diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index dcbabb9..2998167 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -214,7 +214,7 @@
 PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName clientNode}.path;
 AllowedIPs = map (net.cidr.make 128) clientCfg.addresses;
 }
- // optionalAttrs clientCfg.keepalive {
+ // optionalAttrs clientCfg.client.keepalive {
 PersistentKeepalive = 25;
 };
 })
diff --git a/nix/apps/default.nix b/nix/apps/default.nix
index 1834ffb..700fdbc 100644
--- a/nix/apps/default.nix
+++ b/nix/apps/default.nix
@@ -13,7 +13,6 @@
 apps = [
 ./draw-graph.nix
 ./format-secrets.nix
- ./generate-initrd-keys.nix
 ./generate-wireguard-keys.nix
 ./show-wireguard-qr.nix
 ];
diff --git a/nix/apps/generate-initrd-keys.nix b/nix/apps/generate-initrd-keys.nix
deleted file mode 100644
index 009df80..0000000
--- a/nix/apps/generate-initrd-keys.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- self,
- pkgs,
- ...
-}: let
- inherit
- (pkgs.lib)
- escapeShellArg
- concatStringsSep
- mapAttrsToList
- ;
- mapAttrsToLines = f: attrs: concatStringsSep "\n" (mapAttrsToList f attrs);
- generateHostKey = node: ''
- if [[ ! -f ${escapeShellArg node.config.rekey.secrets.initrd_host_ed25519_key.file} ]]; then
- echo TODOOOOO
- exit 1
- ssh-keygen -t ed25519 -N "" -f /tmp/1
- TODO
- fi
- '';
-in
- pkgs.writeShellScript "generate-initrd-keys" ''
- set -euo pipefail
- ${mapAttrsToLines generateHostKey self.nodes}
- ''
diff --git a/nix/apps/generate-wireguard-keys.nix b/nix/apps/generate-wireguard-keys.nix
index f231764..becc747 100644
--- a/nix/apps/generate-wireguard-keys.nix
+++ b/nix/apps/generate-wireguard-keys.nix
@@ -49,6 +49,8 @@
 echo "$privkey" | ${pkgs.wireguard-tools}/bin/wg pubkey > ${pubkeyFile}
 ${pkgs.rage}/bin/rage -e ${rageEncryptArgs} <<< "$privkey" > ${privkeyFile} \
 || { echo "error: Failed to encrypt wireguard private key for peer ${peerName} on network ${wgName}!" >&2; exit 1; }
+ else
+ echo "Skipping existing "${keyBasename}".{age,pub}"
 fi
 '';
@@ -65,6 +67,8 @@
 psk=$(${pkgs.wireguard-tools}/bin/wg genpsk)
 ${pkgs.rage}/bin/rage -e ${rageEncryptArgs} <<< "$psk" > ${pskFile} \
 || { echo "error: Failed to encrypt wireguard psk for peers ${peer1} and ${peer2} on network ${wgName}!" >&2; exit 1; }
+ else
+ echo "Skipping existing "${pskFile}""
 fi
 '';
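Review bot: In the added `echo "Skipping existing "${keyBasename}".{age,pub}"` the double quotes are closed around the Nix interpolation, so the substituted value becomes an unquoted shell word subject to word splitting and globbing; this matches the existing `> ${pubkeyFile}` redirections in the same hunk, so the values are presumably pre-escaped upstream, but the guard and the enclosing function start outside the hunk and cannot be checked here. The second hunk repeats the pattern with a redundant trailing empty string, `echo "Skipping existing "${pskFile}""`, which reads cleaner as `echo "Skipping existing "${pskFile}`. The first message also claims both the .age and .pub files exist, which only holds if the condition above tests both rather than just the encrypted private key. A one-line comment above each `else` would make the intent explicit, e.g. `# existing key material is never regenerated; remove the files to rotate the key`.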