diff --git a/modules/impermanence.nix b/modules/impermanence.nix
index 6c2c06b4f..85a1d93b9 100644
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@@ -74,15 +74,13 @@ in
 files = [ "/etc/machine-id" ];
 };
-# secret decoding depends on /etc/ssh keys, which are persisted
+# secret decoding depends on /etc/ssh keys, which may be persisted
 system.activationScripts.setupSecrets.deps = [ "persist-ssh-host-keys" ];
 system.activationScripts.setupSecretsForUsers = lib.mkIf secretsForUsers {
 deps = [ "persist-ssh-host-keys" ];
 };
-system.activationScripts.persist-ssh-host-keys = {
-text = "mount /etc/ssh/host_keys";
-deps = [ "createPersistentStorageDirs" ]; # provided by impermanence; ensures both mount endpoints exist
-};
+# populated by ssh.nix, which persists /etc/ssh/host_keys
+system.activationScripts.persist-ssh-host-keys.text = lib.mkDefault "";
 };
 }
diff --git a/modules/universal/ssh.nix b/modules/universal/ssh.nix
index 71a625ecd..10c8d4eef 100644
--- a/modules/universal/ssh.nix
+++ b/modules/universal/ssh.nix
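Review bot: With the `createPersistentStorageDirs` dependency dropped and `persist-ssh-host-keys.text` reduced to `lib.mkDefault ""`, nothing in this module fails or warns when the overriding module is not imported, yet `setupSecrets` and `setupSecretsForUsers` still order themselves after a script that then does nothing, so secret decoding would presumably run against whatever non-persisted `/etc/ssh` contents exist on that boot. The reworded comment ("may be persisted") acknowledges the possibility but not the consequence. I would state the contract next to the stub: `# empty stub: unless another module (e.g. ssh.nix) overrides this, host keys are NOT persisted and secrets that depend on them are not expected to decode across reboots`. If an un-overridden stub is never an intended configuration, an assertion that `config.system.activationScripts.persist-ssh-host-keys.text != ""` would catch it at evaluation time instead. The enclosing attribute set begins before this hunk.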
@@ -1,9 +1,19 @@
 { ... }:
 {
-# we place the host keys (which we want to be persisted) into their own directory to ease that.
+# we place the host keys (which we want to be persisted) into their own directory so that we can
+# bind mount that whole directory instead of doing it per-file.
 # otherwise, this is identical to nixos defaults
 sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
+# we can't naively `mount /etc/ssh/host_keys` directly,
+# as /etc/fstab may not be populated yet (since that file depends on e.g. activationScripts.users)
+# we can't even depend on impermanence's `createPersistentStorageDirs` to create the source/target directories
+# since that also depends on `users`.
+system.activationScripts.persist-ssh-host-keys.text = ''
+mkdir -p /etc/ssh/host_keys
+mount --bind /nix/persist/etc/ssh/host_keys /etc/ssh/host_keys
+'';
+
 services.openssh.hostKeys = [
 { type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
 { type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
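Review bot: The new activation snippet creates only the target side of the bind mount; if `/nix/persist/etc/ssh/host_keys` is absent (first boot, or a persist volume restored without it) `mount --bind` fails, activation carries on, and sshd would presumably generate fresh keys into the now-ephemeral `/etc/ssh/host_keys` — a silent host-key rotation on every boot, with clients seeing a changed-key warning and, per the dependency declared in impermanence.nix, secret decoding running without the persisted keys. The snippet is also not idempotent: activation scripts run on every `nixos-rebuild switch`, not just at boot, and each run stacks another bind mount on the same mountpoint. I would create both endpoints and skip the mount when one is already in place, letting a genuinely failed `mount` keep its non-zero status so the activation machinery can report it; whether `mountpoint` is on the activation PATH should be confirmed (util-linux is expected there since `mount` itself is used).
```nix
system.activationScripts.persist-ssh-host-keys.text = ''
  mkdir -p /nix/persist/etc/ssh/host_keys /etc/ssh/host_keys
  # idempotent: activation runs on every switch, not only at boot
  if ! mountpoint -q /etc/ssh/host_keys; then
    mount --bind /nix/persist/etc/ssh/host_keys /etc/ssh/host_keys
  fi
'';
```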