Very explicitly DO NOT let the tinc service auto-generate keys

configuration/lib/tinc-configuration.nix

@@ -23,6 +23,7 @@
 		services.tinc.networks.cryto = {
 			debugLevel = 3;
 			chroot = false;
+			ed25519PrivateKeyFile = "/etc/tinc/cryto/ed25519_key.priv";
 
 			extraConfig = generateConfiguration {
 				AutoConnect = "yes";
@@ -80,4 +81,12 @@
 				options  = [ "NOPASSWD" ];
 			}];
 		}];
+
+		# Override this to get rid of the automatic key generation
+		systemd.services."tinc.cryto".preStart = lib.mkForce ''
+			mkdir -p /etc/tinc/cryto/hosts
+			chown tinc.cryto /etc/tinc/cryto/hosts
+			mkdir -p /etc/tinc/cryto/invitations
+			chown tinc.cryto /etc/tinc/cryto/invitations
+		'';
 	}