diff --git a/roles/common/configuration.nix b/roles/common/configuration.nix
index ba301c4..c2b45d4 100755
--- a/roles/common/configuration.nix
+++ b/roles/common/configuration.nix
@@ -27,15 +27,32 @@
 # enter the password A LOT of times. Only on the first setup tho
 "/tmp/id_ed25519_bootstrap" ];
+ # Copy (NOT SYMLINK) host ssh keys into place
+ secrets = {
+ "ed25519" = {
+ symlink = false;
+ file = ../../secrets/${config.networking.hostName}/host-key-ed25519;
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ };
+ "rsa" = {
+ symlink = false;
+ file = ../../secrets/${config.networking.hostName}/host-key-rsa;
+ path= "/etc/ssh/ssh_host_rsa_key";
+ };
+ "ed25519-public" = {
+ symlink = false;
+ file = ../../secrets/${config.networking.hostName}/host-key-ed25519-public;
+ path = "/etc/ssh/ssh_host_ed25519_key.pub";
+ mode = "0644";
+ };
+ "rsa-public" = {
+ symlink = false;
+ file = ../../secrets/${config.networking.hostName}/host-key-rsa-public;
+ path = "/etc/ssh/ssh_host_rsa_key.pub";
+ mode = "0644";
+ };
+ };
 };
- /*
- I used to keep the host keys in the repo as a secret, but since I use the
- host keys for decrypting too I'm not sure encrypting a key with itself
- is a good idea. Now the host keys will need to be placed manually where they are needed
- For first time installs they are generated by services.openssh.hostKeys on servers, and
- manually on everything else
- */
- system.stateVersion = "23.05"; }
diff --git a/secrets/Archie/host-key-ed25519 b/secrets/Archie/host-key-ed25519
new file mode 100644
index 0000000..ddd8e91
--- /dev/null
+++ b/secrets/Archie/host-key-ed25519
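Review bot: The new `secrets` block removes the comment that explained the host-key-encrypted-with-itself problem and puts nothing in its place, although the layout now rests on that reasoning (secrets/secrets.nix in this same commit adds the bootstrap key as a second recipient of every host key); a comment above `secrets = {` should carry it, e.g. `# Host keys are encrypted to the host's own key and to the bootstrap key; a fresh install decrypts them with /tmp/id_ed25519_bootstrap before its own key exists.` The `"rsa"` entry reads `path= "/etc/ssh/ssh_host_rsa_key";`, missing the space before `=` that every other attribute in the block uses. The two private-key entries rely on the module's default `mode` while the public entries state `"0644"`; writing the private mode explicitly (presumably `mode = "0400";`, confirm against the module's default) keeps each pair readable side by side and records that the key file must stay unreadable to anyone but root. The attribute set that `secrets` belongs to opens before the hunk.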
@@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> ssh-ed25519 zhSyTg v0zMwf3PyU8i5Z8cKQAM8G/egqkmPONA7twvIsTtFUU +4BlqeR6PpQrYwf7BT1UXqzaiiNwHAxsbbvX1Sk7YG7M +-> ssh-ed25519 AuWU1Q m0nCQcYG0Jz8AeouayMRTPiQvZxWDbci88ouaaW1kBE +FMRP4tDLTQ8wo/9j6AaVhl4/amQAjgZDPKqmtzTwHbI +-> tR-grease jXU +zPQZdJy9DQ9MUenFWBk +--- NY5Z2u04JmXtfy09gfYTziCNqdXfSXQLe3n/e7wburg + +KQoa|ɗ .hS +^aɹL)m. At}BR!7J%f#f_/=d:\[ TxȔUs(:I~-i -l!(̮SG^٢Vڗig~MDdnWqÕb7P\CαI}msU4="1.:aT-Ooy%v$iBN)s8OV(EDžtWi;nP7Q0·tR+W1BdTTOWf>6C>nT¾ +K)D81il3JPQw.w\&6j T:8E`,"a҂<dKrc2䴃<~ +h?Fc + ΣJtoD \ No newline at end of file diff --git a/secrets/Archie/host-key-ed25519-public b/secrets/Archie/host-key-ed25519-public new file mode 100644 index 0000000..91e279e --- /dev/null +++ b/secrets/Archie/host-key-ed25519-public @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 zhSyTg Xkk6wPQm3Sm3RuNyKhnKVz/evGJtr0UwhB7m2iuhrR4 +RMheqKeCD+Py22+xmvp3Se1z84t60+6y1Bbt7uYGxFs +-> ssh-ed25519 AuWU1Q 5l5/vuIGxW+6ZzlDKjLzNCxyiW1+Kh651xpnwjfF3FQ +ZIx/zZZMPpO8zDW5JdkucIBVH1xK4KtoA7Kovw+bcOU +-> 7%-grease [ wwEC MxP UF:U6Cy +Hp7t6AxdTAfm4r/LMWAt22vOYvhfHJLX4BIB7eEUfQnNAPIx43SrK8QIrAGHWbxN +hdO18C5g6xoE5HHz5uM5ASzUWC4Nws3OXwY +--- 2kwRA1NakiMhvMQgkaiEiJ93SkjTmOt77m0tO+e/p/w +^^I=*='V [$-ʲ} .=&ɭl@l5׏pIKVNCԎ I_<g.mf}O4( @ ; \ No newline at end of file diff --git a/secrets/Archie/host-key-rsa b/secrets/Archie/host-key-rsa new file mode 100644 index 0000000..e323c7a Binary files /dev/null and b/secrets/Archie/host-key-rsa differ diff --git a/secrets/Archie/host-key-rsa-public b/secrets/Archie/host-key-rsa-public new file mode 100644 index 0000000..8bb561d Binary files /dev/null and b/secrets/Archie/host-key-rsa-public differ diff --git a/secrets/Everest/host-key-ed25519 b/secrets/Everest/host-key-ed25519 new file mode 100644 index 0000000..0fe034f Binary files /dev/null and b/secrets/Everest/host-key-ed25519 differ 
diff --git a/secrets/Everest/host-key-ed25519-public b/secrets/Everest/host-key-ed25519-public new file mode 100644 index 0000000..6b23715 --- /dev/null +++ b/secrets/Everest/host-key-ed25519-public @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 5qrYxA OECuD3X/YhnhNDjXFBsoq+mOQmadIQch2DhcVM2es3g +Y9tNL/OXgxSrWtvrLDHBnaWGxDoSopQAVoFwx6WiHFE +-> ssh-ed25519 AuWU1Q RawOBsHa1yGd0Nn3QPaZNlh3Qy5D5TNU0VVc6t7uwmU +M0OgClrDATN23KARdN8kee/tDSolbdVQwxclOwUlCY8 +-> }|y:w-grease [|V >/-D+*J +zPzM +--- st6EavuBsvVd84P9CGhxLpgckxCsYjucYvpMiNS0YVY +wav\GU.<8\<ڂ>^=„0[f,!S0z%/eo48&J?@ZJ;1/ႄ*/t{ʹ-dna8.ES$˖: \ No newline at end of file diff --git a/secrets/Everest/host-key-rsa b/secrets/Everest/host-key-rsa new file mode 100644 index 0000000..18618b9 Binary files /dev/null and b/secrets/Everest/host-key-rsa differ diff --git a/secrets/Everest/host-key-rsa-public b/secrets/Everest/host-key-rsa-public new file mode 100644 index 0000000..cbfbf9f Binary files /dev/null and b/secrets/Everest/host-key-rsa-public differ diff --git a/secrets/ddclient-passwd b/secrets/ddclient-passwd old mode 100644 new mode 100755 index e8dac5e..fb143cb --- a/secrets/ddclient-passwd +++ b/secrets/ddclient-passwd @@ -1,7 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 06objA y4bV1ytUwkmt9PbOrVgGT5UvhG122nbW1Uoj4X4G1ko -iCncwjYew9IxINLtdTBCH1xVwMxlbEUj0+QDbqQo220 --> R520hu&,-grease BU -r02YR9brHoUAtWXZd1yzrnA1IEymE6EGi+INiYzaU/6ucoMpqD1kTbnNA/XImBw ---- nHrpo/xmcD3yGS8tygN/HL5o4uyFBVJslY7xycLuJ9M -޺ȮP';2 5$N}nhӐ5H[،؁^b_؜SRIXjhx$ \ No newline at end of file +-> ssh-ed25519 5qrYxA YZag1cf+LCNznpoLx8wXN0lqaDfcxpP8Axmgt1gyiDo +DujRQ8hZtv6CyKWmOGK82jFoRkT/72Y1OmWcTb+aiVw +-> tR{ rv:Iړ`%-וvMpD9, \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index a6becb9..5c1d5a7 100755 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
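Review bot: `secrets/ddclient-passwd` changes from mode 100644 to 100755 in this file's header, and `secrets/syncthing/cert` and `secrets/syncthing/key` get the same flip further down; an age-encrypted secret has no reason to be executable, so this looks like an accidental side effect of re-encrypting from a checkout with loose permissions rather than an intended change (the two `.nix` files already carry 100755 too, which points the same way). `git update-index --chmod=-x secrets/ddclient-passwd secrets/syncthing/cert secrets/syncthing/key` clears the bit without touching the ciphertext. The remainder of the hunk is the re-encryption itself, recipient `06objA` replaced by `5qrYxA` (presumably the rotated `everest` key from secrets.nix), which cannot be reviewed beyond that.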
@@ -1,9 +1,18 @@
 let
- everest = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEY+nRHGyId1eYdC0tk4eKDG8UPpWjNekif+XPPHa0XD root@Everest";
- bootsrtrap = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKloSXSeF4dNXebd93uMuiFuXRHfxo/he4+O9SFTz1s bootstrap key";
+ everest = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7GzKZIK/UAMfRjsaxWWKOBqG7sa1ttJ+Gp0zTQSBXM root@Everest";
+ archie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINuqKOfYb2lyhoQYBQbuIEyMomze872rnpxDnax8BsC5 root@Archie";
+ bootsrtrap = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKloSXSeF4dNXebd93uMuiFuXRHfxo/he4+O9SFTz1s bootstrap key";
 in {
 "ddclient-passwd".publicKeys = [ everest ];
 "syncthing/key".publicKeys = [ everest ];
 "syncthing/cert".publicKeys = [ everest ];
+ "Everest/host-key-ed25519".publicKeys = [ everest bootsrtrap ];
+ "Everest/host-key-ed25519-public".publicKeys = [ everest bootsrtrap ];
+ "Everest/host-key-rsa".publicKeys = [ everest bootsrtrap ];
+ "Everest/host-key-rsa-public".publicKeys = [ everest bootsrtrap ];
+ "Archie/host-key-ed25519".publicKeys = [ archie bootsrtrap ];
+ "Archie/host-key-ed25519-public".publicKeys = [ archie bootsrtrap ];
+ "Archie/host-key-rsa".publicKeys = [ archie bootsrtrap ];
+ "Archie/host-key-rsa-public".publicKeys = [ archie bootsrtrap ];
 }
diff --git a/secrets/syncthing/cert b/secrets/syncthing/cert
old mode 100644
new mode 100755
index 576dd37..9711922
Binary files a/secrets/syncthing/cert and b/secrets/syncthing/cert differ
diff --git a/secrets/syncthing/key b/secrets/syncthing/key
old mode 100644
new mode 100755
index 4ea8d32..e0dd47d
Binary files a/secrets/syncthing/key and b/secrets/syncthing/key differ
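Review bot: Every `Everest/*` and `Archie/*` host-key entry lists `bootsrtrap` as a recipient, so that single bootstrap identity can decrypt both hosts' private host keys, and nothing in the file says so; a comment on the `bootsrtrap` binding should record it, e.g. `# recipient of every host key below: its private half is as sensitive as all of them together`. The name `bootsrtrap` is a pre-existing typo that the eight new lines spread further through the file; renaming it to `bootstrap` touches only this file. The `everest` key is replaced rather than added, and the earlier ciphertexts of `ddclient-passwd`, `syncthing/key` and `syncthing/cert` stay decryptable by the old key in git history, so if the rotation was prompted by exposure of the old key, the plaintext behind those three secrets needs rotating as well, not only re-encrypting.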