copy over ssh host keys

nixos-kexec-installer preserves SSH host keys, so should we, to avoid
changing host identity.

See also
- https://github.com/nix-community/nixos-images/blob/c4c73bce65306a1e747684dd0d4bcf0ab2779585/nix/kexec-installer/kexec-run.sh#L42C1-L46C1
- https://github.com/nix-community/nixos-images/blob/c4c73bce65306a1e747684dd0d4bcf0ab2779585/nix/installer.nix#L44-L55

src/nixos-anywhere.sh

@@ -29,6 +29,8 @@ Options:
   use another kexec tarball to bootstrap NixOS
 * --post-kexec-ssh-port <ssh_port>
   after kexec is executed, use a custom ssh port to connect. Defaults to 22
+* --no-copy-host-keys
+  do not copy over existing /etc/ssh/ssh_host_* host keys to the installation
 * --stop-after-disko
   exit after disko formatting, you can then proceed to install manually or some other way
 * --extra-files <file...>
@@ -119,6 +121,10 @@ while [[ $# -gt 0 ]]; do
     post_kexec_ssh_port=$2
     shift
     ;;
+  --no-copy-host-keys)
+    no_copy_host_keys=y
+    shift
+    ;;
   --debug)
     enable_debug="-x"
     print_build_logs=y
@@ -450,13 +456,22 @@ fi
 
 step Installing NixOS
 ssh_ bash <<SSH
-set -efu ${enable_debug}
+set -eu ${enable_debug}
 # when running not in nixos we might miss this directory, but it's needed in the nixos chroot during installation
-export PATH=\$PATH:/run/current-system/sw/bin 
+export PATH="\$PATH:/run/current-system/sw/bin"
 
 # needed for installation if initrd-secrets are used
 mkdir -p /mnt/tmp
 chmod 777 /mnt/tmp
+if [[ ${no_copy_host_keys-n} == "n" ]]; then
+  # NB nixos-kexec-installer preserves host keys, so do we. Run before install
+  # since tools like nix-sops need secrets for activation.
+  mkdir -m 755 -p /mnt/etc/ssh
+  for p in /etc/ssh/ssh_host_*; do
+    test -e "\$p" || continue
+    cp -a "\$p" /mnt/etc/ssh
+  done
+fi
 nixos-install --no-root-passwd --no-channel-copy --system "$nixos_system"
 if command -v zpool >/dev/null; then
   zpool export -a || : # we always want to export the zfs pools so people can boot from it without force import