diff --git a/nixos/modules/profiles/cloud.nix b/nixos/modules/profiles/cloud.nix
new file mode 100644
index 0000000..39e5bf1
--- /dev/null
+++ b/nixos/modules/profiles/cloud.nix
@@ -0,0 +1,34 @@
+{ config, lib, ... }:
+let
+ secretsPath = config.dadada.secrets.path;
+ initrdHostKey = "${config.networking.hostName}-ssh_host_ed25519_key";
+in
+{
+ boot.initrd.availableKernelModules = [ "virtio-pci" ];
+ boot.initrd.network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 43235;
+ hostKeys = [
+ age.secrets."${initrdHostKey}"
+ ];
+ authorizedKeys = with lib;
+ concatLists (mapAttrsToList
+ (name: user:
+ if elem "wheel" user.extraGroups then
+ user.openssh.authorizedKeys.keys
+ else
+ [ ])
+ config.users.users);
+ };
+ postCommands = ''
+ echo 'cryptsetup-askpass' >> /root/.profile
+ '';
+ };
+
+ age.secrets."${initrdHostKey}" = {
+ file = "${secretsPath}/${initrdHostKey}";
+ mode = "600";
+ };
+}
diff --git a/nixos/modules/profiles/server.nix b/nixos/modules/profiles/server.nix
index 2bb73ec..31086f2 100644
--- a/nixos/modules/profiles/server.nix
+++ b/nixos/modules/profiles/server.nix
@@ -26,7 +26,7 @@ with lib; {
 system.autoUpgrade = {
 enable = true;
 flake = "github:dadada/nix-config#${config.networking.hostName}";
- allowReboot = true;
+ allowReboot = mkDefault true;
 randomizedDelaySec = "45min";
 };
diff --git a/nixos/surgat/configuration.nix b/nixos/surgat/configuration.nix
index f80b215..4e73860 100644
--- a/nixos/surgat/configuration.nix
+++ b/nixos/surgat/configuration.nix
@@ -113,5 +113,7 @@ in
 ];
 };
+ system.autoUpgrade.allowReboot = false;
+
 system.stateVersion = "20.09";
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3fd977e..1ff2383 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
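Review bot: `hostKeys = [ age.secrets."${initrdHostKey}" ]` in the new cloud.nix uses `age` as a free variable; the module only receives `config`, `lib` and `...`, so evaluation should fail with an undefined-variable error unless `age` is injected as an extra module argument somewhere outside this diff, and since `boot.initrd.network.ssh.hostKeys` takes key file paths rather than the secret attrset, the line should read `config.age.secrets."${initrdHostKey}".path`. The `file = "${secretsPath}/${initrdHostKey}"` line also drops the `.age` suffix that the matching entry added in secrets/secrets.nix carries, so unless `config.dadada.secrets.path` resolves names differently from that directory the two will not line up. Because NixOS ships initrd host keys inside the initrd image under /boot, the decrypted key lives outside the LUKS volume regardless of how it is stored in the repo; a comment such as `# initrd-only host key: it is copied into the initrd in /boot, never reuse the stage-2 sshd key here` would make that deliberate separation explicit for the next reader.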
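Review bot: `system.autoUpgrade.allowReboot = false;` in surgat/configuration.nix overrides the profile default without saying why, so a reader has to correlate it with the new cloud profile and the surgat initrd host key secret added in the same commit; presumably an unattended reboot would stop at the initrd cryptsetup prompt until someone unlocks the disk over SSH. A one-line comment above it, `# unattended reboots would block at the initrd LUKS prompt until unlocked over ssh`, would record that. The enclosing attrset starts outside the hunk.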
@@ -19,6 +19,7 @@ in
 "hydra-github-authorization.age".publicKeys = [ systems.pruflas dadada ];
 "miniflux-admin-credentials.age".publicKeys = [ systems.surgat dadada ];
 "gorgon-backup-passphrase-gs.age".publicKeys = [ systems.gorgon dadada ];
+ "surgat-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ];
 } // backupSecrets "gorgon" // backupSecrets "ifrit" //
diff --git a/secrets/surgat-ssh_host_ed25519_key.age b/secrets/surgat-ssh_host_ed25519_key.age
new file mode 100644
index 0000000..48860ab
Binary files /dev/null and b/secrets/surgat-ssh_host_ed25519_key.age differ