diff --git a/.sops.yaml b/.sops.yaml
index 8e3fdbd..2a90c25 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,9 +9,14 @@ creation_rules:
 - *stefan_ellmauthaler
 - *stel-xps
 - *nucturne
- - path_regec: secrets/server\.yaml
+ - path_regex: secrets/server\.yaml
 key_groups:
 - pgp:
 - *stefan_ellmauthaler
 - *nucturne
-
+
+ - path_regex: machines/metis/secrets/wireguard\.yaml
+ key_groups:
+ - pgp:
+ - *stefan_ellmauthaler
+
diff --git a/machines/metis/secrets/wireguard.yaml b/machines/metis/secrets/wireguard.yaml
new file mode 100644
index 0000000..3a74850
--- /dev/null
+++ b/machines/metis/secrets/wireguard.yaml
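Review bot: The new rule for `machines/metis/secrets/wireguard\.yaml` lists only `*stefan_ellmauthaler` under `pgp:`, so no key belonging to the metis host itself is a recipient. If metis is meant to decrypt its WireGuard secret on its own at activation time (for example through sops-nix), the host key has to be added, e.g. `- *METIS_HOST_KEY` (placeholder name; the anchors are defined above the hunk and are not visible here). With a single recipient, losing that one key also loses the secret. The regex is unanchored and matches any path containing that substring; `^machines/metis/secrets/wireguard\.yaml$` would pin the rule to the one file.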
@@ -0,0 +1,34 @@
+hello: ENC[AES256_GCM,data:OsOP3MUWDf2FEaxawBhpd+13odtBrC03T/comY1khIIALY/Gj6LKZhHc4Rfh1w==,iv:Be19e9br4FL/bH+VXXSfAaXtizlUvgfMgDOo/3nTyNk=,tag:yxCTKVlrov3Ux3yL5GaexA==,type:str]
+example_key: ENC[AES256_GCM,data:9BgGw1DG07+cBhudOQ==,iv:M+V1u09vKQ1ctttKAbm9bZ20Qk2C5iXitaH6R/QBY3s=,tag:Y80jf5b7kHhFLGuEsmRa4w==,type:str]
+#ENC[AES256_GCM,data:iH2jIhQ3m3iA8EPkXPs7ZA==,iv:hX+h5FQXl6NcMRSRLjXnsJ1Ae8KsxcCXXBzrLKyvbRw=,tag:byA5M05UpelGwspG2W1SYw==,type:comment]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2022-07-18T15:28:42Z"
+ mac: ENC[AES256_GCM,data:D6tGaxvYb8+t9FOrogb61rV+UPp0TpnoA8CiZXSgIaOqkI3sldVoFm0eKFvCKki2NfWam02nSSiRWyqvo8r6g2CVu9FH5k28d5Ns/s7RlwtoBgdiEVuWcPNgkw91hPRV4I1KjGKg3UdbFDw+jLKEowrttA3ew6PwpssJSuB7JbE=,iv:DZ2Ych5yhkwmPTIk/VNxTSxKSXEJ6vTF+b4HuaXvLqI=,tag:L4hH1S4rFZ3zPKk+oZhNuQ==,type:str]
+ pgp:
+ - created_at: "2022-07-18T15:28:19Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzhsLR+kpSPjARAAml7MzW3gOE8x7ZS84xKEzmyuD5qjNLT8UTEjv1esGmh9
+ nJS7fDSlxsLK24Bk8xaUDKaYOTsG2fraZ/xNf8zsavKxLqQQC+lhrIRbEFB1fXzn
+ xy/nWIEm4WMHQmf/4G1ygUhvzykJIRaPnVa0ClkKZKZWGwuPReLQkzGOr4WKmRBb
+ /W2HcoZyiIPK0B8Qcp7B7X9mrrcVTnYKy037gcztPX6HZMP6WF/77ulM4rh5sV+x
+ Bs/s5N92CiviBH78fW8Al7FzrFYf3zIWNpYgPo8Zg5XTppV+QzRhmVlB6rsD2SQC
+ MilxSkdM+7pvQPkDV52K9ECA5F+E54u7QjjSaTD2WNoy1EBZjYAxG73TvY7OViFi
+ +zM9r5cFGRnO6z8dWO0F6nl6Fa4zJYEH26T6z4nI4k0SX8NXQkiIZ8wJAV0iqwFJ
+ tePQlhvgjAwt1R3LK9E2/JWXp7x/TLJXQ+dX08ZxKKQ6HkvQiwpI2glOh7wnh8sD
+ e3gjF0zJ1eKmsoM7rIQH8JoofHZBmwThp1+rPxnb/Wd2V4yDk45aaK+3z9UOMiZ6
+ gPywlW8ShDKvAYUBnGw/aZrgPGeZLXr+5pYZKr8WIAR1J3hB1KdWV3UpNEILtoEc
+ hGNHAMFaPM1ufuaSRRAfrBuikm64Q7fK19Yw0HhpfJr14WyoKFD+zP6McO9b0cjS
+ XgH3MrBtVgfCynXGfO5Jc1Cys3qai8pbl7LZr7+syiJPFK13f203iDaPoWZoCHT9
+ WhggNUtGogexZ0r+mlcqCzfGFNB+S7dIbmjgZARTZ/2c3oAF5dOWvIb404f4HSM=
+ =n3Rq
+ -----END PGP MESSAGE-----
+ fp: 3B398B086C410264A14FB353B1E6F03030A4AEAA
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
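Review bot: The only encrypted entries are `hello`, `example_key` and one comment, which look like the key names of the template sops writes into a new file, so this file does not appear to hold any WireGuard key material yet. Before a module reads it, the `hello:` and `example_key:` lines should be replaced by the real entry and the file re-encrypted, so that nothing consumes placeholder ciphertext as if it were a key. sops keeps key names in cleartext, so the name chosen for the real entry should not itself disclose anything sensitive. The `sops.pgp` block carries a single recipient (`fp: 3B398B086C410264A14FB353B1E6F03030A4AEAA`), so the same one key is the only way to recover the contents.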
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
new file mode 100644
index 0000000..12b62d8
--- /dev/null
+++ b/modules/wireguard.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, lib, ... }:
+with lib; {
+ options.elss.wireguard = {
+ enable = mkEnableOption "Setup wireguard";
+
+ };
+ config =
+ let
+ cfg = config.elss;
+ hostname = cfg.hostName;
+ secrets = ../machines
+ + builtins.toPath "/${hostName}/secrets/wireguard.yaml";
+ in
+ mkIf cfg.wireguard.enable { };
+}
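Review bot: The `let` binds `hostname`, but the path string interpolates `${hostName}`, so `secrets` refers to a name that is never defined in this file. Nothing fails today only because `secrets` is unused (the config body is `{ }`) and the enclosing `with lib;` defers the lookup of an unbound name instead of rejecting it statically; the first real use of `secrets` will abort evaluation. I would write `secrets = ../machines + "/${hostname}/secrets/wireguard.yaml";`, which also drops `builtins.toPath` (documented as deprecated; a path plus a string already yields a path). When the body is filled in, pass the decrypted key to WireGuard as a file path (for example through `privateKeyFile`) rather than reading its contents into the configuration, so the plaintext never lands in the world-readable Nix store.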