diff --git a/nix/hosts/ytnix/.sops.yaml b/nix/hosts/ytnix/.sops.yaml
index 7166ce8..99be1e4 100644
--- a/nix/hosts/ytnix/.sops.yaml
+++ b/nix/hosts/ytnix/.sops.yaml
@@ -1,7 +1,7 @@
 keys:
 - &primary age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
 creation_rules:
- - path_regex: secrets/secrets.yaml$
+ - path_regex: secrets.yaml$
 key_groups:
 - age:
 - *primary
diff --git a/nix/hosts/ytnix/default.nix b/nix/hosts/ytnix/default.nix
index 13901dc..b81e900 100644
--- a/nix/hosts/ytnix/default.nix
+++ b/nix/hosts/ytnix/default.nix
@@ -18,6 +18,8 @@
 "borg/yt" = {};
 "azure" = {};
 "ntfy" = {};
+ "wireguard/private" = {};
+ "wireguard/psk" = {};
 };
 
 boot = {
@@ -34,7 +36,6 @@
 
 networking = {
 hostName = "ytnix";
- # nftables.enable = true;
 wireless.iwd = {
 enable = true;
 settings = {
@@ -50,10 +51,11 @@
 dns = "none";
 wifi.backend = "iwd";
 };
- nameservers = ["127.0.0.1" "::1"];
+ nameservers = ["31.59.129.225" "2a0f:85c1:840:2bfb::1"];
 resolvconf.enable = true;
 firewall = {
- trustedInterfaces = ["wgnord"];
+ allowedUDPPorts = [ 51820 ]; # for wireguard
+ trustedInterfaces = [ "wg0" ];
 };
 };
 programs.nm-applet.enable = true;
@@ -110,7 +112,6 @@
 dnsutils
 age
 compsize
- wgnord
 wireguard-tools
 traceroute
 sops
@@ -229,22 +230,6 @@
 };
 programs.virt-manager.enable = true;
 
- services.dnscrypt-proxy2 = {
- enable = true;
- settings = {
- ipv6_servers = true;
- require_dnssec = true;
- sources.public-resolvers = {
- urls = [
- "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
- "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
- ];
- cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
- minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
- };
- };
- };
-
 services.usbmuxd.enable = true;
 programs.nix-ld.enable = true;
 programs.evolution.enable = true;
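Review bot: `path_regex: secrets.yaml$` is anchored only at the end and leaves the dot unescaped, so it also matches any path that merely ends in those characters (a later `other-secrets.yaml`, for instance) and would quietly encrypt such files to this host's key. The rule is meant for the single file beside this `.sops.yaml` (the old value carried a `secrets/` prefix, so the match is presumably taken relative to this directory — confirm), and `- path_regex: ^secrets\.yaml$` states exactly that.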
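Review bot: The new `nameservers` swap the local dnscrypt-proxy2 resolver (removed in the last hunk of this file, together with its `require_dnssec`) for plain DNS to `31.59.129.225` and `2a0f:85c1:840:2bfb::1`, the first of which is also the WireGuard endpoint's public address: while wg0 is up those queries ride the tunnel (given the `0.0.0.0/0` allowedIPs in the final hunk, wg-quick's policy routing sends unmarked traffic through it), but whenever the tunnel is down — before the unit starts at boot, or after a failed handshake — they leave in cleartext over the local Wi-Fi and nothing validates the answers. Consider declaring the resolver on the interface instead, `dns = [ "<tunnel-side address of the peer>" ];` inside the wg0 block, so it is only installed while the tunnel exists, or keep a validating resolver in front. `allowedUDPPorts = [ 51820 ]; # for wireguard` opens an inbound port the tunnel does not use: this host initiates the handshake, the wg0 interface sets no `listenPort` so it does not listen on 51820, and the stateful firewall already passes the replies, so the line can go unless incoming peers are expected. `trustedInterfaces = [ "wg0" ]` exposes every local service to whatever reaches this host through the tunnel, which is appropriate only if the peer network is trusted as much as the host itself.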
@@ -278,4 +263,19 @@
 
 };
 services.ollama.enable = true;
+
+ # wireguard setup
+ networking.wg-quick.interfaces.wg0 = {
+ address = [ "10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64" ];
+ privateKeyFile = "/run/secrets/wireguard/private";
+ peers = [
+ {
+ publicKey = "a16/F/wP7HQIUtFywebqPSXQAktPsLgsMLH9ZfevMy0=";
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ endpoint = "31.59.129.225:51820";
+ persistentKeepalive = 25;
+ presharedKeyFile = "/run/secrets/wireguard/psk";
+ }
+ ];
+ };
 }
diff --git a/nix/hosts/ytnix/secrets.yaml b/nix/hosts/ytnix/secrets.yaml
index a1cc4b2..4b93538 100644
--- a/nix/hosts/ytnix/secrets.yaml
+++ b/nix/hosts/ytnix/secrets.yaml
@@ -4,6 +4,9 @@ restic:
 azure-yt: ENC[AES256_GCM,data:s8TJ5cNVW2Jr7kyul8mrBGwdLoTlNTb2MfpZgPU=,iv:sC0DbgFbFl6vvLqwOFDwRa3nabrIWxOTuz7GXn17IHk=,tag:2MYprYgNhh1aFlzuyw5eGQ==,type:str]
 azure: ENC[AES256_GCM,data:UdHmasRElCFC66dxnnGTOw6vgOzrOIMiSLsczK0Qew2WBdZUKVnRTfSCxQrB7P8k+j3N2CDt5Y4GXvf9GVFrWCMOInOqYXcyycGXsdli2DbqpXTa3f13ykvc/aoKyw3YuFQdrNci3Kae9PYZ4v5f7fH8n4WgOKuYj3mO9k7WHxM1JBzYRRZP41Jghnb9SqVhl9UXVPI5ONBd6JI/FiezSMZPYC2FxNgQ7zHUQJ7qQ6aJTgRljslJK9I=,iv:bRoYEA1hbEXRG7PoU7Dfba9uRu3cAqfeuvSIfavZZ8M=,tag:cHXUe/njZNoG6EuHYYz0Yg==,type:str]
 ntfy: ENC[AES256_GCM,data:ZfTVhdzA1+L3B+g7tw==,iv:1dXDqYi5/zBQ9iphzjn/GHGDcl90J1NYHvHQpTsVPlg=,tag:RfB1/Zz9ITJQV89cuk9OcQ==,type:str]
+wireguard:
+ private: ENC[AES256_GCM,data:hPfJis6gbPPguuhNBViiZDmeFSaUXsgRrCGrhTFzbySIytVuaieU0BJSJQo=,iv:tYU41JTeB7Y50RQr1b+zGCgB5voZec2Vfmd350J1Tgc=,tag:aFMZoJhMToJDuuV8dc5Acg==,type:str]
+ psk: ENC[AES256_GCM,data:NhQ1lYFpjTpqbkhYyEpEcBTf6vewSeGevUnvCmruoZMSGA2ZWs+le8a0tAA=,iv:aBeVhzUwzBgochk4vtdqnUv61dZ5jELh28amx8XqyFI=,tag:9TvGx+sJaicX52FitOpOdA==,type:str]
 sops:
 kms: []
 gcp_kms: []
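Review bot: `privateKeyFile` and `presharedKeyFile` repeat the `/run/secrets/...` locations as string literals, which drift silently if the sops-nix mount point or a per-secret `path` is ever changed; `privateKeyFile = config.sops.secrets."wireguard/private".path;` (and the same for the psk) keeps the two declarations in step, provided the module already takes `config` in its arguments — the file header is outside this hunk. The `# wireguard setup` comment would serve a reader better as `# Full-tunnel WireGuard client: all IPv4/IPv6 traffic goes via the peer; private key and PSK come from the sops secrets declared above`. Everything else — a single peer, keepalive, a PSK on top of the static keys — reads as a sane client profile.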
@@ -19,8 +22,8 @@ sops:
 a1MwYjB0Tm03bzJnWTdoZ01KbXBPUkUKUr6hOsdZDJK6bFyEnBf4Vkms8EJsIvZY
 ML481g9d9Vlm5x7X74nUcWemFSzttSdWEM3Y/IOHpXDbvC/Tbw+z7Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-12-01T00:51:59Z"
- mac: ENC[AES256_GCM,data:TYyfVAAxiScRb/KAwqaglr5OjYAfb6uPb3Tdwum1rN09NLzmr8T4W3PramKCgGdTemtjl5YYpBT2lRnKfsNMpzLwg3JHsLV/6JvzCMAHuVPzHHG4SfbAlEz1uLH1/UopxW1w2RAMKK8do9+aXviL/nmXT6gbHgIVCI07U3006Lw=,iv:gyYePlF0MBSU6yhLieV/q8Gw/LbSaZWD7ghAaTLWQmk=,tag:P1L0FaTCmxeFYM6tdzhJBA==,type:str]
+ lastmodified: "2024-12-14T23:07:47Z"
+ mac: ENC[AES256_GCM,data:GQUbR/ApVo6E5jqkGo79GDkRv7nj7Sa16ROCTg0uYO0xDmv9h/bPWBTUOfsU0G/0g3OvohLkBbmYA+hMx24xlLQzQkh8Z3dyAn9CcAJ2j9JLY7qHtSBpvafyPptvKzmPU0mnQpShgqYPCUhF6A2B2YAAvW+TknBih7eiKKeidkc=,iv:XLKIad/LZWuWUrrcXtF0UyNccLhoB0VSWXYCGDq/7Uc=,tag:lNyMV8Ses28gOj+KINem5A==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.9.1
+ version: 3.9.2