2 files changed, 10 insertions, 6 deletions

diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix
index 60298362d767..4c3d30e346c5 100644
--- a/nixos/modules/system/activation/activation-script.nix
+++ b/nixos/modules/system/activation/activation-script.nix
@@ -142,10 +142,10 @@ in
         # Empty, immutable home directory of many system accounts.
         mkdir -p /var/empty
         # Make sure it's really empty
-        ${pkgs.e2fsprogs}/bin/chattr -i /var/empty
+        ${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true
         find /var/empty -mindepth 1 -delete
         chmod 0555 /var/empty
-        ${pkgs.e2fsprogs}/bin/chattr +i /var/empty
+        ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
       '';
 
     system.activationScripts.usrbinenv = if config.environment.usrbinenv != null
diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix
index bc899984c57d..a8c7d4b3ee5e 100644
--- a/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixos/modules/system/boot/initrd-ssh.nix
@@ -85,10 +85,14 @@ in
   };
 
   config = mkIf (config.boot.initrd.network.enable && cfg.enable) {
-    assertions = [ {
-      assertion = cfg.hostRSAKey != null || cfg.hostDSSKey != null || cfg.hostECDSAKey != null;
-      message = "You should specify at least one host key for initrd SSH";
-    } ];
+    assertions = [
+      { assertion = cfg.hostRSAKey != null || cfg.hostDSSKey != null || cfg.hostECDSAKey != null;
+        message = "You should specify at least one host key for initrd SSH";
+      }
+      { assertion = cfg.authorizedKeys != [];
+        message = "You should specify at least one authorized key for initrd SSH";
+      }
+    ];
 
     boot.initrd.extraUtilsCommands = ''
       copy_bin_and_libs ${pkgs.dropbear}/bin/dropbear