# 0060_ssh_key

Provisions a per-user `~/.ssh/id_ed25519` key and escrows it in the FreeIPA KRA vault (`SSH_PRIV_KEY`), so the same key is reused across machines instead of generating a new one on every install.

Run as the logged-in user via `client_software/user_run.sh` (needs the `DAVTOKEN_USER` environment prepared by `sync_client_software.sh`).

Behavior:

- `~/.ssh` is relocated to `${DECRYPTEDDATADIR}/ssh_keys` (the user's gocryptfs-encrypted data dir) on first run: any existing content is moved there once, then `~/.ssh` becomes a symlink to it. Subsequent runs detect the symlink and skip this step.
- If `~/.ssh/id_ed25519` already exists, it's left untouched.
- Otherwise, tries `ipa vault-retrieve` for `SSH_PRIV_KEY`:
  - found → key is fetched, permissions fixed to `0600`, public key derived.
  - not found → a new vault is created, a new key pair is generated, and the private key is archived to the vault.
- Requires `IPAVAULTUSE=true` (KRA available); otherwise the script is a no-op.

Note: this only handles private-key escrow. Publishing the public key to the user's FreeIPA entry (`ipa user-mod --sshpubkey`) is not done by this script.
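
The retrieve-or-generate flow listed under Behavior, as an added sketch that is not the project's own script: it fetches into a temp file under a tight umask and creates the vault before generating a key, so a retrieve that fails for another reason (expired ticket, KRA down) cannot produce a second key. Assumptions: the `IPA` and `KEYGEN` override variables and the `provision_ssh_key` function name are hypothetical, and the vault type `standard` is a guess the page does not state.

```shell
#!/bin/sh
# Added example, not the project's script. IPA and KEYGEN are hypothetical
# override hooks so the flow can be exercised without a FreeIPA server.
IPA="${IPA:-ipa}"
KEYGEN="${KEYGEN:-ssh-keygen}"
VAULT="SSH_PRIV_KEY"

provision_ssh_key() {
    key="${1:-$HOME/.ssh}/id_ed25519"
    [ "${IPAVAULTUSE:-false}" = "true" ] || { echo noop; return 0; }
    [ -e "$key" ] && { echo kept; return 0; }

    # Retrieve into a temp file under a tight umask, so a failed or partial
    # download never sits at the real key path or is readable by others.
    tmp="$key.tmp.$$"
    if ( umask 077; "$IPA" vault-retrieve "$VAULT" --out "$tmp" >/dev/null 2>&1 ) \
        && [ -s "$tmp" ]; then
        chmod 0600 "$tmp" && mv "$tmp" "$key" || return 1
        "$KEYGEN" -y -f "$key" > "$key.pub" || return 1
        echo retrieved
        return 0
    fi
    rm -f "$tmp"

    # A failed retrieve is not proof that no key is escrowed (expired ticket,
    # KRA unreachable). Creating the vault first makes those cases stop here,
    # before a second, divergent key exists. "--type standard" is an assumption.
    if ! "$IPA" vault-add "$VAULT" --type standard >/dev/null 2>&1; then
        echo "vault-add failed; not generating a key" >&2
        return 1
    fi
    "$KEYGEN" -q -t ed25519 -N "" -f "$key" || return 1
    if ! "$IPA" vault-archive "$VAULT" --in "$key" >/dev/null 2>&1; then
        echo "key generated but NOT escrowed" >&2
        return 1
    fi
    echo generated
}
```

Called with no argument, `provision_ssh_key` works on `$HOME/.ssh`; it prints which branch ran (`noop`, `kept`, `retrieved`, `generated`) and returns non-zero when the key could not be escrowed.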