diff --git a/config/hosts/lambda.nix b/config/hosts/lambda.nix
index e866bcb..7666888 100644
--- a/config/hosts/lambda.nix
+++ b/config/hosts/lambda.nix
@@ -14,6 +14,10 @@
 profile = "server";
 # ssh-pubkey =
 # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPB5JY6jnHCRLxjqWKYkK8Xpmfyq2nA+0noPazYGd9a+";
+ master-key = {
+ public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOBr+kFxYjFp/BoaKT2SPV7aVTEspY/7bQ5RycElczGg";
+ key-path = "/state/master-key/key";
+ };
 enable-gui = false;
 arch = "x86_64-linux";
 nixos-system = true;
diff --git a/config/hosts/limina.nix b/config/hosts/limina.nix
index 2d8a81f..7c2a2ba 100644
--- a/config/hosts/limina.nix
+++ b/config/hosts/limina.nix
@@ -17,4 +17,8 @@
 arch = "x86_64-linux";
 nixos-system = true;
 machine-id = "0a1d961dbcc04037ab7938f15801c765";
+ master-key = {
+ public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA44EqP6HHjIPBFuxKvi2oZc1sNU+N4pNMtlS89KWuDm";
+ key-path = "/state/master-key/key";
+ };
 }
diff --git a/config/hosts/nostromo.nix b/config/hosts/nostromo.nix
index 9725ab6..6d6164a 100644
--- a/config/hosts/nostromo.nix
+++ b/config/hosts/nostromo.nix
@@ -17,4 +17,8 @@
 arch = "x86_64-linux";
 nixos-system = true;
 machine-id = "709076ea18254f8f9097c4e54dde5ab3";
+ master-key = {
+ public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIODtNR4b43ZJgyGo9Hc+CmC4+bzgxbsVYI9fhDqjyRSo";
+ key-path = "/state/master-key/key";
+ };
 }
diff --git a/config/hosts/plato.nix b/config/hosts/plato.nix
index 3f5c4a0..718e040 100644
--- a/config/hosts/plato.nix
+++ b/config/hosts/plato.nix
@@ -20,4 +20,8 @@
 arch = "x86_64-linux";
 nixos-system = true;
 machine-id = "988f39a3b6ab454e9d7dad65bfe36bbe";
+ master-key = {
+ public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgAzn6gyG1ze7L1WLU84poPGcoUntqfvgn+/s3bxhR2";
+ key-path = "/state/master-key/key";
+ };
 }
diff --git a/config/hosts/socrates.nix b/config/hosts/socrates.nix
index 30c89f9..7ff7663 100644
--- a/config/hosts/socrates.nix
+++ b/config/hosts/socrates.nix
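Review bot: The new `master-key` block in lambda.nix does not say what the key protects or how the file at `/state/master-key/key` has to be provisioned, and the same holds for the identical blocks added to limina, nostromo, plato, socrates, spark, system3 and zbox. A comment above `key-path` such as `# host-local private key: keep this a string so it is never copied into the world-readable Nix store; provision it root-only` would record the handling rule. The path literal is repeated in all eight files, so it could presumably be the option's default, leaving only `public-key` per host. In lambda.nix the commented-out `ssh-pubkey` directly above now sits next to a different key, which is easy to misread.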
@@ -17,4 +17,8 @@
 arch = "x86_64-linux";
 nixos-system = true;
 machine-id = "edc4baa9cc1c401dba1bf870725b4bf0";
+ master-key = {
+ public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINmJJFbAV8P1V1LSZr56GJ5ul3LBgdapbh+MK3ixTsxf";
+ key-path = "/state/master-key/key";
+ };
 }
diff --git a/config/hosts/spark.nix b/config/hosts/spark.nix
index f4085dd..9558ab6 100644
--- a/config/hosts/spark.nix
+++ b/config/hosts/spark.nix
@@ -18,4 +18,8 @@
 arch = "x86_64-linux";
 nixos-system = true;
 machine-id = "63dbd567d55a468482aa15d8aa9097f6";
+ master-key = {
+ public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGs8MfR3d6f1Llqk5dn/ypODUT1Oi4SQGof/YvOPNf14";
+ key-path = "/state/master-key/key";
+ };
 }
diff --git a/config/hosts/system3.nix b/config/hosts/system3.nix
index a261d1c..2a915c8 100644
--- a/config/hosts/system3.nix
+++ b/config/hosts/system3.nix
@@ -18,4 +18,8 @@
 arch = "x86_64-linux";
 nixos-system = true;
 machine-id = "39ebe622cf40413b950d832105e0bb2e";
+ master-key = {
+ public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEaF5T7Pb613C31BJVj74WYx4Pytj/lmH+PqjkqoNNkQ";
+ key-path = "/state/master-key/key";
+ };
 }
diff --git a/config/hosts/zbox.nix b/config/hosts/zbox.nix
index ad02a5c..806dc7e 100644
--- a/config/hosts/zbox.nix
+++ b/config/hosts/zbox.nix
@@ -18,4 +18,8 @@
 arch = "x86_64-linux";
 nixos-system = true;
 machine-id = "e5f456e3183a4dc186181a70bc3af2d1";
+ master-key = {
+ public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDsn68vDKV4jnBuICSDX/2Gpnshbrz0r9t4lXIke1vqh";
+ key-path = "/state/master-key/key";
+ };
 }
diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix
index 3bc03b3..aed02d3 100644
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@@ -286,7 +286,7 @@ in { build-private-key-file = if (hasAttr hostname config.fudo.secrets.files.build-keypairs) then - config.fudo.secrets.files.build-keypairs.${hostname} + config.fudo.secrets.files.build-keypairs.${hostname}.private-key else null; in { host-keytab = mkIf (keytab-file != null) {
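Review bot: In lib/fudo/hosts.nix, `build-keypairs.${hostname}.private-key` is dereferenced after a check that only proves `${hostname}` exists, so an entry that still has the old shape (the value itself, with no `private-key` attribute) fails evaluation instead of falling through to `null`. The condition could test the full path, `if (config.fudo.secrets.files.build-keypairs ? ${hostname}.private-key) then`, or the new entry shape could be stated in a comment next to the binding. The `let` that holds `build-private-key-file` starts and ends outside this hunk, so how the resulting value is consumed is not visible here.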
diff --git a/lib/fudo/ssh.nix b/lib/fudo/ssh.nix
index 0c07824..11f6f55 100644
--- a/lib/fudo/ssh.nix
+++ b/lib/fudo/ssh.nix
@@ -27,6 +27,8 @@ let ''; }; + host-cfg = config.fudo.hosts.${hostname}; + in { config = { fudo = {
@@ -65,15 +67,15 @@ in { crossProduct = f: list0: list1: concatMap (el0: map (el1: f el0 el1) list1) list0; - all-hostnames = opts: - [ opts.hostname ] ++ + all-hostnames = hostname: opts: + [ hostname ] ++ (crossProduct (host: domain: "${host}.${domain}") - ([ opts.hostname ] ++ opts.aliases) + ([ hostname ] ++ opts.aliases) ([ opts.domain ] ++ opts.extra-domains)); in mapAttrs (hostname: hostOpts: { publicKeyFile = builtins.head hostOpts.ssh-pubkeys; - hostNames = all-hostnames host-cfg; + hostNames = all-hostnames hostname host-cfg; }) keyed-hosts; }; }
diff --git a/nix-home b/nix-home
index dcab432..3f509d0 160000
--- a/nix-home
+++ b/nix-home
@@ -1 +1 @@
-Subproject commit dcab43275a732e9a3e3c66c9a92132b4290838d3
+Subproject commit 3f509d08290003c27c51049a8f04e076a79570b7
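Review bot: Inside the `mapAttrs (hostname: hostOpts: …)` body of lib/fudo/ssh.nix, `hostNames = all-hostnames hostname host-cfg;` passes `host-cfg`, which the first hunk of this file binds once to `config.fudo.hosts.${hostname}` in the outer `let`, so every known-host entry appears to receive the aliases and domains of that one host rather than its own. That would attach names to the public keys of machines that do not own them, which weakens what host-key checking proves. If `hostOpts` carries `aliases`, `domain` and `extra-domains` (not visible here), the line should read `hostNames = all-hostnames hostname hostOpts;`, and the outer `host-cfg` binding is then unnecessary. Both the `let` and the attribute set start outside the hunks.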