)u$N
zziiJNrALtDkQ}h>fg85Wt<$ThzzpK3PKXde;*LyKk?LPXOmC$^*r0KQBsmXn)>m@r
zdX3zN9n9llw{=hn(+)@HfNm4%aH;)m&u+bILBRe}-Sj=RZnzYV^0@T2=c^c0X}8p5
z`EXi)sO$APWFU-0<FhN5No|kaIcuSHUZKru<MLz7kG<F8)57NUNp)=fj4ySO^9yl5
zOeX^${mgN&N!#ux+VXv`_w>?{GNTF4fdB<ciySC)xj|e(r;p2nvmkFO-}B7I-Q;vs
z`o}HQkk^|4Wt?;KLungx<cis>oLozc^a=-mxZCFjgP4h>)VCBtZdN&D<~BV?9q#Zg
zvvzj7F==$X`4+s#|G(K;6&L<f<lA26Hx2NA9lamve@nlq|GtNjB)YiwfcK^2QU8Bi
z_kZsH6psI@{u302e60T;f}ZZQ<V8sa4+<}9+8R_;>CEapxaG|U7jW=p<`j?KP+OOO
zwDpole_)p)**p2^e#$%fqO*?dYr6Lhc0b(zx08#7tz`hmQPxkl!(E759?4bIixb1*
zrgC0mD5G+w*EbVo)@;4HIjXmZj%5hB{(X#1yw@t(Pxz}2T*5a;{htmB+(C1Bmo43W
zAcVK%R7-KE6o-UQ2iaX$3rIe+VK~KqZBKZFfUeSm$T-Td^1{U_a4t7~6JZcADOKEX
zjUu!HGLc-oB5%YUpRnHa4z9AMaT{!d%yveUnTFa}7kOfj-+l``Ov}rw-#7aQ@&7-|
z|M#^9eAoVOPWNB0{|J=$nExMw?(4r-E`O{6xtD9e%vwpPtn=jkH%WMV@V_m8_CKx@
z{<Y}$_J8kF$2<BziICW@`#*uuAM^i1&>z_Um)WELdyh`-7JwW*Si^ktUC`v&;gk$^
zWy&0JkVj#J%)%RRCUTga)sow^x{0hNb2q}QQyTRoi1&jO5G+HIPNlda`2rc8G)zQG
z!Vg1#RMB84=Dnt5+_Y7>icO1uxAqnimg!~JhHc$XhhoRVnF>t-;F{2g*6!J%yKJ}5
z0@*#RHALIRA<LQLdY`6CbPB@`!X1jbWnm<YnWobVS(?hJjgzq9`n?0BlxZ!pj_2LQ
z(hQ;)G6&*xxkhbDYnz+qnWZO@kus`Ocf72fl|$_Mn@sHDe4)u{l8RG*tCb_L$|yXp
z2d=OyNWsIC=Fm_?vz0<v<#nxPc2rQ-E<7c=o+&5whMJ1fcAlACR<=Z8O`Taz5CP=X
zbJ+2++?Ub5#vPA=jfiIu14~hFINidcx+VKPDzr>d8Q7vh;$#nDm!fd+6D5wDb1ey%
z8xRx|?X9}@sCnz<2|`$ZJ%@ewr0#ACcj2s#u-7Tq*9W^%gX)+wmy+Ykusg!s5hK$Q
zt+qYBz=0i^^|B~oI>lJByf^Iq#^5T!bXx4T3zpb8G9}F~==*XhmX*^0t#x#-M8A9%
z0o;R4T(WyXV#KSlI(DnXjpm)}26tsxGGGpKe68BLYRD(Y#uvAL<Y95qlxSU$OXD1K
z!gd)#DzI7Xb5fFSxh7A|4&l8Evq9zv5}H#;u|zJaqAq&Ub|Z|mxwC0zs>VSfPeFs@
zqB2(rTreOSsI+NwnJ%jcY5ABaSvKEC(`LhZE+Osu7K6IRG9}fmPALTI+Me3eW=ZVW
zdJ@S)E(VqpE!PTva5UD0+2{L%AW)@a9gx^P6~=b09Za1`{W=wH*nmMC&FDTyRQ)Nj
zBy!o%r|Ui>{g${gY=vEcAXyLspF?oz4_h4)?QMiqMrlF0MhMbeTXmFoJ!3V|PGM}$
z0~R0JdP^DxPWX0V4Et=*w-TUl7Z@HWXsIf)&{p!r753(ThH}kmC96)bq0VjZ$Wl2e
zZAOyV0zE`ce748snYoY*gdgep#20`%oRya4$sR8RUSsqj8*--;Ba*GDDX;kpb=vd-
z#fDdDmnuUlch*+6wR!=2BV;*~8p|ov1EQ|$LY{Ev@TwXj?KK)ccumu94>!es)Rg^P
zUmjt>8Xj(c5NWU`I_#8U%qkCT_jXy(Ed-3$jV&(hE#zCHICA*JS^TL#%a<uaMQycR
z3i2rShDotqsw8UT5pj}FA<2n}h?LPSEw7B+0CbMGxmdWj)#RhJF9iGzNse77o1TP@
zVY<XSmQt|hLc$j57nva2ROYx%K_03rO(9!;vZDxpI55g$9H(@@MJ_!e4Tx~q<+ZkD
z1r$X~rIjSU?U#FUHym7jtz35uF=EU$o|t4wNFJ1$M=zQH1}~%{KkrKBf?gfnPpnDF
zFC29`DKVELBXLZQ)-KVpVRu_!E>eMrin5R6zz~pIkS=1xKj9hx^Bv)^>!IE&`(Z!_
zoL?b-OY5u)l(KE{s~7LIRytREC4@bNI(GPu?4mx@E-Re(3OG7C+tAX0Tag+^=%CBk
zgkTv_#+|t9LRGK^MwLu4sjUU+qU&*ybknk0?`3JOX_v_oSuTQtixBr(LtOz;jwp*C
zR{XNrt@6|EGNO&;z{kOcgUL!JOG1}*NS}It<QV#9V9~411%vu5S*<Dv4+G7*2L;fh
zer}wr05vh1U-A-SYcV1btDEGGQ?b>t)LWAZVLO3)Q<Z?bj+}GG95^a^ilPJ&om@he
zffX%YAgrKDxSkkqw>Txx8pm8*E3uy6>!P;MR%dbDlc;&T_J~MOS9@JD3e#BEVu_D`
zrg4Z<57?Y62QqGsMq)H3SE6M5lv{RIxzZ0=+_k$X-{^6NEO+N9<cK_1kx=*3QV&(B
z%&o;DSu?E<unN-Wo@iDi0Xy`1aV=Tmyo4jYw?mepmfnWF?W*wLX8W`&9}V`nTJ&rE
zXl$cJUCV>M&Iv%&ienJ+c-@?xWzHRc&L>$$_wdn&T2rc_8)QJ$JdU)NBxSjvu?z2`
z#E#tYYS<o)2x2drgd_mku`dD1-Xtk6C;B@0K7P<-QtqZz9OUOUI+%E4HKs^2D1{<p
zbdnAeeOkhsMb$eJa%9HDtbszv=mj*&ENn)lbRyZl@s5WbrP6E0zmOihA$8dkT-*A=
zae`r|V=R+e&hfh0^Y;aldJ4IJD;jM<>*s5;r50FguLF8nsixiY;i75w-cDiU%a~=%
znsn4^UKmlr2?vfNzd06EfN$XYYHO*E4z@s!qR_Zv)>#@_T85B1;(2n1|38l-KGFxK
z`~EL0T|0aB{;+qzkN3at{QiTO%Opb5G=6{oOOe#a_rD*4-t_<L$2HG?cayxw$-cw?
zG>Q;E`=6T6=lws4ef<98gU}bB!A@MjO#}dEUe%<7{O#w+Gxa$Dd;zMy7uUYqf=%m{
zT?^WU2l{ng)(zN}pj#GAnfajIfVKPlh#}A`{RS+`7R<_U79ZOvE<(V+`7Vfl2YY@G
zzrG9m?n@K^X0gz(!KbEw1z-G#eDTHC@K509?Bn4fxQmPK2EL9-@cwO5)7Ewc_Ag!`
z1)UMhZ8xvt8E&4=U_rReEBJX9n<rHES!K7;w=ezz2Js9X&gc2q;8SkjJilrq5Cfmu
zvGPF=e7XyQfBqVN{`$}JMcvK%pUPM40DLO!+y}pYwySg=^mz^*nCEZ;pC0p?wLZ8%
z{sjK}H{gFf0E15`_!Tgl@C%d93>$y*7eBrN`V%}<_76>0RaxxXMf*J4D)=1y{u{83
z`~vv&t;RCqAO@R<lA!G7S$_68@ac>bv^@{}<#@oSaWMybmdz%h5aivO;d^oTCFgB|
zfS)z~yW!o#;%A6K4BRd78TbYyg7^ibf7t33lH#Qi-(bA9%oleR;H$6L-Y|bMIIFm;
zZ7ScLf%x7%Vt!`NQ85Q%Sv*2(j`6a#!{3{ST)sK%<Hna(@V&o+P8Vn19O!RB@cjHd
z`y(jpnb*(1gD?J)H6YxK4eVxi)7&TZ74WH70-t{B+KoS}oCW{%r@tdli|@bwX})7-
z%#gmiAMPS8__x13@dp9??z?~Av&u_RyPI?L#XQ){%lI+l7cWux_XI5~$97ZTC3_z6
z<;geS+>d@6y?2dX<W_IjHe`13O5GzR{)=%3eh+^6CHNr#c8&Ai%`u048@n%g;7oJA
z*7rJxBF_Z&j67p7M*M>t+O0p><Ii054WPe8_7d1UT$%MRQ}iKnuTy{buRG`H#t`N|
z+qb$NH;pLzY<|VmTQwi8-CgYUHc0!BHmO=Qk*rjCi?m|lE}j+`GJqZb`<^?14H&Y!
zlH;ffSF+YSGt3P4<J@xxGhJLwZQJHgfA=|mI+a4H>#^g;WP+Kzl@jCkDTl$G3PZKw
zZ}9={Ib(}=+NZg4p4NZ!qj7ah{DgwHX;oju<o8yO6=+Jt<f9m~TlGQ*yUydCO?#8_
z=dmqp6^1fdwf=HR)<V%&O9vT63D8Dw1y@?7&Yv>F;KV88pMY8-0X$#^{~2GmA&~<e
zQiWT-1%`&eGJuLoGO1!W+=@i2we->YFKtbFcGpV!BA}SG%Y%Oev~GZovv}&RNn{f0
zs#1kYC{CFLobBe{@6ycaY7&uJqXRJZ?&VvPYq2B7;H}uG_z4yugQMhQnvLY_FA~y`
z8xvH-YLtNp;mWw%m^Q#(7-Ay<|BT~&b-7={T}SJ}HjSrK&-vNZ^Lm>9d1_f+(irOB
zluLCrPL-B{)e(Qkt#Q`qWzM@okQ)8H1tuz=*$q5?w8UM>>~)l6+hu8|RBSo)i=KDT
z^cyy1(P+Z-42t`Q=~QJk;emXrs8H`yOb-i3GFa90`0OA{HWT;wP&L)PRLQZ3s6Q~|
zFW9NBxvppa<9>ZSV50KjVgDoy6_vHP2~`JoA2jq@sWyMc8kw1WnYy<j@w)Jy>%G2f
z!D!Yf!w}K5WQgFT3|<H`B-r}I3(1Z1guD4GI4<~WrFb}ff@BGPkQVVnS%%0?ttRT$
zRMMDpv}f7f^x`)jhzTcoQZR;=^EaHg$2`>~Z7p`_jf38&a2NEuhBjf;k(lUCj5K|{
z`LF8Rq4IyOB~pG4NS}nt^|7De24O|IOj5N$z_VLA9N<AiKJdZpwyZe{(zU<3yPQQ5
z>!RFw>}DCoK+b8ps*&v)S4Qdjxl4@I8*RAyuu&Y=KjH^#)a?%)m#3bV3G#!R$KI*{
zVeC{ehYPf!)eN{|`R6O~;d?FuIMljle+38=-|>GK6DQsZ`W8Qa>i1t$==AmuCxicE
zX@%PtS;HLi-247V{rw+%wiw?3IEj1)ZjZKx`TftL|M!3P#q8kyuleP0{&xyFWA@Kv
zUzr09r8DvV?_Vdc*$cQ#4O~CKAGiqZDhOsyOUWl1($s7PpG`&SJlt`^<?J=N&SLJ^
zcMgC3;#|CNUd)AIiKg#v;ViBkkDS|?<DEO?4r%0TNCzi7`WlbN|JlWSHsJp$<Q`6b
zlr`?ffBULs|I7Joc>m)has>Rx6k)1_rjNPQD3JY3tx1RO_S)Zgwvg$5i5vyFcNa{v
zPZ=Lyl|?Q7vn(EKm996G6ekmNP@KmhttnbeztArL9`^jd$^S1e2K+yTH0@uWr5xE0
z9&i5{(}ltQCy;LYn<KQNtx@p5tB2d)K0jyvXPe_Z8Osc;<hWbf%QtTSK?WIQkU<6+
Q<lB?~0PX;gNB~d(0D!4$i~s-t

delta 4573
zcmV<35hCuqCFvx8ABzY80000000ZngceA5*lKyx26xg2iuFbwj4l1u*hY%nX5CS9w
zd#)*R4k8MC{_ck~GhWA?3*))ls_Clt0Cm&dzs^6vZ(aD4KNyf1Xp(#!XZYpuagGug
zg`p@;QP?L4ir_f*2}u6Yirt}WTDu0pPwKL4{~6u8@c*KJ;LrYl_WZ!^vi6lTuklsm
z*M02z&HIyacQ8c|{|)~W6peoZBJWRy--nO>hnpt)Lu<ez|LJ$-KThB{j$#Nk`yWLy
z@?-vg2zcxN`R`R!Htnmrv0tVB_*`|)`;zgF{6`U*`i1|=`{85$e*l>M{xrKBWM^37
z@?>-9=wkeT{c^<~+2#G`@VHuP%JQ0p$Sx#s>9QkZ4_^hN&<|~nr&q1u&839w)=}K)
z{TWFJm4uGx%nTzfG?i2f^i8L6dn-*`np-T_XPEOgi+$t>(jh!-qEt<9g~r9I+hH8m
z!F$SWR?vA(%Zpn=?~L|#?mOz#jAsTN2ydrK-Iis4H;Lqq+Hrk3a2!p0eO-$N$6vPR
zjnX4Xa!3x?_P`BW=GN&|RA2^iR3}7;AaO?~t4Q^)BBr-eA#Bh%LXw<^H|s08biGFI
z!w%;0u-iJQglUJPb3nI=bhy<1wr98AwIE=Bsc!n7S~pw@M|oU&+w)Zns<c~bvV1r#
z)b;v*95N6_qVd_4%cQo)?wqyII<L@XwQ>0|=EvS^@o8c6`lLFxe#V!&$oYl1AEuLm
zkACJj*raXu6K(mv*L!;DNSV=u=Rkl0r9}=Dy4)bHpwq|Y!C8<umG60G<8E>~D*fXY
zYRKzNfHKax`JuFpIda8pR!*)ZMtX$<-0gFJgF(#1QtDfZAUCTVGIN`rqYiiYmRUQy
z-Iz2w-h2bz<Nx36tcnZ&De`SE^P2|vzmDFI@V|v$)qmf^ND^J#d%*jW@u>g5uKPds
ze+tKcQU3`FLq6934*^eiSn{GIg9n9|HEj(ls&r;`9^CTg0}D9#GINSYZ>X(H+Iq=<
zqd%}qk?fuPbU)>te9>7)_AT7|2D=~b|J%vM!qzf?<0$K=+u=^cEsx|X>cxp+aZ@?3
zF_cj`)9agwGHbS8-5k~1L&q|NT>s8v6YsT3_7nc91DEipT>qy`fxFUN-epU79|++s
zIn`3!Da9e-(?NFE)dG?aZ5U2*+Y=stA)u@DATo|Jth{h>3Y^Q0-$WP$OiC3uT%!oB
zfJ`J8ugDv5*H2h)dIwio)3^<`L1sH6%1lFTtcyIc$8Wv?9;W5x)$g1AgZTfS<^TJd
z0pGR%o74T5^B;i{AM^i1z<vIE<MPK0$i1EcGixQGvd)wD-z4F;ga5Z;|Kps0@UI2G
zxBq*eGTzbuNrc3H+5ZWI{+RzC0{+1Mzsw%}-+Odww*chmfg0wU?}R4L4yR<WD^uo(
zgFFf&WES3lGm*pWtd`uS)lFnInY$5Yozkc$LA)QNfM6MtbSlLa$rs4zq+udj5`Gx^
zqlyMYG4C}c<EE|3Rcu<kwYQLeuuLzzHf-yDIutt=&Qxd$0M~>@w06%9-DSId7Rc^l
zts&Yj4q46|*ZVYGqEi@l5bjXaEej)I%ru=|$kJ3!ZJdM+*Y6!5rA%v)bv*AbmSzye
zkU0>i%Qb3KTHD+-&n!KOjFeHOy5nW-tQ=z3-(+GJ=L=0vlT@5qtsH@WRYu`)J#d9x
zK?)w8G>3*FnynPVDz9rTv!jBtcHt?}^-MXbH`G*=w)4#Fva%%#YwFB$f(Rh5p2Lop
z<-UyeHSTx}Y(zYR7+8vW!|4_l)h*fYQK4mu%D@&45+{2IyA*|kpD1zMoNGzA+<>5%
zXm8cEN6lL=PY}ZDIqbWCCv|sIxC>`>guPC=zCPHE8dS%exs)7NhTRe7ju@GiXtnL}
z1rF@Utd~Uz(<#Q1<-K9=HwIS;rqg1#U9iN)ktu0@LEp!vSXNF0wARtR68-#H1aJ>F
zamnrli4m{H>e#IkH=1{@8{Cy)$$&Y`@wIB}sv(~o8(-X#hs8yIQ=)Z2E{$`{3EO1|
zslaBj&q+zT<(fP-JB0Tx%m$ewNN7$W#S*!win{1Y+l?^N=FX;>sTv1`JOvGoi^^Oj
zaKV6RpwgzzWxA{)q~&9xWZ8TlO`8qtxrDUqTMX(N%al~NI;9Y-YkO)>n<cSh>q#UJ
zxfobZv|KB|(O46IW}oj5f<TpybwFbGR2bW}b})4&_3Ko)VFLznG^6_*QT3<9lE`I4
zpRW6m^jqS}uoZR%f@DDmd=9~-KWueKw6_sb8Kni~8X-t?ZPiiU^^Da-JB6`14_JI?
z>n&**IN{rcG3>KJ-%5bKU0`^iprxwFLR-lfSJ;~y$~C8dm8?3!hB~*sBTMC^v>8ca
z3-k~*@!1}iXXZjO5PqcV6JG%8a8_EDCwsgQc#YAAY{;EXj7YYoro84a)M?WT6dPWp
zU8)SJ+*w=M*6Ic9jgaL`YAmNv4~V+13wgqw!>ekDwAX0(;5ALZJ=_%kQB(GFeR+fh
zYk0Upq`{hh=&)0YF{?bV-P>hBw-7L1H@3L2w~%j*;>h6>XYr^0EMKMw6}8oNDafPP
z8z#kesgkITN5n}!g(N2?B2q@Tw7fEM1JF6%=3?RAR+Ep?z7X&?Bsq4SY<dzphUpUT
zSW3Z~3kh4KUu1%8Q<>v71$n5hG=*&W$&Mo6z$lA<ah%fq7P<6@G$6uZm)F{s6;Ko{
zl~$7YwqNea-EeUAwQ}7t#E3E1cw&+zA$d@09=&J+7`%{*{Jblf3wm{QKd~kyzi`y)
zq{Li~jKncHTDwHYhTUy_xkv>fD#|{N14BS=LAr<$|AcD*%y)#tu7`TB?1upzaDIg>
zt+OtFP|CK&uU@><TIpQvl@Rt6>e%5svWxmqyR2~DE8ytpY(q-}ZbfPwp@S}C6M|(#
z8F%8Y3su1y7*#UGq_!5Mi>}8-(oM^1y_coArd=jWWVr|mE<)UE4Rr-XIif6nSn<nd
zx5`hu%ZN6X10M$)4kjy^ED2rKA${tRW9XZIfkm%27YypNWVNawJPb7J9uz>2`nhqg
z0@TE4e#uLSt;L8$tZtG!PQ_NoQg2NvgzW_GO;rN!I&#h#bKt1xDT)$AbaDw<23E9q
zfv|!q;d)}c-Qtu$YaDZNt;BkMuZ!A3Tb;#qPon1W+9M)CUF~(rC`@BrizPmq#vx9B
zJz#UP9LTsi8i~=ET#1tHQ*PN=<w`$fao6sme51!5vfQ1ckR$S3MMB+AOFdMjGPf3s
zWX-fbz$!?ed!kv91nki3#kFLK^Ae8q-VRxYT6!DywyVN}o9)xCd^FhOYSFLtqp^(^
zbuAD2Iwt^8D~>_P<8^a(mN|DgpJW+--NQ#8YE7wzZjb?0GaqR$Ny>6TV;9~>i5<D)
z)v!Gp5yW0L2}uC7V_yQ2y-8ADPV{x~ef*%wq})xbILOaybTIM8YD|%4PzpuH=p-E`
z`m}^Mi>h}d<j9PPSp$WT(F<slS=fw9=|r-9;~ft>N~PC~e<3}1L+Y}*w)KM#;{?M_
z$5<w{oa1$~=kEiPehRsN6OFc@_4BpaQVXoL*8#n(RMYPHaM3h-Z>KQwWy~^WO*(2d
z4@Q)5!hz$+Z;k~O;2ZcpZ7tQ&!4}9-6dG5|I!i-K%MemWJWuZM|L1YUNBF>S-~VN$
zYiG~iANCIT@&5On-+vGofg>n|5cl`L6oGzx|N9}}r~ZHYxaRqPZj$%7*mwA!B60Lb
z{}Tv$-~W^7$L~Kr2z>r2?8F7!L;!H+RZTj`-+YEVQ=b9A=b-9)aqYV;*tA~RwV+*i
zpkLQz-GFTgx@FOnnGf0xSi8@U7y`Z0Z@{8#!K@5t^0AHLA_V-K?}F&Ju;=&i+q<xD
zzd!+CCJX%<d}>;M@a6Z&=bwKC{{Vi*J{}%|ySV6X;M<r4@82dhZEaUz|MHEdpfiHG
z?dDZHtDC2@vLM{%75qGt%?m2~tg_qao0oq9gLqaQ&gb>m;8SkjJilrq5CfmuvGPF=
ze7X~YfBp)7{_4;3McvKvpUOAr0DLO!+y}pUwyShz`aB1J%yT$_PmguYQXkmwe*pje
zYw$lF3WHB5_$4r#@N-b}+pYp-za7dt1>>Ui>v@ObH$WVKe+Qoe@UxfSzftrDc&O}G
zO;=S}?Ak^9JliVx4E*kEu#Nlzc=4OYGU6Zxn}?8~?B-Q|`Wf(I))TZn5Bxbl;DuYg
zTO53^2tUVv{1zeLXN~`Eo$j&lqh3J_+?V|+_zOM$VU;)Hi`VA*3F55{KELw?-+Zt3
z6LW$y-@B})^4(dw@7-hLNA&FfIpoUX5kzw|m$e=Kp7L_}Q?`#AUoYMF{t7x>oOyFd
z|Aq$7&(E{vgR-7+{ro%l@-JBf!p+#gZe};leNkV30x!H0c=5uu8-Er#6aMK>e@C7c
z-+lGNe8-HKRr>ONxRbQt-~RT*9|Z8*Z-37!uSxB0&c>HBv)7mLW5q9DYvJEhv8){1
zO@Y_wnd9q|ufM(@{Wf~<61~W+ep}j**~J@ikKq3=1{?St_{A6ChfuI<ocC^yxxuut
z`x*y-&M;?YeXnRJ@=RdQ$TJ3G#6Pg1-TH$){)k0?qUf(Rd#%{auFU$^dHEo@SET!Q
zoO5(z2=h$Q&lraNXZzN+n>G+cpYd00)2eqU0YVx}d1#wdt=dYcRo*H^#vY7S<8{|I
zgum~ZwE<)7kVpiH#v`E+?`?Kw_RQH`!=LJZ;x>OujY5%SbKnM~S1{RQDUPlpUIruS
z`*OzLf(?W-j||qd%5qshg`1+I#gzCig4Hw@UqthBp~P?%g`)Xa9C27xLI;P={ew-}
z&Fn?k0*VSvj*MJ+HY8giEz1FaOp_33qvnG5RGH0RGMC^K=>>0rS|S8Ipa<s_x0{iF
zNPrHJ#FU2sP9IqIhvquvT2tvc!li%|LJD{W`)Wwz%p6%$60rxvpqE9<)%dy(OOcq!
zDGC5koGUR7BkNquWbgu=kw!;yv?d;>ZxNE3SOH<?Y#q-PJ|Yy82xtaKg?(q9?`wGG
z=9zMY$t<#v3@M11U`(c|57zFRUgvXv_Pds0AUWh~IoH{+We;0Yd9G2iR15Wt#)pJ8
z#5&Z5`vKUK4pS8bbz^`Tdhz8XjOT;Q6_J?p>P}03!o=U%Tj|3uQ2QH9me;%N`g}{x
z?4r#`SN3AotS_iI>%Q@za<;iTMng~A@gi&J6Au87oNK-HIJvmhV`LEvcMo`fHF5p|
zSpt;{p<~nb$qJH?i}@>vA4nZy2d#V#uMl|!sWeIhkm4ANATrhgDmVAFJ{v3QS)PeM
zaYc04Ou{s|7UE|u2rAsZXi~IdiQPC{9rBmqx_nS%QEDQZsuWIiS!JqNlq~^l`D7xU
z1nAfFrR6{$_Zs0zD#P<!rBKO#A#GN$VIc==PHUSH@syveT9@zffcIrQGzqLYrobVm
z6^(NYw2^rp92)z%+nQ*vuRTNS&4*%hQy`ujjq-RXX&%|i3jw8864>Ju)u5?hy5lNM
zI~l~p;Om9>{fwD0C$RF~F8~GN3D-&2;~4f9Z*HpNSF``h(nC2eD@4|RgN&i~|6AYx
z&;S0T)9u&q|L;X^L6)73p$~cb)$f0Gj=LMb|LL97=Rf<9r%ch9C`!G}l`0ljzdklE
zISP35;#!W2KL`<8vP~ul1CRH)o@VkgWKI={EO@x!nm0M;WSRY**%_Ji-aI}t&w4^L
zA6+);oBdPMCUe*|?Y2pO)}bKg|0N~#W9MVsAOE|@y>5;F`;aa4b0=eL#sAJ}!T%?{
zZvFoMUStROk1qU33PpbtPhl_U#Bxf?x8~>0%<c#;S`Cq4?`e<RR(ul+bdv4g@SkCD
zT_X#<gJI8yFZ%c}34EH8A3e|w@ZIiz*ZKcRegC@`S@(Z-Y_Q`*IJm$6yG$2q|L;M{
z{jX1pb~Z-J|4#4j|4zHj{I8==uDrmD!Af?k(n=n=|7)qGmRf45rIuQ1d0g@jJFp2n
H08jt`7RWre

diff --git a/overlay/etc/local.d/headless.start b/overlay/etc/local.d/headless.start
index 1fbcbca..b0d3d2f 100755
--- a/overlay/etc/local.d/headless.start
+++ b/overlay/etc/local.d/headless.start
@@ -15,12 +15,12 @@ ovlpath=$( find /media -maxdepth 2 -type d -path '*/.*' -prune -o -type f -name
 if [ -f "${ovlpath}/wpa_supplicant.conf" ]; then
 	logger -st ${0##*/} "Wifi setup found !"
 	apk add wpa_supplicant
-	cp "${ovlpath}/wpa_supplicant.conf" /etc/wpa_supplicant/wpa_supplicant.conf
+	install -m600 "${ovlpath}/wpa_supplicant.conf" /etc/wpa_supplicant/wpa_supplicant.conf
 else
 	logger -st ${0##*/} "Wifi setup not found !"
 fi
 
-if ! cp "${ovlpath}/interfaces" /etc/network/interfaces; then
+if ! install -m644 "${ovlpath}/interfaces" /etc/network/interfaces; then
 	# set default interfaces if not specified by interface file on boot storage
 	logger -st ${0##*/} "No interfaces file supplied, building default interfaces..."
 	for dev in $(ls /sys/class/net)
@@ -77,22 +77,26 @@ rc-service networking start
 
 
 ## Setup temporary SSH server (root login, no password)
-## we use some bundled keys to avoid generation at boot and save time
-## bundled temporary keys are moved in /tmp so they won't be stored
-## within permanent config later (new ones will then be generated)
+## we use some bundled or optionaly provided keys to avoid generation at boot and save time
 apk add openssh
 
-mv /etc/ssh/ssh_host_* /tmp/.trash/.
+# bundled temporary keys are moved in RAM /tmp so they won't be stored
+# within permanent config later (new ones will then be generated)
+mv /etc/ssh/ssh_host_*_key* /tmp/.trash/.
 
 cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
 cat <<-EOF >> /etc/ssh/sshd_config
 	AuthenticationMethods none
 	PermitEmptyPasswords yes
 	PermitRootLogin yes
-	HostKey /tmp/.trash/ssh_host_ed25519_key
-	HostKey /tmp/.trash/ssh_host_rsa_key
 	EOF
 
+# inject optional custom keys (those might be stored)
+if ! install -m600 "${ovlpath}"/ssh_host_*_key* /etc/ssh/; then
+	echo "HostKey /tmp/.trash/ssh_host_ed25519_key" >> /etc/ssh/sshd_config
+	echo "HostKey /tmp/.trash/ssh_host_rsa_key" >> /etc/ssh/sshd_config
+fi
+
 cp /etc/conf.d/sshd /etc/conf.d/sshd.orig
 cat <<-EOF >> /etc/conf.d/sshd
 	sshd_disable_keygen=yes