diff --git a/Justfile b/Justfile
index c09286f..fea5551 100755
--- a/Justfile
+++ b/Justfile
@@ -25,8 +25,12 @@ _device recipe dir +moreargs="":
 _render_templates:
 #!/usr/bin/env bash
 set -ex
- source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
- nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
+ if ! ip route get 0.0.0.1; then
+ echo No route to WAN. Skipping template rendering...
+ else
+ source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
+ nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
+ fi

 _rebuild-device dir rebuildarg="dry-activate" +moreargs="": _render_templates
 #!/usr/bin/env bash
@@ -245,14 +249,26 @@ run-with-channels +cmds:
 # Switch between yubikeys which have a copy of the same key
 switch-yubikey:
 #!/usr/bin/env bash
- # See https://github.com/drduh/YubiKey-Guide/issues/19
+ #
+ # Derived from https://github.com/drduh/YubiKey-Guide/issues/19.
+ #
+ # Connect the new device and then run this script to make it known to gnupg.
+ #
 set -xe
 KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')
- gpg --delete-secret-and-public-keys $KEY_ID
- # TODO: fix this as it still blocks on the gpg prompt
- gpg2 --edit-card <<-EOF
- fetch
- quit
- EOF
+
+ # export pubkey and ownertrust
+ gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}"
+ gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust
+
+ # delete the key
+ gpg --yes --delete-secret-and-public-keys "${KEY_ID}"
+
+ # import pubkey and ownertrust back and cleanup
+ gpg2 --import "${KEY_ID}".pubkey
+ gpg2 --import-ownertrust < "${KEY_ID}".ownertrust
+ rm "${KEY_ID}".{pubkey,ownertrust}
+
+ # refresh the gpg agent
 gpg-connect-agent "scd serialno" "learn --force" /bye
 gpg --card-status
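Review bot: In `_render_templates`, the no-route branch exits successfully, so `_rebuild-device` (which lists this recipe as a dependency) carries on with whatever rendered `vcsh.nix` is already on disk, or with none; how the rebuild consumes that file is outside the hunk. A stale render can be activated without anyone noticing, because the only trace is a stdout line buried in `set -x` output. I would send the message to stderr and say what is being reused, `echo "No route to WAN; reusing previously rendered vcsh.nix" >&2`, and fail when there is nothing to reuse, `test -e nix/home-manager/profiles/dotfiles/vcsh.nix`. Note also that `ip route get` only consults the routing table, so a present route does not mean the fetch inside `pre-eval-fixed.sh` will succeed.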
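Review bot: In `switch-yubikey`, the exported public key and ownertrust are written to predictable names in the current working directory and read back after the destructive `gpg --yes --delete-secret-and-public-keys`, with cleanup only on the success path. Under `set -xe` a failed import leaves the keyring without the key and both files behind, and whatever sits at `${KEY_ID}.ownertrust` at import time is what gets trusted. I would export into a `mktemp -d` directory removed by an `EXIT` trap and check that the public-key export is non-empty before deleting anything. The recipe also mixes `gpg` and `gpg2`, which may be different binaries on some systems; using one of them throughout would avoid exporting from one keyring and deleting from another.

```just
    KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')
    # private scratch dir, removed on any exit (including a failed import)
    tmp=$(mktemp -d)
    trap 'rm -rf "${tmp}"' EXIT

    gpg2 --output "${tmp}/pubkey" --export "${KEY_ID}"
    gpg2 --export-ownertrust | rg "${KEY_ID}" > "${tmp}/ownertrust"
    # refuse to delete unless the public key was really exported
    test -s "${tmp}/pubkey"

    # … unchanged: gpg --yes --delete-secret-and-public-keys …

    gpg2 --import "${tmp}/pubkey"
    gpg2 --import-ownertrust < "${tmp}/ownertrust"
    # … unchanged: gpg-connect-agent / gpg --card-status …
```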