From b60880c8b38175514edbea19484cbec77dedbc2d Mon Sep 17 00:00:00 2001
From: "Aaron D. Lee"
Date: Sat, 3 Jan 2026 20:37:39 -0500
Subject: [PATCH] Add SSH key regeneration service to sanitize script
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Creates a systemd service that regenerates SSH host keys on first boot, fixing the issue where SSH would fail after sanitization.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5
---
 rpi/sanitize-for-image.sh | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/rpi/sanitize-for-image.sh b/rpi/sanitize-for-image.sh
index 7fc72bd..b282883 100755
--- a/rpi/sanitize-for-image.sh
+++ b/rpi/sanitize-for-image.sh
@@ -117,7 +117,25 @@ rm -f /root/.ssh/authorized_keys /root/.ssh/known_hosts 2>/dev/null || true
 # =============================================================================
 echo -e "${GREEN}[3/10]${NC} Removing SSH host keys (will regenerate on first boot)..."
 rm -f /etc/ssh/ssh_host_*
-echo " SSH host keys removed"
+
+# Create a first-boot service to regenerate SSH keys
+cat > /etc/systemd/system/regenerate-ssh-keys.service <<'SSHEOF'
+[Unit]
+Description=Regenerate SSH host keys on first boot
+Before=ssh.service
+ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/ssh-keygen -A
+ExecStartPost=/bin/systemctl restart ssh
+
+[Install]
+WantedBy=multi-user.target
+SSHEOF
+
+systemctl enable regenerate-ssh-keys.service 2>/dev/null || true
+echo " SSH host keys removed (will regenerate on first boot)"
 
 # =============================================================================
 # Step 4: Bash History
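Review bot: The `ExecStartPost=/bin/systemctl restart ssh` line in the generated unit works against the unit's own `Before=ssh.service` ordering: the blocking restart job for ssh has to wait until this oneshot finishes activating, while the oneshot is waiting for that restart to return, and oneshot units have no start timeout by default, so SSH would likely stall on first boot. Because `Before=ssh.service` already ensures the keys exist before sshd starts, I would drop the `ExecStartPost=` line, or use `ExecStartPost=/bin/systemctl --no-block restart ssh` if a restart is really wanted. Separately, `systemctl enable regenerate-ssh-keys.service 2>/dev/null || true` hides a failed enable, which after `rm -f /etc/ssh/ssh_host_*` leaves an image with no host keys and nothing to recreate them; `systemctl enable regenerate-ssh-keys.service || echo "  WARNING: regenerate-ssh-keys.service not enabled" >&2` would surface it. The Step 3 section begins above this hunk, so whether anything earlier in the script already arranges key regeneration is not visible here.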