diff --git a/hosts/web-2/clerie.nix b/hosts/web-2/clerie.nix
index 896f905..b608032 100644
--- a/hosts/web-2/clerie.nix
+++ b/hosts/web-2/clerie.nix
@@ -18,6 +18,9 @@
 rev = "d3f220899ecb98e87026ee0a7600bb8898ae3c42";
 sha256 = "sha256-3o2/+m5OGSfc5RTrS4/j/aVibDasQISL7vY+J3yxbB8=";
 };
+ locations."= /ssh/known_hosts" = {
+ alias = pkgs.writeText "known_hosts" (import ../../lib/ssh-known-hosts.nix);
+ };
 locations."~ ^/.well-known/openpgpkey/hu/[a-z0-9]+/?$" = {
 extraConfig = ''
 default_type application/octet-stream;
diff --git a/lib/ssh-known-hosts.nix b/lib/ssh-known-hosts.nix
new file mode 100644
index 0000000..20c6676
--- /dev/null
+++ b/lib/ssh-known-hosts.nix
@@ -0,0 +1,13 @@
+let
+ stripR = str: if (builtins.substring ((builtins.stringLength str) - 1) (builtins.stringLength str) str) == "\n" then stripR (builtins.substring 0 ((builtins.stringLength str) - 1) str) else str;
+ hostsWithSshPubkey = builtins.filter (hostname: (builtins.substring 0 1 hostname) != "_" && builtins.pathExists (../hosts + "/${hostname}/ssh.pub")) (builtins.attrNames (builtins.readDir ../hosts));
+ sshkeyList = map (hostname: {
+ name = hostname;
+ sshPubkey = stripR (builtins.readFile (../hosts + "/${hostname}/ssh.pub"));
+ }) hostsWithSshPubkey;
+ knownHosts = builtins.concatStringsSep "" (builtins.map ({name, sshPubkey}: ''
+ ${name} ${sshPubkey}
+ ${name}.net.clerie.de ${sshPubkey}
+ '') sshkeyList);
+in
+ knownHosts
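Review bot: The new `locations."= /ssh/known_hosts"` entry publishes an SSH trust anchor, and nothing in the hunk records that this only makes sense when fetched over TLS; whether the enclosing virtualHost forces HTTPS is outside the hunk, so I cannot confirm it here. A client that pulls this file over plain HTTP and appends it to its known_hosts has just pinned whatever an on-path attacker chose to serve, which is worse than TOFU. I would add above the location `# Trust anchor for ssh clients (hosts/*/ssh.pub): must only be reachable over TLS, never plain HTTP` and, if the vhost does not already set it, enable `forceSSL` on it. The virtualHost attribute set this location belongs to starts and ends outside the hunk.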
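Review bot: `stripR` on the second added line aborts evaluation on an empty or newline-only `ssh.pub`: once the recursion has reduced the string to `""`, it evaluates `builtins.substring (-1) 0 ""`, and Nix rejects a negative start position, so a single empty key file breaks the build of every host that imports this file. Guard the base case with `stripR = str: if str == "" then str else if (builtins.substring ((builtins.stringLength str) - 1) (builtins.stringLength str) str) == "\n" then stripR (builtins.substring 0 ((builtins.stringLength str) - 1) str) else str;` and then drop hosts whose stripped key is empty, e.g. `builtins.filter ({sshPubkey, ...}: sshPubkey != "")` on `sshkeyList`, so a blank file yields no entry rather than a hostname with no key. The template also assumes exactly one key per file: a second line or a CRLF ending is interpolated verbatim into the known_hosts line, which would silently produce a non-matching entry for that host; a comment such as `# each hosts/<name>/ssh.pub must hold exactly one LF-terminated host key line` above `sshkeyList` would make the contract explicit.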