From f0cb63b38a5ed2c449b5eb94bb745913cf75f8a9 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 30 Jan 2025 18:22:50 -0600
Subject: [PATCH] fedora-rpi-common: Fix sshd starting before certs

Delaying the _ssh-host-cert-sign@.service_ units starting until after the clock is synchronized ends up causing _sshd.service_ to start way before the host certificates are available. This prevents the SSH daemon from using the host certificates until it is explicitly reloaded, so clients will not be able to verify the server's authenticity automatically on first boot.

To ensure that clients (read: Ansible) will be able to connect to the server when it first boots without any manual interaction, we need to delay the _sshd.service_ unit starting until the certificate files are present.

I think this can actually happen to any server, not just a Raspberry Pi, but it definitely always happens on Pis. I may eventually apply this change to the `ssh-host-cert-sign@.service` template unit file in the _sshca-cli-systemd_ package, if it turns out to be a more common problem.

--- fedora-rpi-common.ks | 1 + 1 file changed, 1 insertion(+) diff --git a/fedora-rpi-common.ks b/fedora-rpi-common.ks index 8256d61..e42002f 100644 --- a/fedora-rpi-common.ks +++ b/fedora-rpi-common.ks @@ -24,5 +24,6 @@ cat > /etc/systemd/system/ssh-host-cert-sign@.service.d/time-sync.conf <
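Review bot: the single insertion at @@ -24,5 +24,6 @@ sits under the heredoc that writes ssh-host-cert-sign@.service.d/time-sync.conf, so a rule that holds back sshd.service would live in a drop-in named for clock synchronisation; a separate drop-in (or a rename), with a kickstart comment saying it exists to keep sshd.service from starting before the host certificates are written, would make the intent findable later. The commit message states the goal as "until the certificate files are present", and ordering sshd.service after the signing unit is not the same thing as the files existing if signing fails, so it is worth documenting which behaviour is wanted in that case: sshd starting without certificates, or not starting at all. The added line is cut off in this copy of the patch, so this comment rests on the hunk header and the commit message only.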