diff --git a/hosts/by-name/rescue/default.nix b/hosts/by-name/rescue/default.nix
index cc50425e..65bc949e 100644
--- a/hosts/by-name/rescue/default.nix
+++ b/hosts/by-name/rescue/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
 imports = [
 ./fs.nix
@@ -7,7 +7,7 @@
 boot.loader.generic-extlinux-compatible.enable = true;
 boot.loader.efi.canTouchEfiVariables = false;
 sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
- sane.persist.enable = false;
+ # sane.persist.enable = false; # TODO: disable (but run `nix flake check` to ensure it works!)
 sane.nixcache.enable = false; # don't want to be calling out to dead machines that we're *trying* to rescue
 # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
diff --git a/hosts/common/home/ssh.nix b/hosts/common/home/ssh.nix
index 97adf744..4e19967c 100644
--- a/hosts/common/home/ssh.nix
+++ b/hosts/common/home/ssh.nix
@@ -3,7 +3,8 @@ with lib;
 let
 host = config.networking.hostName;
- user-pubkey = config.sane.ssh.pubkeys."colin@${host}".asUserKey;
+ user-pubkey-full = config.sane.ssh.pubkeys."colin@${host}" or {};
+ user-pubkey = user-pubkey-full.asUserKey or null;
 host-keys = filter (k: k.user == "root") (attrValues config.sane.ssh.pubkeys);
 known-hosts-text = concatStringsSep "\n"
@@ -13,7 +14,8 @@ in
 {
 # ssh key is stored in private storage
 sane.user.persist.private = [ ".ssh/id_ed25519" ];
- sane.user.fs.".ssh/id_ed25519.pub" = sane-lib.fs.wantedText user-pubkey;
+ sane.user.fs.".ssh/id_ed25519.pub" =
+ mkIf (user-pubkey != null) (sane-lib.fs.wantedText user-pubkey);
 sane.user.fs.".ssh/known_hosts" = sane-lib.fs.wantedText known-hosts-text;
 users.users.colin.openssh.authorizedKeys.keys =
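Review bot: The TODO on the commented-out `sane.persist.enable = false;` in hosts/by-name/rescue/default.nix (hunk `@@ -7,7 +7,7 @@`) does not record what breaks when persistence is disabled. With the line commented out, the rescue image takes whatever default the `sane.persist` module sets, and that default is not visible in this diff. I would extend the comment to name the failing check and to state that the rescue host currently builds with the module default, so the setting is not forgotten on an image meant to boot on broken machines.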
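Review bot: The `or {}` and `or null` fallbacks in the `let` block of hosts/common/home/ssh.nix (hunk `@@ -3,7 +3,8 @@`) silently absorb two different mistakes: a missing `colin@${host}` entry, and an entry that exists but lacks `asUserKey`. Combined with the `mkIf (user-pubkey != null)` in hunk `@@ -13,7 +14,8 @@`, a host whose key entry is misspelled or forgotten now evaluates cleanly and simply ships without `.ssh/id_ed25519.pub`, where before it failed at evaluation. If the fallback is only meant for hosts like the rescue image, I would surface it, for example with `warnings = optional (user-pubkey == null) "no ssh pubkey declared for colin@${host}";` in the config body. The `let` block and the `authorizedKeys` assignment both continue outside the visible hunks, so whether other consumers of `config.sane.ssh.pubkeys` tolerate the missing entry cannot be judged from here.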