fix: generate initrd hostkey if necessary when system is bootstrapped; fix disko partition types

hosts/common/initrd-ssh.nix

@@ -11,4 +11,19 @@
     port = 4;
     hostKeys = [config.rekey.secrets.initrd_host_ed25519_key.path];
   };
+
+  # Make sure that there is always a valid initrd hostkey available that can be installed into
+  # the initrd. When bootstrapping a system (or re-installing), agenix cannot succeed in decrypting
+  # whatever is given, since the correct hostkey doesn't even exist yet. We still require
+  # a valid hostkey to be available so that the initrd can be generated successfully.
+  # The correct initrd host-key will be installed with the next update after the host is booted
+  # for the first time, and the secrets were rekeyed for the the new host identity.
+  system.activationScripts.agenixEnsureInitrdHostkey = {
+    text = ''
+      [[ -e ${rekey.secrets.initrd_host_ed25519_key.path} ]] \
+        || ssh-keygen -t ed25519 -N "" -f ${rekey.secrets.initrd_host_ed25519_key.path}
+    '';
+    deps = ["agenixInstall"];
+  };
+  system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
 }

hosts/ward/fs.nix

@@ -7,7 +7,7 @@
     disk = {
       m2-ssd = {
         type = "disk";
-        device = "/dev/disk/by-id/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+        device = "/dev/disk/by-id/nvme-Samsung_SSD_980_1TB_S649NL0TC36758M";
         content = {
           type = "table";
           format = "gpt";
@@ -17,6 +17,7 @@
               start = "2048";
               end = "1GiB";
               fs-type = "fat32";
+              bootable = true;
               content = {
                 type = "filesystem";
                 format = "vfat";
@@ -27,6 +28,7 @@
               name = "swap";
               start = "1GiB";
               end = "17GiB";
+              fs-type = "linux-swap";
               content = {
                 type = "swap";
                 randomEncryption = true;