by TacticalCoder 37 days ago
> inject a temporary SSH host (private) key via cloud-init...

Reading the comments here I'm tempted to believe that if cloud-init is available and if we consider that Hetzner (and OVH etc.) provides secure access to cloud-init (i.e. the box running cloud-init is really the box you think it is), then there are many different ways to solve this problem.


I've been thinking of setting up a simple server that publishes the public keys at a known endpoint. You point an A record for one of your subdomains at the machine and it can provision a TLS cert. Then you can be reasonably confident your connection hasn't been MitM'd (assuming you trust your cert provider) when you query for those public keys.

The one presented in the article has fewer moving parts though. I'm also curious what ideas are bouncing around your head if you're willing to share.
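The verification step the scheme above implies (fetch the host's public keys over TLS, then check them against what the first SSH connection presents), as an added example that is not from either commenter: the HTTPS fetch is replaced by a constructed document, the key bytes are constructed placeholders rather than real keys, and the endpoint is assumed to serve plain OpenSSH public key lines.

```python
import base64
import hashlib
import hmac
import struct

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside OpenSSH key blobs (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def make_pubkey_line(keytype: str, raw_key: bytes, comment: str) -> str:
    """Build an OpenSSH 'type base64 comment' line; used here only to construct sample data."""
    blob = _ssh_string(keytype.encode()) + _ssh_string(raw_key)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"

def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64 of the blob hash)."""
    _keytype, b64, *_ = pubkey_line.split()
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_published(document: str) -> dict:
    """Map key type -> fingerprint for each public key line in the TLS-published document."""
    published = {}
    for line in document.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        published[line.split()[0]] = fingerprint(line)
    return published

def host_key_matches(observed_line: str, published: dict) -> bool:
    """True only if the key ssh-keyscan observed has the fingerprint the server published."""
    expected = published.get(observed_line.split()[0])
    if expected is None:
        return False  # unpublished key type: refuse rather than fall back to trust-on-first-use
    return hmac.compare_digest(expected, fingerprint(observed_line))

def known_hosts_line(host: str, pubkey_line: str) -> str:
    """Pin a verified key so ssh never shows the first-connection prompt for this host."""
    keytype, b64, *_ = pubkey_line.split()
    return f"{host} {keytype} {b64}"

# Constructed sample data (placeholder bytes, not real keys): what the endpoint would
# serve over HTTPS, what ssh-keyscan saw on the honest path, and what an interposed host would show.
SERVER_KEY = make_pubkey_line("ssh-ed25519", bytes(range(32)), "root@new-box")
PUBLISHED_DOC = "# host keys for new-box.example.net\n" + SERVER_KEY + "\n"
OBSERVED_GOOD = make_pubkey_line("ssh-ed25519", bytes(range(32)), "")
OBSERVED_MITM = make_pubkey_line("ssh-ed25519", bytes(range(1, 33)), "")
```

In practice `PUBLISHED_DOC` is the body fetched from the HTTPS endpoint and `OBSERVED_*` comes from `ssh-keyscan`; only a matching key is written to `known_hosts`.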