From 31abf40722baf6e23fedad393691fe557f7d6556 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 24 Jun 2026 22:16:05 +0000
Subject: [PATCH] chore: serialize ssh bootstrap key repairs
---
 modules/core/ssh-bootstrap.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/modules/core/ssh-bootstrap.nix b/modules/core/ssh-bootstrap.nix
index dedf934..facbf1b 100644
--- a/modules/core/ssh-bootstrap.nix
+++ b/modules/core/ssh-bootstrap.nix
@@ -44,6 +44,14 @@ lib.mkIf userExists {
 set -eu
 PASSPHRASE=$(cat /var/lib/secrets/ssh-passphrase)
+ lock_dir="${keyPath}.lock"
+
+ if ! mkdir "$lock_dir"; then
+ echo "Factory SSH key setup is already running." >&2
+ exit 1
+ fi
+
+ trap 'rmdir "$lock_dir"' EXIT
 generate_factory_key() {
 ssh-keygen -q -N "$PASSPHRASE" -t ed25519 -f "${keyPath}"
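Review bot: The `mkdir "$lock_dir"` lock added after `PASSPHRASE=` has no stale-lock recovery: the `trap 'rmdir "$lock_dir"' EXIT` cleanup does not run on SIGKILL, an OOM kill or power loss (and, depending on the shell, may not run on SIGTERM either), and because `${keyPath}.lock` sits next to the key, presumably on persistent storage, every later run would then exit 1 with "already running" until someone removes the directory by hand. A kernel-held lock avoids this, e.g. `exec 9>"${keyPath}.lock"` followed by `flock -n 9 || { echo "Factory SSH key setup is already running." >&2; exit 1; }`, assuming util-linux `flock` is on the script's PATH; alternatively keep `mkdir` but put the lock under a tmpfs path such as `/run` so a reboot clears it. If the key directory is writable by the target user, that user can also pre-create the lock path and block the bootstrap, which is another reason to lock in a root-owned location. The surrounding script starts before and continues after this hunk, so how it is invoked is not visible here.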