diff --git a/modules/impermanence.nix b/modules/impermanence.nix
index 85a1d93b..d2d85855 100644
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@@ -41,7 +41,7 @@ in
 sane.image.extraDirectories = [ "/nix/persist/var/log" ];
 environment.persistence."/nix/persist" = {
 directories = (map-home-dirs cfg.home-dirs) ++ (map-sys-dirs [
- # TODO: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
+ # NB: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
 # { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
 # "/etc/nixos"
 # "/etc/ssh" # persist only the specific files we want, instead
@@ -71,7 +71,15 @@ in
 #
 # servo additions:
 ] ++ cfg.service-dirs);
- files = [ "/etc/machine-id" ];
+ # /etc/machine-id is a globally unique identifier used for:
+ # - systemd-networkd: DHCP lease renewal (instead of keying by the MAC address)
+ # - systemd-journald: to filter logs by host
+ # - chromium (potentially to track re-installations)
+ # - gdbus; system services that might upgrade to AF_LOCAL if both services can confirm they're on the same machine
+ # of these, systemd-networkd is the only legitimate case to persist the machine-id.
+ # depersisting it should be "safe"; edge-cases like systemd-networkd can be directed to use some other ID if necessary.
+ # nixos-impermanence shows binding the host ssh priv key to this; i could probably hash the host key into /etc/machine-id if necessary.
+ # files = [ "/etc/machine-id" ];
 };
 # secret decoding depends on /etc/ssh keys, which may be persisted
diff --git a/modules/universal/default.nix b/modules/universal/default.nix
index eba5d4c7..55684ff4 100644
--- a/modules/universal/default.nix
+++ b/modules/universal/default.nix
@@ -7,6 +7,7 @@
 ./home-manager
 ./home-packages.nix
 ./net.nix
+ ./machine-id.nix
 ./secrets.nix
 ./ssh.nix
 ./system-packages.nix
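Review bot: The nine-line comment that replaces `files = [ "/etc/machine-id" ];` explains why the id is no longer persisted but never says where it now comes from, so a reader of this file cannot find the replacement without git history; a pointer such as `# /etc/machine-id is now derived from the host ssh key at activation time: see modules/universal/machine-id.nix` would close that gap. The journald bullet also understates the consequence: the persistent journal lives under `/var/log/journal/<machine-id>/`, and since this file persists `/nix/persist/var/log` (first context line of the previous hunk), an id that changes per boot splits the journal rather than merely changing a filter field, which is presumably why the derivation module exists and is worth stating here. The trailing `# files = [ "/etc/machine-id" ];` can be dropped outright now that the comment records the decision. The enclosing `environment.persistence."/nix/persist"` attribute set starts in the previous hunk.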
diff --git a/modules/universal/machine-id.nix b/modules/universal/machine-id.nix
new file mode 100644
index 00000000..08cf8eab
--- /dev/null
+++ b/modules/universal/machine-id.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+ # we wan't an /etc/machine-id which is consistent across boot so that `journalctl` will actually show us
+ # logs from previous boots.
+ # maybe there's a config option for this (since persistent machine-id is bad for reasons listed in impermanence.nix),
+ # but for now generate it from ssh keys.
+ system.activationScripts.machine-id = {
+ deps = [ "persist-ssh-host-keys" ];
+ text = "sha256sum /etc/ssh/host_keys/ssh_host_ed25519_key | cut -c 1-32 > /etc/machine-id";
+ };
+}
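Review bot: The activation script in `text` writes `/etc/machine-id` unconditionally, so if `/etc/ssh/host_keys/ssh_host_ed25519_key` is missing or unreadable the `sha256sum` error goes to stderr while `cut` still exits 0 and the redirection truncates `/etc/machine-id` to empty; systemd then regenerates the id at the next boot, silently defeating the stated goal of stable journal history. The `>` redirection also rewrites the file in place rather than through a temporary file and `mv`, so a reader racing the activation (e.g. during `nixos-rebuild switch`) could observe an empty or partial id. Hashing the private key rather than the `.pub` file is defensible, since machine-id(5) asks that the id be treated as confidential and the public key is known to every SSH client, but the result is then literally the first 128 bits of SHA-256 of the key file; prefixing a fixed label before hashing keeps it from coinciding with any other plain digest of that file. `wan't` in the first comment line is a typo for `want`. A guarded, atomic version:
```nix
  # … unchanged: header comment …
  system.activationScripts.machine-id = {
    deps = [ "persist-ssh-host-keys" ];
    text = ''
      key=/etc/ssh/host_keys/ssh_host_ed25519_key
      if [ -r "$key" ]; then
        # label prefix: the id is a derived value, not a bare digest of the key file
        id=$( { printf 'machine-id\n'; cat "$key"; } | sha256sum | cut -c 1-32 )
        printf '%s\n' "$id" > /etc/machine-id.tmp && mv /etc/machine-id.tmp /etc/machine-id
      else
        echo "machine-id: $key not readable; leaving /etc/machine-id untouched" >&2
      fi
    '';
  };
```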