diff --git a/hosts/common/ssh.nix b/hosts/common/ssh.nix
index 9924e8e4..52223926 100644
--- a/hosts/common/ssh.nix
+++ b/hosts/common/ssh.nix
@@ -1,7 +1,7 @@
 { config, lib, sane-data, sane-lib, ... }:
 
 let
- inherit (builtins) head map mapAttrs tail;
+ inherit (builtins) attrValues head map mapAttrs tail;
 inherit (lib) concatStringsSep mkMerge reverseList;
 in
 {
@@ -18,11 +18,21 @@ in
 
 # [{ path :: [String], value :: String }] for the keys we want to install
 globalKeys = sane-lib.flattenAttrs sane-data.keys;
+
+ keysForHost = hostCfg: sane-lib.mapToAttrs
+ (name: {
+ inherit name;
+ value = {
+ colin = hostCfg.ssh.user_pubkey;
+ root = hostCfg.ssh.host_pubkey;
+ };
+ })
+ hostCfg.names
+ ;
 domainKeys = sane-lib.flattenAttrs (
- mapAttrs (host: cfg: {
- colin = cfg.ssh.user_pubkey;
- root = cfg.ssh.host_pubkey;
- }) config.sane.hosts.by-name
+ sane-lib.joinAttrsets (
+ map keysForHost (builtins.attrValues config.sane.hosts.by-name)
+ )
 );
 in
 mkMerge (map ({ path, value }: {
diff --git a/hosts/modules/hostnames.nix b/hosts/modules/hostnames.nix
index 0d147a4d..46d80946 100644
--- a/hosts/modules/hostnames.nix
+++ b/hosts/modules/hostnames.nix
@@ -11,6 +11,7 @@
 name = cfg.lan-ip;
 value = [ host ];
 }) config.sane.hosts.by-name)
+
 (lib.mapAttrs' (host: cfg: {
 # -hn suffixed name for communication over my wg-home VPN.
 # hn = "home network"
diff --git a/hosts/modules/hosts.nix b/hosts/modules/hosts.nix
index c1085686..bdb40b81 100644
--- a/hosts/modules/hosts.nix
+++ b/hosts/modules/hosts.nix
@@ -4,8 +4,14 @@ let
 inherit (lib) attrValues filterAttrs mkMerge mkOption types;
 cfg = config.sane.hosts;
 
- host = types.submodule ({ config, ... }: {
+ host = types.submodule ({ config, name, ... }: {
 options = {
+ names = mkOption {
+ type = types.listOf types.str;
+ description = ''
+ all names by which this host is reachable
+ '';
+ };
 ssh.user_pubkey = mkOption {
 type = types.str;
 description = ''
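Review bot: In `domainKeys`, the per-host attrsets built by `keysForHost` are merged with `sane-lib.joinAttrsets`, whose behaviour on duplicate keys is not visible here. If two hosts ever share an entry in `names` (for example a host literally named `foo-hn` next to a wg-home host `foo`), one host's pubkeys could silently replace the other's under that name. Because these entries decide which SSH key is trusted for a name, I would add an assertion that names are unique across `config.sane.hosts.by-name`, or confirm that `joinAttrsets` fails on a collision. Minor: the first hunk adds `attrValues` to `inherit (builtins)`, but this hunk still writes `builtins.attrValues`; use `map keysForHost (attrValues config.sane.hosts.by-name)`. The enclosing `let` block starts and ends outside the hunk.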
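Review bot: The description of the new `names` option does not say that the value is derived or that it is trust-relevant. It is a plain `types.listOf types.str`, so a definition made elsewhere would be concatenated with the computed one, and ssh.nix pairs the host's pubkeys with every entry. I would expand the description to something like `all names by which this host is reachable; computed from the host name and its wg-home settings, and each entry is paired with this host's SSH keys`. The submodule body continues outside the hunk.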
@@ -48,6 +54,11 @@ let
 '';
 };
 };
+
+ config = {
+ names = [ name ]
+ ++ lib.optional (config.wg-home.ip != null) "${name}-hn";
+ };
 });
 in
 {
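Review bot: The `"${name}-hn"` suffix in `config.names` repeats the naming rule that hostnames.nix implements separately (its comment describes the `-hn` suffixed name for wg-home), so the two can drift apart. If they do, SSH keys would be pinned for a name that no longer resolves, or a resolvable name would have no pinned key and be left to the client's unknown-host policy. Consider defining the suffix once and having hostnames.nix build its wg-home entry from it, with a comment such as `# keep in sync with the -hn entry in hostnames.nix` until then. The check `config.wg-home.ip != null` presumably relies on that option defaulting to null; its declaration is not in this hunk.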