diff --git a/hshbase/oneshot/README b/hshbase/oneshot/README
new file mode 100644
index 0000000000000000000000000000000000000000..1d3eb10f543bf20856b9efd78f78af6eeaefc7c2
--- /dev/null
+++ b/hshbase/oneshot/README
@@ -0,0 +1,2 @@
+States in this directory are meant to be fired at a machine once if needed.
+Do NOT put them into your top.sls, or you will suffer.
diff --git a/hshbase/oneshot/after-clone-prep.sls b/hshbase/oneshot/after-clone-prep.sls
new file mode 100644
index 0000000000000000000000000000000000000000..b3c80aec08685702cacda452cc79dc7d986acfe3
--- /dev/null
+++ b/hshbase/oneshot/after-clone-prep.sls
@@ -0,0 +1,4 @@
+include:
+  - .clear-systemd-machine-id
+  - .renew-openssh-keys
+
diff --git a/hshbase/oneshot/clear-systemd-machine-id.sls b/hshbase/oneshot/clear-systemd-machine-id.sls
new file mode 100644
index 0000000000000000000000000000000000000000..5988093066b348f71df98f4a1f84ac8b7f5316f4
--- /dev/null
+++ b/hshbase/oneshot/clear-systemd-machine-id.sls
@@ -0,0 +1,4 @@
+/etc/machine-id:
+  file.managed:
+    - mode: 0444
+    - contents: ''
diff --git a/hshbase/oneshot/renew-openssh-keys.sls b/hshbase/oneshot/renew-openssh-keys.sls
new file mode 100644
index 0000000000000000000000000000000000000000..8299eb12f7eb57fe3f3cb730a5510e4080f85e10
--- /dev/null
+++ b/hshbase/oneshot/renew-openssh-keys.sls
@@ -0,0 +1,18 @@
+hshbase_clear_old_ssh_host_keys:
+  cmd.run:
+    - name: 'bash -c "rm -v /etc/ssh/ssh_host_*key*'
+    - user: root
+
+hshbase_regenerate_ssh_host_keys:
+  cmd.run:
+    - name: 'dpkg-reconfigure openssh-server'
+    - user: root
+    - require:
+      - cmd: hshbase_clear_old_ssh_host_keys
+
+hshbase_restart_sshd:
+  cmd.run:
+    - name: 'systemctl restart ssh'
+    - user: root
+    - require:
+      - cmd: hshbase_regenerate_ssh_host_keys