diff --git a/hosts/modules/wg-home.nix b/hosts/modules/wg-home.nix index d451333a..ff47f5e0 100644 --- a/hosts/modules/wg-home.nix +++ b/hosts/modules/wg-home.nix @@ -1,14 +1,12 @@ { config, lib, pkgs, ... }: let - inherit (builtins) filter map; - inherit (lib) concatMap mapAttrsToList mkIf mkMerge mkOption optionalAttrs types; cfg = config.sane.services.wg-home; server-cfg = config.sane.hosts.by-name."servo".wg-home; mkPeer = { ips, pubkey, endpoint }: { publicKey = pubkey; - allowedIPs = map (k: "${k}/32") ips; - } // (optionalAttrs (endpoint != null) { + allowedIPs = builtins.map (k: "${k}/32") ips; + } // (lib.optionalAttrs (endpoint != null) { inherit endpoint; # send keepalives every 25 seconds to keep NAT routes live. # only need to do this from client -> server though, i think. @@ -17,18 +15,18 @@ let dynamicEndpointRefreshSeconds = 600; }); # make separate peers to route each given host - mkClientPeers = hosts: map (p: mkPeer { + mkClientPeers = hosts: builtins.map (p: mkPeer { inherit (p) pubkey endpoint; ips = [ p.ip ]; }) hosts; # make a single peer which routes all the given hosts mkServerPeer = hosts: mkPeer { inherit (server-cfg) pubkey endpoint; - ips = map (h: h.ip) hosts; + ips = builtins.map (h: h.ip) hosts; }; in { - options = { + options = with lib; { sane.services.wg-home.enable = mkOption { type = types.bool; default = false; @@ -51,7 +49,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { # generate a (deterministic) wireguard private key sane.derived-secrets."/run/wg-home.priv" = { len = 32; 
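Review bot: `options = with lib; {` in the second hunk goes against the rest of this commit, which replaces the `inherit` lists with explicit `builtins.`/`lib.` prefixes. `with lib;` brings every attribute of lib into scope for the whole options block, and a name resolved that way silently loses to any lexically bound name of the same spelling, so a reader cannot tell where `mkOption` or `types` comes from without knowing the full scope. I would keep `options = {` and write `lib.mkOption` and `lib.types.bool` at each use, as the other hunks now do. The options block continues outside the hunk, so any further `mkOption`/`types` uses there would need the same prefix.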
@@ -84,8 +82,8 @@ in peers = let - all-peers = mapAttrsToList (_: hostcfg: hostcfg.wg-home) config.sane.hosts.by-name; - peer-list = filter (p: p.ip != null && p.ip != cfg.ip && p.pubkey != null) all-peers; + all-peers = lib.mapAttrsToList (_: hostcfg: hostcfg.wg-home) config.sane.hosts.by-name; + peer-list = builtins.filter (p: p.ip != null && p.ip != cfg.ip && p.pubkey != null) all-peers; in if cfg.routeThroughServo then # if acting as a client, then maintain a single peer -- the server -- which does the actual routing