Thank you @sam , I went the little extra effort and started hacking a solution myself. However I’m partially stuck at step 1.
The most logical would be to give the container an already pre-authorized SSH key. I’m trying to leverage Pups’ automatic import of environment variables as params. I saved the key in such a variable, and modified the sshd.template.yml in the following fashion:
Shell command

```shell
discourse@machine:/var/discourse$ export GIT_PRIVATE_KEY=`cat /home/discourse/.ssh/id_rsa`
```
sshd.template.yml (last two lines of this block are mine)

```yaml
- exec:
    hook: sshd
    cmd:
      - mkdir -p /var/run/sshd
      - mkdir -p /root/.ssh
      - echo "$ssh_key" >> /root/.ssh/authorized_keys
      - echo "$$ENV_SSH_PUB_KEY" >> /root/.ssh/authorized_keys
      - echo "$GIT_PRIVATE_KEY" >> /root/.ssh/id_rsa
      - cat /root/.ssh/id_rsa
```
However, both syntaxes (with one or two $) did not yield the expected result.
(I know the sshd template and web ones are not called in the correct order by default for this to work, but the cat command itself should produce the expected output, which it doesn’t.)
Edit - Environment variable insanity.
I realized pups is run in the container, not in the host, so this would be the container environment variable. I tried passing it through Docker args, but it fails. The variable is not properly escaped, even with the added quotes.
```text
discourse@machine:/var/discourse$ ./launcher bootstrap app --docker-args "-e GIT_PRIVATE_KEY=$GIT_PRVATE_KEY"
Unable to find image 'RSA:latest' locally
Invalid repository name (RSA), only [a-z0-9-_.] are allowed
cd /pups && git pull && /pups/bin/pups --stdin
User args:
GIT_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAuRquuVBtx06RM9/bU104PLPzxX0fHmjkIILvYyXe/h44yyMo (snip) b/njJsNjvo9zGfhomcs2QOh8Yb7jIzooHqI6ApSUOhu7e0+uZ3Lu -----END RSA PRIVATE KEY-----"
Unable to find image 'RSA:latest' locally
Invalid repository name (RSA), only [a-z0-9-_.] are allowed
cat: cids/app_bootstrap.cid: No such file or directory
docker: "rm" requires a minimum of 1 argument.
See '/usr/bin/docker rm --help'.
Usage: docker rm [OPTIONS] CONTAINER [CONTAINER...]
Remove one or more containers
** FAILED TO BOOTSTRAP ** please scroll up and look for earlier error messages, there may be more than one
```
Edit 2 - Key apparently passed to pups.
The solution was, surprisingly, simpler, and in Docker’s manual.
```shell
discourse@machine:/var/discourse$ ./launcher bootstrap app --docker-args "-e GIT_PRIVATE_KEY"
```

By not setting the variable, it defaults to the value of the same variable on the host.
It shows in pups’ logs, but authentication is still refused. I will try with a different certificate soon, but it might still be a mishandled whitespace problem. If push comes to shove, I’ll lower the security to a simple passphrase.
Don’t hesitate if you have an idea.
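The whitespace problem the post ends on, as an added example that is not part of the original post or of Discourse's launcher: it shows why an unquoted multi-line key turns into the `RSA:latest` docker error, and a way to carry the key as a single base64 word and write it back inside the container with 0600 permissions. It assumes a Linux host with GNU coreutils (`base64 -d`, `stat -c`) and uses a constructed placeholder key, not a real one.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates the word-splitting
# pitfall with multi-line secrets in `--docker-args` and a safer transport.
# Assumes GNU coreutils (base64 -d, stat -c) on a Linux host.

# Constructed placeholder, NOT a real key: same PEM shape as a private key.
SAMPLE_KEY='-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholderline1
b/placeholderline2
-----END RSA PRIVATE KEY-----'

# Number of words the shell produces when the value is expanded unquoted, as
# happens when it is spliced into docker args. The second word is "RSA", which
# is exactly what docker then tried to pull as the image name "RSA:latest".
count_unquoted_words() {
    set -- $1
    echo "$#"
}

# Host side: base64 without line wrapping gives one word with no whitespace,
# so it survives any later word splitting or quoting mishap.
encode_key_for_env() {
    printf '%s\n' "$1" | base64 | tr -d '\n'
}

# Container side: decode straight into the target file (no `echo`, which may
# mangle backslashes or flags), create it with a private umask and chmod 600,
# since ssh refuses group- or world-readable private keys. Returns non-zero
# if the result has lost its PEM framing.
install_key_from_env() {
    encoded=$1
    dest=$2
    mkdir -p "$(dirname "$dest")"
    ( umask 077 && printf '%s' "$encoded" | base64 -d > "$dest" ) || return 1
    chmod 600 "$dest"
    head -n 1 "$dest" | grep -q '^-----BEGIN ' || return 1
    tail -n 1 "$dest" | grep -q '^-----END ' || return 1
}

# Octal mode of the installed file, so a caller can verify it is 600.
key_file_mode() {
    stat -c '%a' "$1"
}
```

On the host the encoded value would be exported (for example as `GIT_PRIVATE_KEY_B64`) and passed with `--docker-args "-e GIT_PRIVATE_KEY_B64"`, and the template's command would call the decode step instead of `echo`.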