debug

common/boot/remote-luks-unlock.nix

@@ -48,6 +48,41 @@ in
     # Use systemd-tty-ask-password-agent for interactive LUKS passphrase entry over SSH
     boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
 
+    # Candidate fix: OpenSSH resets connections before key exchange if its
+    # privilege separation directory is missing. The old scripted initrd ran
+    # `mkdir -p /var/empty`; the systemd initrd path in nixpkgs does not.
+    boot.initrd.systemd.services.sshd.preStart = lib.mkBefore ''
+      /bin/mkdir -p /var/empty
+      /bin/chmod 0755 /var/empty
+    '';
+
+    # DEBUG: independent one-shot that records the real initrd state before
+    # sshd starts, so we stop guessing. Never fails the boot.
+    boot.initrd.systemd.services.luks-unlock-debug = {
+      description = "Diagnostics for remote LUKS unlock";
+      wantedBy = [ "initrd.target" ];
+      before = [ "sshd.service" ];
+      unitConfig.DefaultDependencies = false;
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      script = ''
+        echo "===== luks-unlock-debug BEGIN ====="
+        /bin/id 2>&1 || true
+        echo "-- ls -la /var --";        /bin/ls -la /var 2>&1 || echo "no /var"
+        echo "-- /var/empty (before) --"; /bin/ls -lad /var/empty 2>&1 || echo "MISSING /var/empty"
+        echo "-- /etc/passwd --";          /bin/cat /etc/passwd 2>&1 || true
+        echo "-- /etc/ssh --";             /bin/ls -la /etc/ssh /etc/ssh/authorized_keys.d 2>&1 || true
+        echo "-- authorized_keys.d/root --"; /bin/cat /etc/ssh/authorized_keys.d/root 2>&1 || echo "MISSING"
+        echo "-- host keys --"
+        for k in ${toString cfg.sshHostKeys}; do
+          /bin/ls -la "$k" 2>&1 || echo "MISSING host key: $k"
+        done
+        echo "===== luks-unlock-debug END ====="
+      '';
+    };
+
     # Tor hidden service for remote unlock over onion
     boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock {
       "/etc/tor/onion/bootup" = cfg.onionConfig;