diff --git a/modules/baremetal.nix b/modules/baremetal.nix
index 98557bc3..ccf950b5 100644
--- a/modules/baremetal.nix
+++ b/modules/baremetal.nix
@@ -18,8 +18,7 @@
       initrd.network = {
         enable = true;
         ssh = {
-          # TODO: enable now per machine
-          # enable = true;
+          enable = true;
           authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
           hostKeys = [
             initrdEd2219Key
@@ -58,9 +57,10 @@
       smartd.enable = true;
     };
 
+    # this needs to be unconditional because the keys need to be inplace when activating the feature
     system.activationScripts.generateInitrdOpensshHostKeys = let
       sshKeygen = "${config.programs.ssh.package}/bin/ssh-keygen";
-    in lib.mkIf config.boot.initrd.network.ssh.enable ''
+    in ''
       if [[ ! -e ${initrdEd2219Key} || ! -e ${initrdRsaKey} ]]; then
         echo "Generating initrd OpenSSH hostkeys..."
         mkdir -m700 -p /etc/ssh/initrd/