trigger new keys generation if supplied key file is empty

README.md

@@ -1,7 +1,7 @@
 # Deploy Alpine Linux on a headless system
 
 [Alpine Linux documentation](https://docs.alpinelinux.org/user-handbook/0.1a/Installing/setup_alpine.html) assumes **initial setup** is carried-out on a system with a keyboard & display to interract with.\
-However, in many cases one might want to deploy a headless system that is only available through a network connection (ethernet, wifi or as USB ethernet gadget).
+However, there are many cases where one might want to deploy a headless system, only available through a network connection (ethernet, wifi or as USB ethernet gadget).
 
 This repo provides an **overlay file** to initially boot such headless system (leveraging Alpine distro's `initramfs` feature): it starts a basic ssh server to log-into from another Computer, in order to then perform actual system setup.
 
@@ -11,14 +11,15 @@ Please follow [Alpine Linux Wiki](https://wiki.alpinelinux.org/wiki/Installation
 Tools provided here can be used on any plaform for any install modes (diskless, data disk, system disk).
 
 Just add [**headless.apkovl.tar.gz**](https://github.com/macmpi/alpine-linux-headless-bootstrap/raw/main/headless.apkovl.tar.gz)[^1] overlay file at the root of Alpine Linux boot media (or onto any custom side-media) and boot-up the system.\
-With default network interface definitions (and SSID/pass file if using wifi), system can then be remotely accessed with: `ssh root@<IP>`\
+With default network interface definitions (and SSID/pass file if using wifi), system can then be accessed under `ssh` with: \
+`ssh root@<IP>`\
 (system IP address may be determined with any IP scanning tools such as `nmap`).
 
 As with Alpine Linux initial bring-up, `root` account has no password initially (change that during setup!).\
-From there, actual system install can be performed as usual with `setup-alpine` for instance (check [wiki](https://wiki.alpinelinux.org/wiki/Alpine_setup_scripts#setup-alpine) for details).
+From there, system install can be performed as usual with `setup-alpine` for instance (check [wiki](https://wiki.alpinelinux.org/wiki/Alpine_setup_scripts#setup-alpine) for details).
 
 
-Extra files may be added next to `headless.apkovl.tar.gz` to customise boostrapping configuration (check sample files):
+Add-on files may be added next to `headless.apkovl.tar.gz` to customise boostrapping configuration (sample files are provided):
 - `wpa_supplicant.conf`[^2] (*mandatory for wifi usecase*): define wifi SSID & password.
 - `interfaces`[^2] (*optional*): define network interfaces at will, if defaults DCHP-based are not suitable.
 - `ssh_host_*_key*` (*optional*): provide custom ssh keys to be injected (may be stored), instead of using bundled ones[^1] (not stored). Providing an empty key file will trigger new keys generation (ssh server may take longer to start).
@@ -26,8 +27,9 @@ Extra files may be added next to `headless.apkovl.tar.gz` to customise boostrapp
 
 
 **Goody:** seamless USB bootstrapping for PiZero devices (or similar supporting USB ethernet gadget networking):\
-Just add `dtoverlay=dwc2` in `usercfg.txt` (or `config.txt`), and plug USB cable into Computer port.\
+Just add `dtoverlay=dwc2` in `usercfg.txt` (or `config.txt`), and plug-in USB cable to Computer port.\
-With Computer set-up to share networking with USB interface as 10.42.0.1 gateway, one can log into device from Computer with: `ssh root@10.42.0.2`
+With Computer set-up to share networking with USB interface as 10.42.0.1 gateway, one can log into device from Computer with:\
+`ssh root@10.42.0.2`
 
 Main execution steps are logged in `/var/log/messages`.
 

overlay/etc/local.d/headless.start

@@ -3,7 +3,7 @@
 # Copyright 2022 - 2023, macmpi
 # SPDX-License-Identifier: MIT
 
-VERSION="0.7"
+VERSION="0.6"
 
 # Redirect stdout and errors to console as rc.local does not log anything
 exec 1>/dev/console 2>&1
@@ -82,7 +82,7 @@ rc-service networking start
 
 
 ## Setup temporary SSH server (root login, no password)
-## we use some bundled or optionaly provided keys to avoid generation at startup and save time
+## we use some bundled or optionaly provided keys to avoid generation at boot and save time
 apk add openssh
 cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
 cp /etc/conf.d/sshd /etc/conf.d/sshd.orig
@@ -94,35 +94,33 @@ cat <<-EOF >> /etc/ssh/sshd_config
 	Banner /tmp/.trash/banner
 	EOF
 
-# Banner file
+# banner file
 cat <<-EOF > /tmp/.trash/banner
 
 	Alpine Linux headless bootstrap v$VERSION by macmpi
 
 	EOF
 
-# Bundled temporary keys are moved in RAM /tmp so they won't be stored
+# bundled temporary keys are moved in RAM /tmp so they won't be stored
 # within permanent config later (new ones will then be generated)
 KEYGEN_STANCE="sshd_disable_keygen=yes"
 mv /etc/ssh/ssh_host_*_key* /tmp/.trash/.
-
+# inject optional custom keys (those might be stored)
-# Inject optional custom keys (those might be stored)
+if ! install -m600 "${ovlpath}"/ssh_host_*_key* /etc/ssh/; then
-if install -m600 "${ovlpath}"/ssh_host_*_key* /etc/ssh/; then
-	# check for empty key within injected ones: generate new keys if found
-	if find /etc/ssh/ -maxdepth 1 -type f -name 'ssh_host_*_key*' -empty | grep -q .; then
-		rm /etc/ssh/ssh_host_*_key*
-		KEYGEN_STANCE=""
-		logger -st ${0##*/} "Will generate new SSH keys..."
-	else
-		chmod 644 /etc/ssh/ssh_host_*_key.pub
-		logger -st ${0##*/} "Using injected SSH keys..."
-	fi
-else
 	logger -st ${0##*/} "Using bundled ssh keys from RAM..."
 	cat <<-EOF >> /etc/ssh/sshd_config
 		HostKey /tmp/.trash/ssh_host_ed25519_key
 		HostKey /tmp/.trash/ssh_host_rsa_key
 		EOF
+else
+	# look for empty key within injected ones: generate new keys if found
+	if find /etc/ssh/ -maxdepth 1 -type f -name 'ssh_host_*_key*' -empty | grep -q .; then
+		rm /etc/ssh/ssh_host_*_key*
+		KEYGEN_STANCE=""
+		logger -st ${0##*/} "Will generate new SSH keys..."
+	else
+		logger -st ${0##*/} "Using injected SSH keys..."
+	fi
 fi
 
 echo "$KEYGEN_STANCE" >> /etc/conf.d/sshd