diff --git a/hosts/common/ssh.nix b/hosts/common/ssh.nix
index 1f52815a..0e3edefc 100644
--- a/hosts/common/ssh.nix
+++ b/hosts/common/ssh.nix
@@ -1,13 +1,17 @@
 { config, lib,  sane-lib, ... }:
 
 let
-  keysForHost = hostName: let
-    hostCfg = config.sane.hosts.by-name."${hostName}";
-  in {
-    "root@${hostName}" = hostCfg.ssh.host_pubkey;
-    "colin@${hostName}" = lib.mkIf (hostCfg.ssh.user_pubkey != null && hostCfg.ssh.authorized) hostCfg.ssh.user_pubkey;
-  };
-  hostKeys = builtins.map keysForHost (builtins.attrNames config.sane.hosts.by-name);
+  hostKeys = lib.mapAttrsToList
+    (hostName: hostCfg:
+      # generate `root@servo`, `colin@servo`, `root@servo-hn`, `colin@servo-hn`, ... as a single attrset:
+      lib.foldl' (acc: alias: acc // {
+        "root@${alias}" = hostCfg.ssh.host_pubkey;
+        "colin@${alias}" = lib.mkIf (hostCfg.ssh.user_pubkey != null && hostCfg.ssh.authorized) hostCfg.ssh.user_pubkey;
+      })
+      {}
+      hostCfg.names
+    )
+    config.sane.hosts.by-name;
 in
 {
   sane.ssh.pubkeys = lib.mkMerge (hostKeys ++ [