diff --git a/hosts/modules/hosts.nix b/hosts/modules/hosts.nix
index 2a6b414d..ce3918d6 100644
--- a/hosts/modules/hosts.nix
+++ b/hosts/modules/hosts.nix
@@ -27,6 +27,13 @@ let
 e.g. "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=".
 '';
 };
+ wg-home.ip = mkOption {
+ type = types.nullOr types.str;
+ description = ''
+ IP address to use on the wg-home VPN.
+ e.g. "10.0.10.5";
+ '';
+ };
 lan-ip = mkOption {
 type = types.str;
 description = ''
@@ -61,6 +68,7 @@ in
 ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
 ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
 wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
+ wg-home.ip = "10.0.10.20";
 lan-ip = "192.168.0.20";
 };
@@ -74,6 +82,7 @@ in
 ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
 ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
 wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
+ wg-home.ip = "10.0.10.5";
 lan-ip = "192.168.0.5";
 };
 };
diff --git a/hosts/modules/wg-home.nix b/hosts/modules/wg-home.nix
index 88dfe2fc..ccb59d6c 100644
--- a/hosts/modules/wg-home.nix
+++ b/hosts/modules/wg-home.nix
@@ -1,8 +1,10 @@
 { config, lib, pkgs, ... }:
 let
+ inherit (builtins) mapAttrsToList;
 inherit (lib) mkIf mkMerge mkOption optionalAttrs types;
 cfg = config.sane.services.wg-home;
+ server-cfg = config.sane.hosts.by-name."servo".wg-home;
 in
 {
 options = {
@@ -48,7 +50,7 @@ in
 peers = [
 {
 # server pubkey
- publicKey = config.sane.hosts.by-name."servo".wg-home.pubkey;
+ publicKey = server-cfg.pubkey;
 # accept traffic from any IP addr on the other side of the tunnel
 # allowedIPs = [ "0.0.0.0/0" ];
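Review bot: The new `wg-home.ip` option in the first hunk is typed `types.nullOr types.str` but has no `default`, so a host entry that omits it does not evaluate to null; reading `wg-home.ip` for such a host fails with the module system's "used but not defined" error, and an `or` fallback in a consumer cannot catch that because the attribute itself exists. Add `default = null;` next to `type` so the nullable type actually means optional; the two hosts in the later hunks set it explicitly either way. `types.str` also accepts any string, and wg-home.nix interpolates the value straight into `"${...}/32"`, so a value that already carries a prefix length would be accepted unchecked; a one-line comment on the option such as `# bare IPv4 address, no prefix length; the wg-home module appends /32` would make the expected format clear.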
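Review bot: `inherit (builtins) mapAttrsToList;` in the first wg-home.nix hunk will not evaluate: `mapAttrsToList` is not a Nix builtin (builtins only provides `mapAttrs`), it lives in nixpkgs `lib`, so the whole module fails with an attribute-missing error before any peer list is built. Fold it into the existing lib line, `inherit (lib) mapAttrsToList mkIf mkMerge mkOption optionalAttrs types;`, and drop the builtins line. The new `server-cfg` binding hard-codes `"servo"` as the hub with no explanation; a short comment such as `# wg-home hub host; every other host in by-name becomes a peer of it` would tell the next reader why this one host is special.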
@@ -68,30 +70,14 @@ in
 ips = [ "10.0.10.5/24" ];
- peers = [
- {
- # lappy
- publicKey = config.sane.hosts.by-name."lappy".wg-home.pubkey;
- allowedIPs = [ "10.0.10.20/32" ];
- # allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ];
- # allowedIPs = [ "0.0.0.0/0" ];
- }
- # {
- # # lappy
- # publicKey = "TODO";
- # allowedIPs = [ "10.0.10.20/32" ];
- # }
- # {
- # # desko
- # publicKey = "TODO";
- # allowedIPs = [ "10.0.10.22/32" ];
- # }
- # {
- # # moby
- # publicKey = "TODO";
- # allowedIPs = [ "10.0.10.48/32" ];
- # }
- ];
+ peers = mapAttrsToList
+ (name: hostcfg:
+ lib.mkIf (hostcfg.wg-home.ip or server-cfg.ip != server-cfg.ip) {
+ publicKey = hostcfg.wg-home.pubkey;
+ allowedIPs = [ "${hostcfg.wg-home.ip}/32" ];
+ }
+ )
+ config.sane.hosts.by-name;
 };
 }
 ]);
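Review bot: The peer filter `hostcfg.wg-home.ip or server-cfg.ip != server-cfg.ip` parses as `(hostcfg.wg-home.ip or server-cfg.ip) != server-cfg.ip`, which is the intended comparison, but the `or` fallback only fires when the attribute is missing; `wg-home.ip` is a declared option, so for a host that does not set it the attribute is present and evaluating it raises the module system's "used but not defined" error instead of excluding that host. If the option gets `default = null;`, the guard should be `mkIf (hostcfg.wg-home.ip != null && hostcfg.wg-home.ip != server-cfg.ip) {`, which also keeps a null from being interpolated into `"${hostcfg.wg-home.ip}/32"`; `mkIf` is already inherited from lib in this file, so `lib.mkIf` can simply be `mkIf`. The unchanged `ips = [ "10.0.10.5/24" ];` one line above now duplicates the value held in `server-cfg.ip` and could be `ips = [ "${server-cfg.ip}/24" ];` so the server address is defined in one place. The interface definition this peers list belongs to starts outside the hunk.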