diff --git a/rootfs/overlay/etc/ssh/ssh_known_hosts b/rootfs/overlay/etc/ssh/ssh_known_hosts
new file mode 100644
index 0000000..e69de29
diff --git a/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.service b/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.service
new file mode 100644
index 0000000..12f9771
--- /dev/null
+++ b/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Fetch SSH known host keys
+Wants=network-online.target
+After=network-online.target
+After=time-sync.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/fetch-ssh-knownhosts.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.timer b/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.timer
new file mode 100644
index 0000000..c98a30e
--- /dev/null
+++ b/rootfs/overlay/usr/lib/systemd/system/fetch-ssh-knownhosts.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Update SSH known hosts daily
+
+[Timer]
+OnCalendar=daily
+AccuracySec=1h
+RandomizedDelaySec=6000
+
+[Install]
+WantedBy=timers.target
diff --git a/rootfs/overlay/usr/libexec/fetch-ssh-knownhosts.sh b/rootfs/overlay/usr/libexec/fetch-ssh-knownhosts.sh
new file mode 100755
index 0000000..15d711e
--- /dev/null
+++ b/rootfs/overlay/usr/libexec/fetch-ssh-knownhosts.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+: "${KNOWN_HOSTS_URL=https://files.pyrocufflink.blue/ssh_known_hosts}"
+
+curl -fsSL -o /run/ssh_known_hosts "${KNOWN_HOSTS_URL}" || exit $?
+if ! mountpoint -q /etc/ssh/ssh_known_hosts; then
+ mount -o bind /run/ssh_known_hosts /etc/ssh/ssh_known_hosts
+fi
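Review bot: In fetch-ssh-knownhosts.sh the `curl -o /run/ssh_known_hosts` line writes straight into the file that is bind-mounted over /etc/ssh/ssh_known_hosts after the first run, so an interrupted transfer or an unexpected successful response (an empty body, an error page served with status 200) becomes the system-wide host-key trust list without any check. Download to a temporary file, reject an empty or unparsable result, and then copy the content into the existing file rather than renaming over it, because a rename would leave the bind mount pointing at the old inode. Since `-L` follows redirects and `KNOWN_HOSTS_URL` can be overridden from the environment, the transfer should also be pinned to HTTPS with `--proto '=https' --proto-redir '=https'`. The `ssh-keygen -l -f` parse below is one possible sanity check and assumes that tool and `mktemp` are present in the image.

```shell
# … unchanged: KNOWN_HOSTS_URL default …
tmp=$(mktemp /run/ssh_known_hosts.XXXXXX) || exit $?
trap 'rm -f -- "${tmp}"' EXIT

curl -fsSL --proto '=https' --proto-redir '=https' \
  -o "${tmp}" "${KNOWN_HOSTS_URL}" || exit $?

# Refuse an empty or unparsable download before it becomes the trust list.
if ! [ -s "${tmp}" ] || ! ssh-keygen -l -f "${tmp}" >/dev/null; then
  echo "fetch-ssh-knownhosts: downloaded file failed validation" >&2
  exit 1
fi

# Write into the existing inode; the bind mount would not follow a rename.
cat "${tmp}" >/run/ssh_known_hosts || exit $?
# … unchanged: mountpoint check and bind mount …
```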