diff --git a/hosts/lilith-lab/default.nix b/hosts/lilith-lab/default.nix
index 79ac991..c445397 100644
--- a/hosts/lilith-lab/default.nix
+++ b/hosts/lilith-lab/default.nix
@@ -11,6 +11,10 @@ in
 arr.enable = true;
 jellyfin.enable = true;
 home-assistant.enable = true;
+ wireguard-bridge = {
+ enable = true;
+ ip = "10.0.1.1/32";
+ };
 };
 hardware.nvidia = {
diff --git a/hosts/lilith-lab/secrets/default.yaml b/hosts/lilith-lab/secrets/default.yaml
index 1a60aec..565b562 100644
--- a/hosts/lilith-lab/secrets/default.yaml
+++ b/hosts/lilith-lab/secrets/default.yaml
@@ -7,6 +7,10 @@ user:
 syncthing:
 cert.pem: ENC[AES256_GCM,data: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,iv:p1XFi45xRDqQCBl5MEXVKyzpFbBfu3EDavgMtnh50qY=,tag:fY67X6MytyFJYDlAVYaQYg==,type:str]
 key.pem: ENC[AES256_GCM,data:W0wf7O+U+Hhci/EVkgA31CpeqkBZ39+gsu+pd5H/lZz0L3ap73/BhE5D/NMbhRDFIALTphN/lP99GuZi+1T9ug2xcKG/VSRR1YSE/6Z/3z1mXAIWPigvJ5ZcVjmTqFc0i/TLN7yrpKnZmabcE26ELbYiCupsJHguwDqv96jUdqwluoeZbIueAN8GfBxGSTNPa9YlXoV6vbR5QmByF4t5yKlFMc5ESueCZKc+i0MFCMTlDTQKW9GKfa+r/HCxKzhSPjey7cxvla7R4ShYg3DpwMsIEwc/VEJ2ifco6VHyGf526ccvUT57VtBNXPWs3NKYC5LV+pxrS7wy7APdld6J1OMcCyMuraLM+rQBMx09JYCy8GikNXw78SpP7mNrMdZ/,iv:OpT3xlvSgLl3h9D5cRMm6B8n0RRTPcu5TrsRKAuhHck=,tag:jsNZUtIiNAkEc76/qGEKAQ==,type:str]
+wireguard:
+ bridge:
+ private: ENC[AES256_GCM,data:/Emba1VUA9gQR26h3aZM5Js9rmF49IZAX60IzNy2MJYcrpDOdP8XbPrnkTc=,iv:/BdE057mYfHT4vZ55690Xd2bjVWIEy7QS3Y8TjKJFU4=,tag:df1P9NkcEfKBDjh9yNtr3Q==,type:str]
+ public: ENC[AES256_GCM,data:+KcdWvXUnzMX7hDwMXYNmivXkHUuTVmGw1WdDOL3qpp284/4o8ZO9AaCrl0=,iv:KbNEXdSOjzRDDM5mftZ3xvU1c655j/6PMaTE5SFuTro=,tag:zZ0wnzM+kK5KIX7VU8aW1Q==,type:str]
 home-assistant:
 mosquitto:
 hass: ENC[AES256_GCM,data:X6Lv5faZ6PlFy8OHH1I94MhkRrW7uTFDYChEILxm6ruyTXKY9r5KieFcvSyeJTU99yHZ77zmnUZJ1akFwRwKziSQiBNM5eBthNjX5lRmQcbKx5kDQSPauvWp6MfF69S38j6SBdCE5VjyIh8cglD7+Q==,iv:eEoCYDW3MGl8WGaVNQczvaTi+Eg40l/lUQfm2fQO8HE=,tag:2CjNPDbmlE/D1lHfh0AHFQ==,type:str]
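Review bot: The `wireguard-bridge` block added in hosts/lilith-lab/default.nix carries no comment on what enabling it exposes: per server/wireguard.nix in this same commit it adds UDP 51821 to `networking.firewall.allowedUDPPorts` and brings up the `bridge` interface with this address. I would put a line above it such as `# WireGuard bridge endpoint: opens UDP 51821 on the host firewall; tunnel address below`. The `ip` option set here is declared there as a bare `lib.mkOption { }`, so the value is not type-checked at evaluation; declaring it with `type = lib.types.str;` and a description would reject a non-string value before activation. The enclosing attribute set starts and ends outside the hunk.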
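Review bot: The new `wireguard.bridge.public` entry in hosts/lilith-lab/secrets/default.yaml is encrypted alongside the private key, although a WireGuard public key is not confidential and the module in this commit only declares `sops.secrets."wireguard/bridge/private"`, so nothing visible here consumes it. A value kept in sops is only available after decryption on the host, so peer definitions cannot reference it at evaluation time. Unless something outside this diff reads it, I would remove it from the secrets file and record the public key as a plain value next to the peer configuration, keeping the sops file limited to material that actually needs protection.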
@@ -21,8 +25,8 @@ sops: Q0lSZ2J3cHM1Zjc3TXMwWDlnaHdWazAKo64uQ1arscAhF4gbq3ly8mCNPzSDPWql F+75SNZB24Vet5HNf0lsjZw6Iz5xiF43w05/yrSKg49cqAuij+PiCw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-14T00:52:52Z" - mac: ENC[AES256_GCM,data:Ikx/wjfyZQ+fopySJ87iXtGX+BdPo/QleLGe4WTb3q4hjjOfYbmp4tVJQWAKomwISEDoZwcrF5PghgooBg4pqfNsOJ02xUMRtKo0S9VnEnaIyU6lndX4AJ99s9tr5ilLWMDKS9EHEIkHT50tVjuJ+ikoKaTie1RAOx5Z0Gc/fYI=,iv:ivba645e2E/OxbGwGW5RR/Q++PO9zEMWMrQK3TvJwco=,tag:P8KeW8rsTHRMgWWIQ89aFw==,type:str] + lastmodified: "2026-01-15T11:55:21Z" + mac: ENC[AES256_GCM,data:GRNJRBFcgcamJ8IMWpQh8jEEB/N+aVmpLg9bLsTQqWpL+0IyR+5Ew0s58S/S6mrrZUyMMmsnbFD2ou2SaCQbDhWTp3Vp02IgrvEw8BJSHH2n/0ZdxQ2itnjzlfjsPKEudJOvE/GlYSWknz8uI7I8DNjMTdJZVXHwfbAVo0FnD9Y=,iv:HkqiBmDkfehYwnyJtf5k5XPesUD+MBjKVG6BS/m+760=,tag:koFBtoMsUsD995Wl4eisTA==,type:str] pgp: - created_at: "2025-08-21T19:07:51Z" enc: |- diff --git a/server/wireguard.nix b/server/wireguard.nix index d3595dd..6577076 100644 --- a/server/wireguard.nix +++ b/server/wireguard.nix @@ -1,17 +1,19 @@ { config, lib, ... }: { options.server.wireguard-bridge.enable = lib.mkEnableOption "Enables Wireguard host functionality"; - options.server.wireguard-bridge.ip = lib.mkOption; + options.server.wireguard-bridge.ip = lib.mkOption { }; - config = lib.mkIf config.server.wireguard-bridge { - sops.secrets."wireguard/bridge/private" = { }; + config = lib.mkIf config.server.wireguard-bridge.enable { + sops.secrets."wireguard/bridge/private" = { + sopsFile = ../hosts/${config.networking.hostName}/secrets/default.yaml; + }; networking.firewall.allowedUDPPorts = [ 51821 ]; networking.wireguard.interfaces = { bridge = { ips = [ config.server.wireguard-bridge.ip ]; listenPort = 51821; - privateKeyFile = config.sops.secrets."wireguard-bridge/private".path; + privateKeyFile = config.sops.secrets."wireguard/bridge/private".path; peers = [ {