diff --git a/modules/impermanence.nix b/modules/impermanence.nix
index fd462990..b5d7b483 100644
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@@ -71,17 +71,7 @@ in
 
 # # servo additions:
 ] ++ cfg.service-dirs);
- files = [
- "/etc/machine-id"
- "/etc/ssh/ssh_host_ed25519_key"
- "/etc/ssh/ssh_host_ed25519_key.pub"
- "/etc/ssh/ssh_host_rsa_key"
- "/etc/ssh/ssh_host_rsa_key.pub"
- # # XXX these only need persistence because i have mutableUsers = true, i think
- # "/etc/group"
- # "/etc/passwd"
- # "/etc/shadow"
- ];
+ files = [ "/etc/machine-id" ];
 };
 
 # secret decoding depends on /etc/ssh keys, which are persisted
@@ -93,15 +83,14 @@ in
 # but it's a decent safety net in case something goes wrong.
 # system.activationScripts.setupSecretsForUsers.deps = [ "persist-files" ];
 system.activationScripts.setupSecretsForUsers= lib.mkIf secretsForUsers {
- deps = [ "persist-ssh-host-key" ];
+ deps = [ "persist-ssh-host-keys" ];
 };
- system.activationScripts.persist-ssh-host-key = lib.mkIf secretsForUsers (
+ system.activationScripts.persist-ssh-host-keys = lib.mkIf secretsForUsers (
 let
- key = "/etc/ssh/ssh_host_ed25519_key";
+ key_dir = "/etc/ssh/host_keys";
 in ''
- mkdir -p /etc/ssh
- touch ${key}
- mount -o bind /nix/persist${key} ${key}
+ mkdir -p ${key_dir}
+ mount -o bind /nix/persist${key_dir} ${key_dir}
 ''
 );
 };
diff --git a/modules/universal/default.nix b/modules/universal/default.nix
index ca2ea615..eba5d4c7 100644
--- a/modules/universal/default.nix
+++ b/modules/universal/default.nix
@@ -8,6 +8,7 @@
 ./home-packages.nix
 ./net.nix
 ./secrets.nix
+ ./ssh.nix
 ./system-packages.nix
 ./users.nix
 ./vpn.nix
diff --git a/modules/universal/secrets.nix b/modules/universal/secrets.nix
index b618c117..306deabe 100644
--- a/modules/universal/secrets.nix
+++ b/modules/universal/secrets.nix
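Review bot: With the host keys dropped from `files`, the context comment `# secret decoding depends on /etc/ssh keys, which are persisted` at the bottom of the hunk no longer says how they are persisted — after this commit they come in only through `sane.impermanence.service-dirs` (set to `/etc/ssh/host_keys` in modules/universal/ssh.nix) plus the bind-mount safety net in the next hunk, not through this list. I'd reword it to `# secret decoding depends on /etc/ssh/host_keys, persisted via sane.impermanence.service-dirs (see modules/universal/ssh.nix) and bind-mounted below as a safety net` so the next reader does not look for the keys here. The `files` attribute sits inside an attribute set whose opening is outside the hunk.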
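Review bot: `mount -o bind /nix/persist${key_dir} ${key_dir}` is unguarded, so every `nixos-rebuild switch` re-runs the activation script and stacks another bind mount on `/etc/ssh/host_keys` (the old `touch` + `mount` had the same flaw), and on a fresh host where `/nix/persist/etc/ssh/host_keys` does not exist yet the mount fails, leaving a plain non-persistent directory that sshd will presumably populate with throwaway host keys while sops has no key to decrypt with. I'd make the script idempotent and create the persistent side too: `mkdir -p /nix/persist${key_dir} ${key_dir}` followed by `mountpoint -q ${key_dir} || mount -o bind /nix/persist${key_dir} ${key_dir}`. The `mountpoint` guard also avoids double-mounting when the impermanence module has already bind-mounted the directory from `service-dirs`. Since `mkdir -p` honours the umask, consider an explicit `chmod 0755` (or stricter) on the persistent directory, as private keys live there and only the key files themselves are expected to be 0600.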
@@ -35,7 +35,7 @@ sops.defaultSopsFile = ./../../secrets/universal.yaml;
 # This will automatically import SSH keys as age keys
 sops.age.sshKeyPaths = [
- "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/host_keys/ssh_host_ed25519_key"
 ];
 sops.gnupg.sshKeyPaths = []; # disable RSA key import
 # This is using an age key that is expected to already be in the filesystem
diff --git a/modules/universal/ssh.nix b/modules/universal/ssh.nix
new file mode 100644
index 00000000..71a625ec
--- /dev/null
+++ b/modules/universal/ssh.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+ # we place the host keys (which we want to be persisted) into their own directory to ease that.
+ # otherwise, this is identical to nixos defaults
+ sane.impermanence.service-dirs = [ "/etc/ssh/host_keys" ];
+
+ services.openssh.hostKeys = [
+ { type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
+ { type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
+ ];
+}
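Review bot: The ed25519 key path is now spelled out by hand in three places — here, in `services.openssh.hostKeys` in ssh.nix, and as `key_dir` in impermanence.nix — so a later move of the directory that misses this line breaks sops decryption with no evaluation-time error. If `config` and `lib` are available as module arguments in this file, derive the list instead: `sops.age.sshKeyPaths = map (k: k.path) (lib.filter (k: k.type == "ed25519") config.services.openssh.hostKeys);`, which keeps sops and sshd agreeing by construction. The `sops.gnupg.sshKeyPaths = []` context line still keeps the RSA key out, so the derived list should contain only the ed25519 entry.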
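Review bot: The header comment explains why the keys moved but not what depends on the exact string `/etc/ssh/host_keys`: the same path is bind-mounted by the `persist-ssh-host-keys` activation script in impermanence.nix and its ed25519 entry is named in `sops.age.sshKeyPaths` in secrets.nix, and nothing here warns that the three must change together. I'd add under the existing comment: `# NOTE: this path is also hard-coded in modules/impermanence.nix (persist-ssh-host-keys) and modules/universal/secrets.nix (sops.age.sshKeyPaths); keep them in sync.` The claim that the entries are otherwise identical to the NixOS defaults is plausible (rsa/4096 plus ed25519) but is worth checking against the `services.openssh.hostKeys` default of the pinned nixpkgs, since a drift there would silently change which key types the host offers.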