diff --git a/systems/LoutreOS/services.nix b/systems/LoutreOS/services.nix
index d5aadcb71..b05b46f90 100644
--- a/systems/LoutreOS/services.nix
+++ b/systems/LoutreOS/services.nix
@@ -394,19 +394,39 @@ in { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; } ];
- networking.firewall.allowedTCPPorts = [
- 111 2049 4000 4001 4002 # NFS
- 3483 9000 9090 # Slimserver
- 51413 # Transmission
- 8448 # Matrix federation
- 20 21 # FTP
- ];
- networking.firewall.allowedTCPPortRanges = [
- { from = 64000; to = 65535; } # FTP
- ];
- networking.firewall.allowedUDPPorts = [
- 111 2049 4000 4001 4002 # NFS
- 3483 # Slimserver
- 51413 # Transmission
- ];
+ networking = {
+ wireguard.interfaces = {
+ wg0 = {
+ ips = [ "192.168.20.1/24" ];
+ privateKeyFile = "/mnt/secrets/wireguard/wg0.privatekey";
+ listenPort = 51820;
+ allowedIPsAsRoutes = false;
+ peers = [
+ {
+ allowedIPs = [ "0.0.0.0/0" ];
+ publicKey = "b/SXiqo+GPdNOc54lyEVeUBc6B5AbVMKh+g5EZPGzlE=";
+ }
+ ];
+ };
+ };
+
+ firewall.allowedTCPPorts = [
+ 111 2049 4000 4001 4002 # NFS
+ 3483 9000 9090 # Slimserver
+ 51413 # Transmission
+ 8448 # Matrix federation
+ 20 21 # FTP
+ ];
+
+ firewall.allowedTCPPortRanges = [
+ { from = 64000; to = 65535; } # FTP
+ ];
+
+ firewall.allowedUDPPorts = [
+ 111 2049 4000 4001 4002 # NFS
+ 3483 # Slimserver
+ 51413 # Transmission
+ 51820 # Wireguard
+ ];
+ };
 }
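Review bot: The peer entry under `wg0.peers` sets `allowedIPs = [ "0.0.0.0/0" ]`, and on the receiving side WireGuard uses that list as the filter on inner source addresses, so packets authenticated with this peer's key are accepted whatever IPv4 source they claim. The peer has no `endpoint`, which suggests a client dialling in to `listenPort = 51820`; if that is the case, pin it to its own tunnel address, e.g. `allowedIPs = [ "<peer-tunnel-ip>/32" ];` (placeholder, the peer's address is not shown in this diff). The `firewall.allowedTCPPorts` and `firewall.allowedUDPPorts` lists are global, so NFS (111, 2049, 4000-4002) and FTP are reachable from `wg0` as well as every other interface; scoping them with `networking.firewall.interfaces.<name>.allowedTCPPorts` would limit which networks can reach them. A one-line comment explaining why `allowedIPsAsRoutes = false` is set would also help the next reader.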