Fix initramfs SSH and Clevis compatibility issues

- Replace tinyssh with dropbear for better AlmaLinux compatibility
- Create custom dracut module for dropbear SSH access
- Fix clevis-luks-askpass.path for AlmaLinux 8.7+ (not needed)
- Fix dotfiles installation basename error
- Remove duplicate epel-release installation
- Update README to reflect dropbear on port 22

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

post-install.sh

@@ -87,9 +87,16 @@ su - ${ALMA_USER} -c 'export RUNZSH=no CHSH=no KEEP_ZSHRC=yes && bash -c "$(wget
 # Clone powerlevel10k theme
 su - ${ALMA_USER} -c 'git clone --depth=1 https://github.com/romkatv/powerlevel10k.git ~/.oh-my-zsh/custom/themes/powerlevel10k' 2>/dev/null || echo "WARNING: powerlevel10k installation failed"
 
-# Install dotfiles from git repo
+# Install dotfiles from git repo (cloning needed as we're in chroot)
 echo "[+] Installing dotfiles..."
-su - ${ALMA_USER} -c 'cd && git clone https://git.dominik-roth.eu/dodox/nullpoint.git /tmp/nullpoint-dotfiles && cp /tmp/nullpoint-dotfiles/dotfiles/.* . 2>/dev/null || true && rm -rf /tmp/nullpoint-dotfiles' || echo "WARNING: dotfiles installation failed"
+su - ${ALMA_USER} -c '
+    cd && 
+    git clone https://git.dominik-roth.eu/dodox/nullpoint.git /tmp/nullpoint-dotfiles && 
+    for file in /tmp/nullpoint-dotfiles/dotfiles/.*; do
+        [ -f "$file" ] && cp "$file" . 2>/dev/null || true
+    done &&
+    rm -rf /tmp/nullpoint-dotfiles
+' || echo "WARNING: dotfiles installation failed"
 
 # Set up MOTD
 if [ "$ENABLE_MOTD" = true ]; then
@@ -107,9 +114,9 @@ dnf install -y \
   tree gcc make autoconf automake tar bzip2 || exit 1
 
 
-# Install dropbear and dracut-sshd for early boot SSH
-echo "[+] Installing dropbear and dracut-sshd..."
-dnf install -y dropbear dracut-network dracut-sshd || exit 1
+# Install dropbear for early boot SSH
+echo "[+] Installing dropbear for early boot SSH..."
+dnf install -y dropbear dracut-network || exit 1
 
 # Install lsd and bat
 echo "[+] Installing lsd and bat..."
@@ -190,36 +197,107 @@ fi
 # Configure dropbear for remote unlock
 echo "[+] Configuring dropbear SSH for remote unlock..."
 
-# Setup dropbear directory
-mkdir -p /etc/dropbear
+# Create custom dracut module for dropbear SSH
+mkdir -p /usr/lib/dracut/modules.d/60dropbear-ssh
 
-# Add SSH key for initramfs access
-echo "${SSH_KEY}" > /etc/dropbear/initramfs.authorized_keys
-chmod 600 /etc/dropbear/initramfs.authorized_keys
-
-# Configure dracut to include dropbear
-cat > /etc/dracut.conf.d/99-dropbear-sshd.conf << 'EOF'
-# Enable network and SSH in initramfs
-add_dracutmodules+=" network sshd "
-# Ensure we wait for network
-rd_neednet=1
-EOF
-
-# Create a helper script for LUKS unlocking
-cat > /usr/local/bin/cryptroot-unlock << 'EOF'
+# Create the module setup script
+cat > /usr/lib/dracut/modules.d/60dropbear-ssh/module-setup.sh << 'EOF'
 #!/bin/bash
-echo "Starting LUKS unlock process..."
-echo "Available LUKS devices:"
-ls /dev/mapper/luks-* 2>/dev/null || echo "No LUKS devices found yet"
-echo ""
-echo "Triggering password prompts..."
-systemd-tty-ask-password-agent
-EOF
-chmod +x /usr/local/bin/cryptroot-unlock
 
-# Ensure the helper script is available in initramfs
-cat >> /etc/dracut.conf.d/99-dropbear-sshd.conf << 'EOF'
-install_items+=" /usr/local/bin/cryptroot-unlock "
+check() {
+    require_binaries dropbear dbclient dropbearkey dropbearconvert || return 1
+    return 0
+}
+
+depends() {
+    echo network
+}
+
+install() {
+    inst_multiple dropbear dbclient dropbearkey dropbearconvert
+    
+    # Create directories
+    inst_dir /etc/dropbear
+    inst_dir /var/log
+    inst_dir /root/.ssh
+    
+    # Copy authorized keys if they exist
+    if [ -f /etc/dropbear/authorized_keys ]; then
+        inst /etc/dropbear/authorized_keys /root/.ssh/authorized_keys
+    fi
+    
+    # Generate host keys if they don't exist
+    for keytype in rsa ecdsa ed25519; do
+        keyfile="/etc/dropbear/dropbear_${keytype}_host_key"
+        if [ ! -f "$keyfile" ]; then
+            dropbearkey -t $keytype -f "$keyfile" 2>/dev/null
+        fi
+        [ -f "$keyfile" ] && inst "$keyfile"
+    done
+    
+    # Install the service
+    inst_simple "$moddir/dropbear.service" /etc/systemd/system/dropbear.service
+    systemctl -q --root "$initdir" enable dropbear.service
+    
+    # Install unlock helper
+    inst_simple "$moddir/unlock-luks.sh" /usr/bin/unlock-luks
+    chmod 755 "$initdir/usr/bin/unlock-luks"
+}
+EOF
+
+# Create systemd service for dropbear
+cat > /usr/lib/dracut/modules.d/60dropbear-ssh/dropbear.service << 'EOF'
+[Unit]
+Description=Dropbear SSH Server
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/dropbear -R -E -p 22
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=sysinit.target
+EOF
+
+# Create unlock helper script
+cat > /usr/lib/dracut/modules.d/60dropbear-ssh/unlock-luks.sh << 'EOF'
+#!/bin/bash
+echo "=== LUKS Remote Unlock Helper ==="
+echo ""
+echo "Available block devices:"
+lsblk -o NAME,SIZE,TYPE,FSTYPE
+echo ""
+echo "Encrypted devices waiting for unlock:"
+systemd-ask-password --list
+echo ""
+echo "To unlock, run: systemd-tty-ask-password-agent"
+echo ""
+exec systemd-tty-ask-password-agent
+EOF
+
+chmod +x /usr/lib/dracut/modules.d/60dropbear-ssh/*.sh
+
+# Setup dropbear authorized keys
+mkdir -p /etc/dropbear
+echo "${SSH_KEY}" > /etc/dropbear/authorized_keys
+chmod 600 /etc/dropbear/authorized_keys
+
+# Generate host keys
+for keytype in rsa ecdsa ed25519; do
+    keyfile="/etc/dropbear/dropbear_${keytype}_host_key"
+    [ ! -f "$keyfile" ] && dropbearkey -t $keytype -f "$keyfile"
+done
+
+# Configure dracut
+cat > /etc/dracut.conf.d/60-dropbear-ssh.conf << 'EOF'
+# Enable network and dropbear SSH
+add_dracutmodules+=" network dropbear-ssh "
+# Network configuration
+kernel_cmdline="rd.neednet=1"
 EOF
 
 # Regenerate initramfs