diff --git a/hosts/hetzner-arm/secrets.nix b/hosts/hetzner-arm/secrets.nix index 582e313..bd215a6 100644 --- a/hosts/hetzner-arm/secrets.nix +++ b/hosts/hetzner-arm/secrets.nix @@ -15,6 +15,8 @@ }; requiredVaultPaths = [ + "private-public-keys/data/ssh/root@hetzner-arm-decrypt" + "api-keys/data/gitlab/gitlab_pages_serve" ]; @@ -23,6 +25,17 @@ manual = true; }; + # this doesn't need to be a secret and can be generated at install time + # but it makes it easier to install. + # it's stored in /nix store anyway + ssh_host_ed25519_key = { + path = "/ssh_host_ed25519_key"; + permissions = "600"; + fetchScript = '' + simple_get "/private-public-keys/ssh/root@hetzner-arm-decrypt" .private | base64 -d > "$secretFile" + ''; + }; + # Used directly by server # for fetching gitlab static sites gitlab_env = {
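Review bot: The comment added above `ssh_host_ed25519_key` in the second hunk says the key "doesn't need to be a secret", but `fetchScript` pulls the `.private` half of an SSH host key, and a copy in `/nix/store` is readable by every local user on the machine. Anyone who can read it can present this host's identity to connecting clients. That matters most if, as the `-decrypt` name suggests, the key serves a boot-time unlock endpoint; this use is inferred and not visible in the hunk. I would reword the comment to state the real trade-off, e.g. `# dedicated key for the decrypt stage only; a copy may be world-readable in /nix/store, so never reuse it as the main host key`. Separately, a failed `simple_get` still lets `base64 -d` write an empty `$secretFile` unless the wrapper that runs `fetchScript` (not shown) sets `set -o pipefail`, so it is worth checking for that and for whether the file is created with mode 600 rather than chmod-ed afterwards.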