diff --git a/flake.lock b/flake.lock
index 425570a..3650034 100644
--- a/flake.lock
+++ b/flake.lock
@@ -71,11 +71,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1675265860,
- "narHash": "sha256-PZNqc4ZnTRT34NsHJYbXn+Yhghh56l8HEXn39SMpGNc=",
+ "lastModified": 1676162277,
+ "narHash": "sha256-GK3cnvKNo1l0skGYXXiLJ/TLqdKyIYXd7jOlo0gN+Qw=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "a3a1400571e3b9ccc270c2e8d36194cf05aab6ce",
+ "rev": "d863ca850a06d91365c01620dcac342574ecf46f",
 "type": "github"
 },
 "original": {
@@ -87,11 +87,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1675237434,
- "narHash": "sha256-YoFR0vyEa1HXufLNIFgOGhIFMRnY6aZ0IepZF5cYemo=",
+ "lastModified": 1676375384,
+ "narHash": "sha256-6HI3jZiuJX+KLz05cocYy2mBAWlISEKHU84ftYfxHZ8=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "285b3ff0660640575186a4086e1f8dc0df2874b5",
+ "rev": "c43f676c938662072772339be6269226c77b51b8",
 "type": "github"
 },
 "original": {
@@ -116,11 +116,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1675288837,
- "narHash": "sha256-76s8TLENa4PzWDeuIpEF78gqeUrXi6rEJJaKEAaJsXw=",
+ "lastModified": 1676171095,
+ "narHash": "sha256-2laeSjBAAJ9e/C3uTIPb287iX8qeVLtWiilw1uxqG+A=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "a81ce6c961480b3b93498507074000c589bd9d60",
+ "rev": "c5dab21d8706afc7ceb05c23d4244dcb48d6aade",
 "type": "github"
 },
 "original": {
diff --git a/hosts/quitte/configuration.nix b/hosts/quitte/configuration.nix
index b8ba887..d2db95f 100644
--- a/hosts/quitte/configuration.nix
+++ b/hosts/quitte/configuration.nix
@@ -4,6 +4,7 @@
 imports = [
 ./hardware-configuration.nix
+ ./network.nix
 ];
 # Use the systemd-boot EFI boot loader.
@@ -12,20 +13,6 @@
 boot.loader.efi.canTouchEfiVariables = true;
 boot.supportedFilesystems = [ "zfs" ];
 boot.zfs.devNodes = "/dev/";
- networking.hostId = "a41d87fc";
-
- networking.interfaces.enp65s0f0np0 = {
- useDHCP = false;
- ipv4.addresses = [
- {
- address = "141.30.30.169";
- prefixLength = 25;
- }
- ];
- };
-
- networking.defaultGateway = "141.30.30.129";
- networking.nameservers = [ "141.30.1.1" ];
 networking.hostName = "quitte"; # Define your hostname.
diff --git a/hosts/quitte/network.nix b/hosts/quitte/network.nix
new file mode 100644
index 0000000..d0671ec
--- /dev/null
+++ b/hosts/quitte/network.nix
@@ -0,0 +1,86 @@
+{ pkgs, config, lib, ... }:
+let
+ wireguard_port = 51820;
+in
+{
+ sops.secrets = {
+ "wg-fsr" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ };
+
+ networking = {
+ hostId = "a71c81fc";
+ enableIPv6 = true;
+ useDHCP = true;
+ interfaces.enp65s0f0np0.useDHCP = true;
+ useNetworkd = true;
+
+ firewall.allowedUDPPorts = [ wireguard_port ];
+ wireguard.enable = true;
+ };
+
+ services.resolved = {
+ enable = true;
+ #dnssec = "false";
+ fallbackDns = [ "1.1.1.1" ];
+ };
+
+ # workaround for networkd waiting for shit
+ systemd.services.systemd-networkd-wait-online.serviceConfig.ExecStart = [
+ "" # clear old command
+ "${config.systemd.package}/lib/systemd/systemd-networkd-wait-online --any"
+ ];
+
+ systemd.network = {
+ enable = true;
+
+ # Interfaces on the machine
+ networks."10-ether-bond" = {
+ matchConfig.Name = "enp65s0f0np0";
+
+ address = [ "141.30.30.169/25" ];
+ routes = [
+ {
+ routeConfig.Gateway = "141.30.30.129";
+ }
+ ];
+ networkConfig = {
+ DNS = "141.30.1.1";
+ #IPv6AcceptRA = true;
+ };
+ };
+
+ # defining network device for wireguard connections
+ netdevs."fsr-wg" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "fsr-wg";
+ Description = "fsr enterprise wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."wg-fsr".path;
+ ListenPort = wireguard_port;
+ };
+ wireguardPeers = [
+ {
+ # tassilo
+ wireguardPeerConfig = {
+ PublicKey = "vgo3le9xrFsIbbDZsAhQZpIlX+TuWjfEyUcwkoqUl2Y=";
+ AllowedIPs = [ "10.66.66.100/32" ];
+ PersistentKeepalive = 25;
+ };
+ }
+ ];
+ };
+
+ # fsr wireguard server
+ networks."fsr-wg" = {
+ matchConfig.Name = "fsr-wg";
+ networkConfig = {
+ Address = "10.66.66.1/24";
+ IPForward = "ipv4";
+ };
+ };
+ };
+}
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index 9a186ee..9bb401d 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
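Review bot: `hostId = "a71c81fc";` in the new `networking` block is not the `"a41d87fc"` that this same commit deletes from hosts/quitte/configuration.nix, and that host boots with `boot.supportedFilesystems = [ "zfs" ];`; ZFS ties pool ownership to the hostid, so if the new value is a typo rather than a deliberate re-key the pools last imported under the old id will be refused at boot as in use by another system — either keep `hostId = "a41d87fc";` or confirm the pools have been re-imported under the new one. `useDHCP = true;` together with `interfaces.enp65s0f0np0.useDHCP = true;` presumably makes the networking module emit its own DHCP `.network` unit for the very interface that `networks."10-ether-bond"` configures statically, so one of the two is shadowed or both apply; if the static address is the intent, drop both DHCP lines. `IPForward = "ipv4";` on `fsr-wg` routes between the tunnel and `enp65s0f0np0`, yet no forwarding policy or NAT is declared in this file, so state the intended reach next to it, e.g. `# forwarding on: 10.66.66.0/24 peers are routed to the wired side — confirm this is wanted`. The `# workaround for networkd waiting for shit` comment should name which unit never reports online (presumably the wireguard netdev or a second link), e.g. `# wait-online --any: do not block boot on links that never reach 'configured'`.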
@@ -3,6 +3,7 @@ postgres_hedgedoc: ENC[AES256_GCM,data:VCoWXZbNGWfmorTNZRFWkDUp0B5JMmsA+bJFVrURE
 postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR5Uc=,iv:/4hqMV42J37byJgZZGhMqsHNtutikcXhun2uk2HhsHY=,tag:+L4scIHq2nopBlr64KJgjA==,type:str]
 nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str]
 hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
+wg-fsr: ENC[AES256_GCM,data:0WViJp9fNKVxq8LsK5R0Ihn3r+S7CLBk5voKn55dABidlFSLpsA0q+KTxoY=,iv:rc4B8N2otqolSRLfpeRkIn7iNlED7XUjY//OCI2oQ5c=,tag:eWO6LniGnTd8KZ4pSyrR5A==,type:str]
 wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str]
 portunus_admin: ENC[AES256_GCM,data:bPuYdfpWJtYib9lUcXHVZeGerskd5vs5IOe+DE9Q7OOPkAwp,iv:6ZjjfQ3E1xxYjmEg7o849RZzUt8dyXjI84DSfPYGUWQ=,tag:JJpOLjPs8YdEBl3xGGAzbg==,type:str]
 portunus_search: ENC[AES256_GCM,data:J1GRvVOCcOcAz4qZypa/XbcMCGQSFS6yyg1eGfNIBA4=,iv:zFf90vpMW3aqpstZVEno5TDCVwV2vi3SyA7BrX2R3/A=,tag:HJauUh36/5qmr8sGmgH1dw==,type:str]
diff --git a/secrets/test.yaml b/secrets/test.yaml
index f1163c6..610fada 100644
--- a/secrets/test.yaml
+++ b/secrets/test.yaml
@@ -1,3 +1,4 @@
+wg-fsr: ENC[AES256_GCM,data:fvbVvT+0,iv:PG18bjnc/plz5gHBc7B1ukyKYx93KVPek0y2pCUnHYQ=,tag:0EkTJukQXI6IPfQRbxQNlA==,type:str]
 postgres_keycloak: ENC[AES256_GCM,data:dHuqrGcrJUE5GZhhWG5a4Ko=,iv:bvbyDXhkovtX5BQKw36WTGyUl3KR0Df2fB5qmMWbqqU=,tag:95XJCjKJjrITsHXK8ABF6A==,type:str]
 postgres_hedgedoc: ENC[AES256_GCM,data:XWbf3F1b00RBFS9NXytzVkQ=,iv:dTbRUncYKsqOh0y0MTEJCpPcwfvROkIiO8v9OxZiHPU=,tag:YUxAkmbYKbGdGbIMS/8mOw==,type:str]
 postgres_nextcloud: ENC[AES256_GCM,data:ySjpkMh1/6JuU2JwjlJcXh0D,iv:7CWZPjX7NZt4v1V3vbm42Iw7glz5/9F4TK9GUqTNsl8=,tag:701TSuhzyR4AnDHB4bG48Q==,type:str]