0060_ssh_key: add private key escrow via IPA vault and README

Provisions ~/.ssh/id_ed25519 once and stores it in the FreeIPA KRA
vault so the key persists across reinstalls/new machines instead of
being regenerated each time. Guards against silently overwriting an
existing vault key on transient failures (missing ~/.ssh, vault-add
errors, ssh-keygen failures) before archiving.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

client_software/0060_ssh_key/README.md

@@ -0,0 +1,20 @@
+# 0060_ssh_key
+
+Provisions a per-user `~/.ssh/id_ed25519` key and escrows it in the FreeIPA
+KRA vault (`SSH_PRIV_KEY`), so the same key is reused across machines instead
+of generating a new one on every install.
+
+Run as the logged-in user via `client_software/user_run.sh` (needs the
+`DAVTOKEN_USER` environment prepared by `sync_client_software.sh`).
+
+Behavior:
+- If `~/.ssh/id_ed25519` already exists locally, it's left untouched.
+- Otherwise, tries `ipa vault-retrieve` for `SSH_PRIV_KEY`:
+  - found → key is fetched, permissions fixed to `0600`, public key derived.
+  - not found → a new vault is created, a new key pair is generated, and the
+    private key is archived to the vault.
+- Requires `IPAVAULTUSE=true` (KRA available); otherwise the script is a
+  no-op.
+
+Note: this only handles private-key escrow. Publishing the public key to the
+user's FreeIPA entry (`ipa user-mod --sshpubkey`) is not done by this script.

client_software/0060_ssh_key/user_run.sh

@@ -0,0 +1,59 @@
+#!/usr/bin/env sh
+# SPDX-FileCopyrightText: Daniel Pätzold
+# SPDX-License-Identifier: AGPL-3.0-or-later
+#
+# If IPA-KRA is available, use it to store or retrieve personal private ssh key, so that the key won't change every time on new installs
+#
+
+#Check Token
+if [ "${DAVTOKEN_USER}." == "." ]; then
+    echo "Error: Script cannot be executed standalone and needs a prereserved environment from sync_client_software.sh. Quit."
+    exit 1
+fi
+
+KEYFILE="${HOME}/.ssh/id_ed25519"
+SSHVAULTNAME="SSH_PRIV_KEY"
+if [ ${IPAVAULTUSE} = "false" ]; then
+  echo "No IPA- KRA service configured, SSH Key provisioning to and from IPA is not available."
+else
+  if [ -f ${KEYFILE} ]; then
+    echo "SSH Key already present at ${KEYFILE}. Leaving it untouched."
+  else
+    mkdir -p "${HOME}/.ssh"
+    echo "SSH Key ${KEYFILE} not found. Getting Key from IPA- Vault"
+    ipa vault-retrieve "${SSHVAULTNAME}" --out ${KEYFILE}
+    if [ $? -ne 0 ]; then
+      echo "Seems there is no key yet on IPA, creating it new."
+      ipa vault-add "${SSHVAULTNAME}" --desc "SSH private key (Stored by OEMDRV autoinstall Modules)" --type=standard
+      if [ $? -ne 0 ]; then
+        echo "Error creating the new Vault named ${SSHVAULTNAME} on IPA. This should not happen, aborting. Please check."
+        exit 1
+      else
+        ssh-keygen -t ed25519 -C "$(whoami)" -f ${KEYFILE}
+        if [ $? -ne 0 ]; then
+          echo "Error generating the new SSH key at ${KEYFILE}. Aborting without touching the Vault. Please check."
+          exit 1
+        fi
+        ipa vault-archive "${SSHVAULTNAME}" --in ${KEYFILE}
+        if [ $? -ne 0 ]; then
+          echo "Error storing the Key to the created Vault ${SSHVAULTNAME}. This should not happen, aborting. Please check."
+          exit 1
+        else
+          echo "Sucessfully created SSH Key and stored it in IPAs KRA Vault named ${SSHVAULTNAME}."
+        fi
+      fi
+    else
+      # derive public key from private key when enrolling to new system
+      ssh-keygen -y -f "${KEYFILE}" > "${KEYFILE}.pub"
+      if [ $? -eq 0 ]; then
+        chmod 0600 "${KEYFILE}" "${KEYFILE}.pub"
+        echo "Sucessfully fetched SSH Key from IPA."
+      else
+        echo "Something went wrong with Key provisioning, please check."
+        exit 1
+      fi
+    fi
+  fi
+fi
+
+exit 0