diff --git a/hosts/skipper/secureboot.nix b/hosts/skipper/secureboot.nix
index 0e06ca5..6f9a169 100644
--- a/hosts/skipper/secureboot.nix
+++ b/hosts/skipper/secureboot.nix
@@ -7,7 +7,7 @@
     loader.systemd-boot.enable = lib.mkForce false;
     lanzaboote = {
       enable = true;
-      pkiBundle = "/etc/secureboot";
+      pkiBundle = "/persist/system/etc/secureboot";
     };
   };
   environment.systemPackages = with pkgs; [
diff --git a/hosts/skipper/services/ssh.nix b/hosts/skipper/services/ssh.nix
index 59ff254..420095f 100644
--- a/hosts/skipper/services/ssh.nix
+++ b/hosts/skipper/services/ssh.nix
@@ -8,11 +8,11 @@ _: {
     };
     hostKeys = [
       {
-        path = "/etc/ssh/keys/ssh_host_ed25519_key";
+        path = "/persist/system/etc/ssh/keys/ssh_host_ed25519_key";
         type = "ed25519";
       }
       {
-        path = "/etc/ssh/keys/ssh_host_rsa_key";
+        path = "/persist/system/etc/ssh/keys/ssh_host_rsa_key";
         type = "rsa";
         bits = "4096";
       }
diff --git a/hosts/skipper/wireguard.nix b/hosts/skipper/wireguard.nix
index 7f5800e..ccb8f58 100644
--- a/hosts/skipper/wireguard.nix
+++ b/hosts/skipper/wireguard.nix
@@ -19,7 +19,7 @@ in
           "fd7c:585c:c4ae::2/64"
         ];
         listenPort = 51822;
-        privateKeyFile = "/etc/wireguard/private.key";
+        privateKeyFile = "/persist/system/etc/wireguard/private.key";
         generatePrivateKeyFile = true;
         peers = [
           wireguard_server