diff --git a/nixos/modules/profiles/cloud.nix b/nixos/modules/profiles/cloud.nix
index 86e2c74..ba131e1 100644
--- a/nixos/modules/profiles/cloud.nix
+++ b/nixos/modules/profiles/cloud.nix
@@ -1,10 +1,18 @@
 { config, lib, ... }:
 let
   secretsPath = config.dadada.secrets.path;
-  initrdHostKey = "${config.networking.hostName}-initrd-ssh_host_ed25519_key";
+  initrdHostKey = "${config.networking.hostName}-ssh_host_ed25519_key";
 in
 {
   boot.initrd.availableKernelModules = [ "virtio-pci" ];
+
+  boot.kernelParams = [
+    # Wait forever for the filesystem root to show up
+    "rootflags=x-systemd.device-timeout=0"
+
+    # Wait forever to enter the LUKS passphrase via SSH
+    "rd.luks.options=timeout=0"
+  ];
   boot.initrd.network = {
     enable = true;
     ssh = {
@@ -27,8 +35,13 @@ in
     '';
   };
 
+  assertions = lib.singleton {
+    assertion = (config.boot.initrd.network.ssh.hostKeys != [ ]) -> config.boot.loader.supportsInitrdSecrets == true;
+    message = "Refusing to store private keys in store";
+  };
+
   age.secrets."${initrdHostKey}" = {
-    file = "${secretsPath}/${initrdHostKey}.age";
+    file = "${secretsPath}/initrd-${initrdHostKey}.age";
     mode = "600";
     path = "/etc/initrd/${initrdHostKey}";
     symlink = false;
diff --git a/nixos/surgat/configuration.nix b/nixos/surgat/configuration.nix
index 6dad1ee..f2c7ba2 100644
--- a/nixos/surgat/configuration.nix
+++ b/nixos/surgat/configuration.nix
@@ -137,6 +137,10 @@ in
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/sda";
 
+  boot.kernelParams = [
+    "ip=49.12.3.98::172.31.1.1:255.255.255.255:surgat::dhcp"
+  ];
+
   services.resolved = {
     enable = true;
     fallbackDns = [ "9.9.9.9" "2620:fe::fe" ];
diff --git a/secrets/surgat-initrd-ssh_host_ed25519_key.age b/secrets/initrd-surgat-ssh_host_ed25519_key.age
similarity index 100%
rename from secrets/surgat-initrd-ssh_host_ed25519_key.age
rename to secrets/initrd-surgat-ssh_host_ed25519_key.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index d1a5265..946d855 100644
--- a/secrets/secrets.nix
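Review bot: Dropping the `initrd-` segment from `initrdHostKey` means the `age.secrets` attribute name and the decrypted path `/etc/initrd/<hostName>-ssh_host_ed25519_key` now carry exactly the base name of the host's regular SSH host key secret (`surgat-ssh_host_ed25519_key.age` is listed in secrets.nix). If any other module declares `age.secrets."<hostName>-ssh_host_ed25519_key"` for the non-initrd key, the module system would merge the two definitions rather than report a name clash, and the initrd key could end up with the other key's `file`, `mode` or `path`; I cannot see the rest of the tree, so this is a risk to confirm rather than a known conflict. Keeping the distinguishing prefix inside the variable avoids the ambiguity and also removes the `initrd-` literal that the second hunk has to splice into `file`: `initrdHostKey = "initrd-${config.networking.hostName}-ssh_host_ed25519_key";` with `file = "${secretsPath}/${initrdHostKey}.age";`. The `let` block and the `boot.initrd.network` attribute set continue outside this hunk.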
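Review bot: The new assertion's message tells the reader that something was refused but not which option to change, and the `== true` on a boolean is redundant; Nix's `->` binds loosest, so the condition parses as intended but reads as if the `==` were part of the implication. I would write `assertion = config.boot.initrd.network.ssh.hostKeys != [ ] -> config.boot.loader.supportsInitrdSecrets;` and `message = "boot.initrd.network.ssh.hostKeys is set but boot.loader.supportsInitrdSecrets is false: the initrd SSH host key would be copied into the world-readable Nix store";`. Note the check keys off `hostKeys` only; whether the agenix-provisioned `/etc/initrd/${initrdHostKey}` is what feeds `hostKeys` is decided outside this hunk, so a brief comment above `assertions` stating that linkage would help the next reader verify the guard actually covers this secret.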
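Review bot: The `ip=` kernel parameter in surgat/configuration.nix is undocumented, and its positional syntax (client-ip:server-ip:gateway:netmask:hostname:device:autoconf) is easy to misread, especially with the /32 netmask and the off-subnet gateway 172.31.1.1. A comment such as `# Static initrd address for the SSH unlock: <client-ip>::<gateway>:<netmask>:<hostname>:<device>:<autoconf>; /32 with an off-link gateway is the provider's point-to-point layout` would make the intent reviewable. The trailing `dhcp` autoconf field alongside a static address looks worth confirming: if the address is meant to be fixed, `off` (or `none`) in that field avoids a DHCP exchange running as well, though how the initrd's network generator treats the combination depends on which stage-1 is in use, which this hunk does not show. The empty device field also leaves interface selection implicit; naming it would pin which interface the pre-boot SSH listener comes up on.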
+++ b/secrets/secrets.nix
@@ -21,7 +21,7 @@ in
   "miniflux-admin-credentials.age".publicKeys = [ systems.surgat dadada ];
   "gorgon-backup-passphrase-gs.age".publicKeys = [ systems.gorgon dadada ];
   "paperless.age".publicKeys = [ systems.gorgon dadada ];
-  "surgat-initrd-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ];
+  "initrd-surgat-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ];
   "surgat-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ];
   "ninurta-initrd-ssh-key.age".publicKeys = [ systems.ninurta dadada ];
   "ddns-credentials.age".publicKeys = [ systems.agares systems.ninurta dadada ];