Store SSH host keys in /var/lib/ssh

For some reason, when OverlayFS is mounted at `/etc/ssh`, SELinux
prevents access both `sshd` and `ssh-keygen` access to the files there.
The AVC denials indicate that (some part of) the process is running in
the `mount_t` domain, which is not allowed to read or write `sshd_key_t`
files.

To work around this issue, without granting `mount_t` overly-permissive
access, we now configure the SSH daemon to read host keys from the
persistent data volume directly, instead of "tricking" it with
OverlayFS.  The `ssh-keygen` tool does not read the `HostKey` options
from `sshd_config`, though, so it has to be explicitly instructed to
create keys in this alternate location.  By using a systemd template
unit with `ConditionPathExists`, we avoid regnerating the keys on every
boot, since the `ssh-keygen` command is only run if the file does not
already exist.

overlay/usr/lib/systemd/system-preset/80-local-default.preset

@@ -14,4 +14,4 @@ enable systemd-networkd.socket
 disable getty@.service
 
 enable sshd.socket
-enable ssh-keygen.service
+enable ssh-keygen.target

overlay/usr/lib/systemd/system/ssh-keygen.service

@@ -1,9 +0,0 @@
-[Unit]
-Description=Generate SSH host keys
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/ssh-keygen -A
-
-[Install]
-WantedBy=sshd@.service

overlay/usr/lib/systemd/system/ssh-keygen.target

@@ -0,0 +1,7 @@
+[Unit]
+Wants=ssh-keygen@rsa.service
+Wants=ssh-keygen@ecdsa.service
+Wants=ssh-keygen@ed25519.service
+
+[Install]
+WantedBy=multi-user.target

overlay/usr/lib/systemd/system/ssh-keygen@.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Generate SSH %I host key
+ConditionPathExists=!%S/ssh/ssh_host_%I_key
+
+[Service]
+Type=oneshot
+StateDirectory=ssh
+ExecStart=/usr/bin/ssh-keygen -t %I -f %S/ssh/ssh_host_%I_key -N ''
+
+[Install]
+WantedBy=sshd-keygen.target

overlay/usr/lib/systemd/system/sshd@.service.d/after-keygen.conf

@@ -1,2 +0,0 @@
-[Unit]
-After=ssh-keygen.service