diff --git a/hosts/quitte/configuration.nix b/hosts/quitte/configuration.nix
index b8ba887..d2db95f 100644
--- a/hosts/quitte/configuration.nix
+++ b/hosts/quitte/configuration.nix
@@ -4,6 +4,7 @@
 imports = [
 ./hardware-configuration.nix
+ ./network.nix
 ];
 # Use the systemd-boot EFI boot loader.
@@ -12,20 +13,6 @@
 boot.loader.efi.canTouchEfiVariables = true;
 boot.supportedFilesystems = [ "zfs" ];
 boot.zfs.devNodes = "/dev/";
- networking.hostId = "a41d87fc";
-
- networking.interfaces.enp65s0f0np0 = {
- useDHCP = false;
- ipv4.addresses = [
- {
- address = "141.30.30.169";
- prefixLength = 25;
- }
- ];
- };
-
- networking.defaultGateway = "141.30.30.129";
- networking.nameservers = [ "141.30.1.1" ];
 networking.hostName = "quitte"; # Define your hostname.
diff --git a/hosts/quitte/network.nix b/hosts/quitte/network.nix
new file mode 100644
index 0000000..3c8f25e
--- /dev/null
+++ b/hosts/quitte/network.nix
@@ -0,0 +1,81 @@
+{ pkgs, config, lib, ... }:
+let
+ wireguard_port = 51820;
+in
+{
+ sops.secrets = {
+ "wg-fsr" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ };
+
+ networking = {
+ hostId = "a71c81fc";
+ enableIPv6 = true;
+ useDHCP = true;
+ interfaces.enp65s0f0np0.useDHCP = true;
+ useNetworkd = true;
+
+ firewall.allowedUDPPorts = [ wireguard_port ];
+ wireguard.enable = true;
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "false";
+ fallbackDns = [ "1.1.1.1" ];
+ };
+
+ # workaround for networkd waiting for shit
+ systemd.services.systemd-networkd-wait-online.serviceConfig.ExecStart = [
+ "" # clear old command
+ "${config.systemd.package}/lib/systemd/systemd-networkd-wait-online --any"
+ ];
+
+ systemd.network = {
+ enable = true;
+
+ # Interfaces on the machine
+ networks."10-ether-bond" = {
+ matchConfig.Name = "enp65s0f0np0";
+ networkConfig = {
+ Address = "141.30.30.169/25";
+ Gateway = "141.30.30.129";
+ DNS = "141.30.1.1";
+ #IPv6AcceptRA = true;
+ };
+ };
+
+ # defining network device for wireguard connections
+ netdevs."fsr-wg" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "fsr-wg";
+ Description = "fsr enterprise wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."wg-fsr".path;
+ ListenPort = wireguard_port;
+ };
+ wireguardPeers = [
+ {
+ # tassilo
+ wireguardPeerConfig = {
+ PublicKey = "vgo3le9xrFsIbbDZsAhQZpIlX+TuWjfEyUcwkoqUl2Y=";
+ AllowedIPs = [ "10.66.66.100/32" ];
+ PersistentKeepalive = 25;
+ };
+ }
+ ];
+ };
+
+ # fsr wireguard server
+ networks."fsr-wg" = {
+ matchConfig.Name = "fsr-wg";
+ networkConfig = {
+ Address = "10.66.66.1/24";
+ IPForward = "ipv4";
+ };
+ };
+ };
+}
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index 5feab36..99ecdc2 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
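Review bot: `hostId = "a71c81fc"` in the new `networking` block does not match the `"a41d87fc"` that the same commit removes from configuration.nix, and that file still carries `boot.supportedFilesystems = [ "zfs" ]`; ZFS stores the importing hostid in the pool label, so after this change any pool that is not force-imported is likely to be rejected on the next boot as in use by another system. If the new value is a typo, restore `hostId = "a41d87fc";`; if it is deliberate, say so in a comment next to it and plan the `zpool import -f` that will be needed. Separately, `IPForward = "ipv4"` on the fsr-wg network flips the global ip_forward sysctl on a host whose enp65s0f0np0 holds a public address, while nothing in the hunk constrains what may be forwarded; with a single peer limited to `AllowedIPs = [ "10.66.66.100/32" ]` forwarding is not needed for peer-to-host traffic, so either drop the line or pair it with explicit forward/NAT rules scoped to fsr-wg. Also `useDHCP = true` and `interfaces.enp65s0f0np0.useDHCP = true` appear to be dead, since the static `10-ether-bond` unit sorts ahead of the generated DHCP unit and networkd applies only the first matching .network file; removing them avoids suggesting a DHCP fallback that never happens. Finally, `dnssec = "false"` turns validation off outright where resolved's default is opportunistic; a one-line comment giving the reason (e.g. `# 141.30.1.1 does not serve DNSSEC — TODO confirm`) would stop the next reader from re-enabling it.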
@@ -3,7 +3,7 @@ postgres_hedgedoc: ENC[AES256_GCM,data:VCoWXZbNGWfmorTNZRFWkDUp0B5JMmsA+bJFVrURE postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR5Uc=,iv:/4hqMV42J37byJgZZGhMqsHNtutikcXhun2uk2HhsHY=,tag:+L4scIHq2nopBlr64KJgjA==,type:str] nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str] hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str] -wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str] +wg-fsr: ENC[AES256_GCM,data:0WViJp9fNKVxq8LsK5R0Ihn3r+S7CLBk5voKn55dABidlFSLpsA0q+KTxoY=,iv:rc4B8N2otqolSRLfpeRkIn7iNlED7XUjY//OCI2oQ5c=,tag:eWO6LniGnTd8KZ4pSyrR5A==,type:str] mediawiki: postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str] initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str] 
@@ -23,8 +23,8 @@ sops: Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-18T15:28:28Z" - mac: ENC[AES256_GCM,data:+o08gLLG3tz9uheJOMeKWtdvcRjgdcpOFUjSW3sHdFWC/FM5dcwDgBAtTO3/pPB6+e//SfpZgIWq1EASpgChPmE61K0U1lnYK/5gBY1QMDZ9tLgl8VjQ1ShVSeTL/dLWopBEVeDT0cR8jhJ+MIaVTEzMLK8I2qn/LaZqEktMPSg=,iv:N5TPSuijpULToU4EoZ7P6bL0sMZ1Jfu10Jxmnpzh4Ec=,tag:UIHIM+CMNS70ivKtEzbR3w==,type:str] + lastmodified: "2022-12-09T15:15:33Z" + mac: ENC[AES256_GCM,data:8G4Kohgr0lF8G135/MNzcSRIrtfX+QRCfMtLRK+fNbc/NHHozlLaI8XDpiURfvgaWR5fVim7DgT5r59aU+G+F8O45C83hJ5LLLmeisWL78Ktm9vOUhWgoClCZ8l/603uPpIG3WlenLF1D5DTO11U60wcGdWv1RMQ9ovxJCXtRfs=,iv:0L4KQR1LYUW52Upv5sZWKquuLNhdaRQ2yoV4y0rs+R0=,tag:uBEfNmk5hmRqSUGhF+V3SQ==,type:str] pgp: - created_at: "2022-11-18T16:37:48Z" enc: |