From 439021f798bf08451a027a3218fc44b26bc756f3 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 24 Jun 2026 22:15:24 +0000
Subject: [PATCH] chore: harden ssh bootstrap script

---
 modules/core/ssh-bootstrap.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/core/ssh-bootstrap.nix b/modules/core/ssh-bootstrap.nix
index d200510..dedf934 100644
--- a/modules/core/ssh-bootstrap.nix
+++ b/modules/core/ssh-bootstrap.nix
@@ -41,6 +41,8 @@ lib.mkIf userExists {
     };
     path = [ pkgs.openssh pkgs.coreutils ];
     script = ''
+      set -eu
+
       PASSPHRASE=$(cat /var/lib/secrets/ssh-passphrase)

       generate_factory_key() {
@@ -54,7 +56,7 @@ lib.mkIf userExists {
         generate_factory_key
       elif ! ssh-keygen -y -P "$PASSPHRASE" -f "${keyPath}" >/dev/null 2>&1; then
         echo "Existing factory SSH key does not match current passphrase; backing it up and generating a replacement."
-        backup_suffix=$(date -u +%Y%m%d%H%M%S)
+        backup_suffix=$(date -u +%Y%m%d_%H%M%S)
         backup_path="${keyPath}.bak-$backup_suffix"
         backup_index=0
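Review bot: The new `set -eu` in the first hunk does not catch an empty secret: if /var/lib/secrets/ssh-passphrase exists but is empty, `PASSPHRASE` is set (so `-u` is satisfied) and the later `ssh-keygen -P "$PASSPHRASE"` calls run with an empty passphrase, which presumably means the factory key is generated or accepted unencrypted without any error. A guard right after the read closes that gap: `[ -n "$PASSPHRASE" ] || { echo "ssh-passphrase secret is empty" >&2; exit 1; }`. Separately, the passphrase is passed as a command-line argument to ssh-keygen, where it is visible in the process list to other local users for the duration of each call; if that is an accepted trade-off on these hosts, a comment next to the `PASSPHRASE=` line saying so would keep the next reader from re-raising it. The if/elif chain in the second hunk starts outside the hunk; the date-format change there is cosmetic and needs nothing.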