diff --git a/ansible/extras.yml b/ansible/extras.yml
index 3c790be81..251c40165 100644
--- a/ansible/extras.yml
+++ b/ansible/extras.yml
@@ -71,16 +71,6 @@
 ansible.builtin.fail:
 msg: Reboot handler for stackhpc.linux.vgpu role fired unexpectedly. This was supposed to be unreachable.

-- name: Persist hostkeys across rebuilds
- # Must be after filesystems.yml (for storage)
- # and before portal.yml (where OOD login node hostkeys are scanned)
- hosts: persist_hostkeys:!builder
- become: true
- gather_facts: false
- tasks:
- - ansible.builtin.import_role:
- name: persist_hostkeys
-
 - name: Install k9s
 become: true
 hosts: k9s
diff --git a/ansible/iam.yml b/ansible/iam.yml
index d570a7a27..675141883 100644
--- a/ansible/iam.yml
+++ b/ansible/iam.yml
@@ -13,6 +13,18 @@
 tasks_from: addhost.yml
 when: groups['freeipa_server'] | length > 0

+- name: Persist hostkeys across rebuilds
+ # Must be:
+ # - after filesystems.yml (for storage)
+ # - before ipa (re)enrolment, which updates IPA record to match actual hostkey
+ # - before portal.yml (where OOD login node hostkeys are scanned)
+ hosts: persist_hostkeys:!builder
+ become: true
+ gather_facts: false
+ tasks:
+ - ansible.builtin.import_role:
+ name: persist_hostkeys
+
 - hosts: freeipa_client
 tags:
 - freeipa
diff --git a/ansible/roles/freeipa/README.md b/ansible/roles/freeipa/README.md
index 4bcf2f6de..6b92f7aa2 100644
--- a/ansible/roles/freeipa/README.md
+++ b/ansible/roles/freeipa/README.md
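Review bot: The ordering the new comment block relies on ("before ipa (re)enrolment") holds only for an untagged run of iam.yml: the added "Persist hostkeys across rebuilds" play carries no `tags:`, while the `freeipa_client` play that follows it is tagged `freeipa`, so `--tags freeipa` would re-enrol hosts with whatever hostkey the rebuilt node currently has, and the persisted key is only restored on a later full run, leaving the IPA host record out of step with the node's actual hostkey until the next re-enrolment. Consider tagging this play so the two stay together, e.g. `tags: [persist_hostkeys, freeipa]` after `hosts: persist_hostkeys:!builder`, or at least extending the comment with `# NOTE: ordering is not preserved under tag-limited runs (--tags freeipa)`. The "after filesystems.yml" and "before portal.yml" constraints also depend on the play order in the top-level site playbook, which is not visible in this diff.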
@@ -33,6 +33,9 @@ Support FreeIPA in the appliance. In production use it is expected the FreeIPA s
 - This is implemented when using the site OpenTofu; on the control node `appliances_state_dir` defaults to `/var/lib/state` which is mounted from a volume.
 - Nodes are not re-enroled by a [Slurm-driven reimage](../../collections/ansible_collections/stackhpc/slurm_openstack_tools/roles/rebuild/README.md) (as that does not run this role).
 - If both a backed-up keytab and `freeipa_host_password` exist, the former is used.
+ - When re-enroling, the host record in FreeIPA host record is updated with the
+ current hostkey. The `persist_hostkeys` role may be used if rebuilds/reimages
+ should not change keys.
 ### Role Variables for Clients