diff --git a/common/network/hosts.nix b/common/network/hosts.nix index a8d80d2..87da16c 100644 --- a/common/network/hosts.nix +++ b/common/network/hosts.nix @@ -1,7 +1,21 @@ { config, lib, ... }: +with builtins; + let system = (import ../ssh.nix).system; + + # hostnames that resolve on clearnet for LUKS unlocking + unlock-clearnet-hosts = { + ponyo = "unlock.ponyo.neet.dev"; + }; + + # hostnames that resolve on tor for LUKS unlocking + unlock-onion-hosts = { + liza = "5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion"; + router = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion"; + ponyo = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion"; + }; in { networking.hosts = { # some DNS providers filter local ip results from DNS request @@ -12,17 +26,29 @@ in { programs.ssh.knownHosts = { liza = { - hostNames = [ "liza" "liza.neet.dev" ]; + hostNames = [ "liza" "mail.neet.dev" ]; publicKey = system.liza; }; + liza-unlock = { + hostNames = [ unlock-onion-hosts.liza ]; + publicKey = system.liza-unlock; + }; ponyo = { hostNames = [ "ponyo" "ponyo.neet.dev" "ponyo.zt.neet.dev" "git.neet.dev" ]; publicKey = system.ponyo; }; ponyo-unlock = { - hostNames = [ "unlock.ponyo.neet.dev" "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion" ]; + hostNames = [ unlock-clearnet-hosts.ponyo unlock-onion-hosts.ponyo ]; publicKey = system.ponyo-unlock; }; + router = { + hostNames = [ "router" "192.168.1.228" ]; + publicKey = system.router; + }; + router-unlock = { + hostNames = [ unlock-onion-hosts.router ]; + publicKey = system.router-unlock; + }; ray = { hostNames = [ "ray" "ray.zt.neet.dev" ]; publicKey = system.ray; 
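Review bot: The `unlock-onion-hosts` map omits s0 even though this same commit deletes s0's onion address from machines/storage/s0/configuration.nix, whereas liza's and router's addresses were moved here — so that name now survives nowhere in the repo and gets neither a pinned host key nor an alias. If s0 runs an initrd unlock sshd, add `s0 = "nsw2zwifzyl42mbhabayjo42b2kkq3wd3dqyl6efxsz6pvmgm5cup5ad.onion";` here plus a matching `s0-unlock` entry in `programs.ssh.knownHosts` and `system.s0-unlock` in common/ssh.nix; if it does not, a one-line note saying so would save the next reader the search. A comment above the two maps such as `# every host listed here also needs a <host>-unlock key pinned in programs.ssh.knownHosts below` would keep the hostname list and the key pins from drifting apart. The `in { … }` set opened at the end of this hunk continues past it.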
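Review bot: Replacing `liza.neet.dev` with `mail.neet.dev` in the liza entry silently un-pins the old name, so an `ssh liza.neet.dev` from any of these machines will fall back to a trust-on-first-use prompt for a key this file already knows; if that name still resolves to liza, keep both: `hostNames = [ "liza" "liza.neet.dev" "mail.neet.dev" ];`. The separate `*-unlock` entries are the right shape — the initrd sshd presumably reads its host key from unencrypted /boot, so pinning a key distinct from `system.<host>` is what stops a /boot tamper from also impersonating the fully booted system — and that rationale deserves a comment above `liza-unlock`, e.g. `# *-unlock: initrd (LUKS unlock) sshd; deliberately a different key from the booted system's`. The `programs.ssh.knownHosts` set is opened at the top of this hunk and closed after it.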
@@ -60,4 +86,15 @@ in {
 publicKey = system.n7;
 };
 };
+
+ # prebuilt cmds for easy ssh LUKS unlock
+ environment.shellAliases =
+ let
+ # TODO: remove when all systems are updated to new enough nixpkgs
+ concatMapAttrs =
+ f: with lib; flip pipe [ (mapAttrs f) attrValues (foldl' mergeAttrs { }) ];
+ in
+ concatMapAttrs (host: addr: {"unlock-over-tor_${host}" = "torsocks ssh root@${addr}";}) unlock-onion-hosts
+ //
+ concatMapAttrs (host: addr: {"unlock_${host}" = "torsocks ssh root@${addr}";}) unlock-clearnet-hosts;
 }
\ No newline at end of file
diff --git a/common/ssh.nix b/common/ssh.nix
index 4504bd1..899c212 100644
--- a/common/ssh.nix
+++ b/common/ssh.nix
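Review bot: The `unlock_${host}` alias built from `unlock-clearnet-hosts` runs the very same `torsocks ssh root@${addr}` as the tor alias, so the "clearnet" aliases never take the clearnet path and the two maps collapse into one; this looks like a copy-paste slip in the last `concatMapAttrs` line. If clearnet is meant to be direct, change that line to `concatMapAttrs (host: addr: {"unlock_${host}" = "ssh root@${addr}";}) unlock-clearnet-hosts;`; if routing the clearnet unlock through tor is deliberate (it does hide the operator's source address from the target), say so in the comment and drop the misleading clearnet/tor split in the alias names. Either way these aliases are only safe because the `*-unlock` host keys are pinned in `programs.ssh.knownHosts` earlier in this file — a comment like `# relies on the *-unlock host keys pinned in programs.ssh.knownHosts above` would make that dependency explicit for anyone copying the alias elsewhere.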
@@ -2,15 +2,17 @@ rec { users = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO0VFnn3+Mh0nWeN92jov81qNE9fpzTAHYBphNoY7HUx" # reg "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP" # ray ]; system = { liza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDY/pNyWedEfU7Tq9ikGbriRuF1ZWkHhegGS17L0Vcdl"; + liza-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6eMKW7jBNUKm2r9zEoape4s3KVrmLTLC0nkW9t/8JK"; ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN"; ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi"; ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB"; + router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL"; + router-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c"; s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q"; n1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWlhd1Oid5Xf2zdcBrcdrR0TlhObutwcJ8piobRTpRt"; n2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7bRiRutnI7Bmyt/I238E3Fp5DqiClIXiVibsccipOr"; @@ -26,6 +28,7 @@ rec { liza ponyo ray + router s0 n1 n2 @@ -41,6 +44,7 @@ rec { servers = with system; [ liza ponyo + router s0 n1 n2 diff --git a/machines/liza/configuration.nix b/machines/liza/configuration.nix index eaca23f..5c5e1ac 100644 --- a/machines/liza/configuration.nix +++ b/machines/liza/configuration.nix @@ -5,8 +5,6 @@ ./hardware-configuration.nix ]; - # 5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion - system.autoUpgrade.enable = true; networking.hostName = "liza"; 
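Review bot: Dropping the `# reg` key from `users` only revokes it once every host that renders this list into its authorized_keys has been rebuilt; liza has `system.autoUpgrade.enable = true` in this diff but nothing visible shows the others do, so the commit message should state whether this is routine clean-up or a compromised key that needs an immediate redeploy. Style: the first two `users` keys carry no label while the rest are tagged `# nat` and `# ray`, which makes the next removal harder to audit — label them. A comment above the first `*-unlock` key, `# <host>-unlock: initrd sshd host key for remote LUKS unlock; kept distinct from <host> since it presumably lives on unencrypted /boot`, would record why these are separate keys. The `rec {` set holding these lists opens before this hunk and closes after the later ones.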
diff --git a/machines/router/configuration.nix b/machines/router/configuration.nix index 5954b80..9252e26 100644 --- a/machines/router/configuration.nix +++ b/machines/router/configuration.nix @@ -5,8 +5,6 @@ ./hardware-configuration.nix ]; - # jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion - networking.hostName = "router"; services.zerotierone.enable = true; diff --git a/machines/storage/s0/configuration.nix b/machines/storage/s0/configuration.nix index d98896c..249a029 100644 --- a/machines/storage/s0/configuration.nix +++ b/machines/storage/s0/configuration.nix @@ -6,8 +6,6 @@ ./hardware-configuration.nix ]; - # nsw2zwifzyl42mbhabayjo42b2kkq3wd3dqyl6efxsz6pvmgm5cup5ad.onion - networking.hostName = "s0"; boot.loader.grub.enable = false;