feat(guests): derive stable machine-id for containers; always start sshd in containers

modules/config/ssh.nix

@@ -1,6 +1,9 @@
 {lib, ...}: {
   services.openssh = {
     enable = true;
+    # In containers, this is true by default, but we don't want that
+    # because we rely on ssh key generation for agenix
+    startWhenNeeded = lib.mkForce false;
     authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
     settings = {
       PasswordAuthentication = false;