diff --git a/hosts/by-name/servo/secrets.nix b/hosts/by-name/servo/secrets.nix
index a7de5f91..a4dd03c3 100644
--- a/hosts/by-name/servo/secrets.nix
+++ b/hosts/by-name/servo/secrets.nix
@@ -35,6 +35,9 @@
     sopsFile = ../../../secrets/servo.yaml;
   };
 
+  sops.secrets."wg_home_server_privkey" = {
+    sopsFile = ../../../secrets/servo.yaml;
+  };
   sops.secrets."wg_ovpns_privkey" = {
     sopsFile = ../../../secrets/servo.yaml;
   };
diff --git a/hosts/modules/wg-home.nix b/hosts/modules/wg-home.nix
index 3896627e..30b0f1cf 100644
--- a/hosts/modules/wg-home.nix
+++ b/hosts/modules/wg-home.nix
@@ -1,7 +1,7 @@
 { config, lib, ... }:
 
 let
-  inherit (lib) mkIf mkOption optionalAttrs types;
+  inherit (lib) mkIf mkMerge mkOption optionalAttrs types;
   cfg = config.sane.services.wg-home;
 in
 {
@@ -15,61 +15,72 @@ in
     };
   };
 
-  config = mkIf cfg.enable {
-    # wireguard VPN which allows everything on my domain to speak to each other even when
-    # not behind a shared LAN.
-    # this config defines both the endpoint (server) and client configs
+  config = mkIf cfg.enable (mkMerge [
+    {
+      # wireguard VPN which allows everything on my domain to speak to each other even when
+      # not behind a shared LAN.
+      # this config defines both the endpoint (server) and client configs
 
-    networking.firewall.allowedUDPPorts = [ 51820 ];
-    networking.wireguard.interfaces.wg-home = {
-      privateKeyFile = config.sops.secrets.wg_home_privkey.path;
-      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
-    } // (optionalAttrs (cfg.role == "client") {
-      # client IP (TODO: make host-specific)
-      ips = [ "10.0.10.20/32" ];
+      # for convenience, have both the server and client use the same port for their wireguard connections.
+      networking.firewall.allowedUDPPorts = [ 51820 ];
+      networking.wireguard.interfaces.wg-home = {
+        listenPort = 51820;
+      };
+    }
 
-      peers = [
-        {
-          # server pubkey
-          publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
+    {
+      networking.wireguard.interfaces.wg-home = lib.mkIf (cfg.role == "client") {
+        privateKeyFile = config.sops.secrets.wg_home_privkey.path;
+        # client IP (TODO: make host-specific)
+        ips = [ "10.0.10.20/32" ];
 
-          # accept traffic from any IP addr on the other side of the tunnel
-          allowedIPs = [ "0.0.0.0/0" ];
+        peers = [
+          {
+            # server pubkey
+            publicKey = "cy9tvnwGMqWhLxRZlvxDtHmknzqmedAaJz+g3Z0ILG0=";
 
-          endpoint = "uninsane.org:51820";
+            # accept traffic from any IP addr on the other side of the tunnel
+            allowedIPs = [ "0.0.0.0/0" ];
 
-          # send keepalives every 25 seconds to keep NAT routes live
-          persistentKeepalive = 25;
-        }
-      ];
-    }) // (optionalAttrs (cfg.role == "server") {
-      ips = [
-        "10.0.10.5/24"
-      ];
-      peers = [
-        {
-          # peers and host all use the same key
-          publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
-          allowedIPs = [ "10.0.10.0/24" ];
-          # allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ];
-          # allowedIPs = [ "0.0.0.0/0" ];
-        }
-        # {
-        #   # lappy
-        #   publicKey = "TODO";
-        #   allowedIPs = [ "10.0.10.20/32" ];
-        # }
-        # {
-        #   # desko
-        #   publicKey = "TODO";
-        #   allowedIPs = [ "10.0.10.22/32" ];
-        # }
-        # {
-        #   # moby
-        #   publicKey = "TODO";
-        #   allowedIPs = [ "10.0.10.48/32" ];
-        # }
-      ];
-    });
-  };
+            endpoint = "uninsane.org:51820";
+
+            # send keepalives every 25 seconds to keep NAT routes live
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    }
+    {
+      networking.wireguard.interfaces.wg-home = lib.mkIf (cfg.role == "server") {
+        privateKeyFile = config.sops.secrets.wg_home_server_privkey.path;
+        ips = [
+          "10.0.10.5/24"
+        ];
+        peers = [
+          {
+            # peers all use the same key
+            publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
+            allowedIPs = [ "10.0.10.0/24" ];
+            # allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ];
+            # allowedIPs = [ "0.0.0.0/0" ];
+          }
+          # {
+          #   # lappy
+          #   publicKey = "TODO";
+          #   allowedIPs = [ "10.0.10.20/32" ];
+          # }
+          # {
+          #   # desko
+          #   publicKey = "TODO";
+          #   allowedIPs = [ "10.0.10.22/32" ];
+          # }
+          # {
+          #   # moby
+          #   publicKey = "TODO";
+          #   allowedIPs = [ "10.0.10.48/32" ];
+          # }
+        ];
+      };
+    }
+  ]);
 }
diff --git a/secrets/servo.yaml b/secrets/servo.yaml
index 8c94c264..0fd7852f 100644
--- a/secrets/servo.yaml
+++ b/secrets/servo.yaml
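Review bot: The server branch still authenticates every client through one peer entry (`# peers all use the same key`) whose `allowedIPs = [ "10.0.10.0/24" ]`, so any holder of the shared client private key can source packets from any address in the subnet and the server cannot attribute tunnel traffic to a particular host; the commit gives the server its own key but leaves that in place. The commented-out lappy/desko/moby entries already describe the fix — one peer per host with its own `publicKey` and a /32 in `allowedIPs` — and the client side's `# client IP (TODO: make host-specific)` would be settled by the same per-host data. Two style points: the inner conditions use `lib.mkIf` although `mkIf` is already inherited from `lib` in the hunk at line 1, and `optionalAttrs` appears to have no remaining use once the `//` merges are gone, yet stays in that `inherit`. If `cfg.role` admits a value other than `"client"` or `"server"` (its option declaration ends just above this hunk, so I cannot tell), the interface is now declared with a `listenPort` but no `privateKeyFile`, a combination the old unconditional `privateKeyFile` line ruled out.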
@@ -8,6 +8,7 @@ ddns_afraid: ENC[AES256_GCM,data:fTjwU7DoPDXulmjUNXSe5FVLGv4DvPvIHYCLwagVmKXlWOc
 #ENC[AES256_GCM,data:zhL2iNWZ8xPbBneffWcc93ZCW/SDv5FH,iv:P3a8+oucJRM8o7hnHUxAvefHdZEAbKJKhK2Y1+r75GA=,tag:VFvFucE5c780RmspW7p8Qg==,type:comment]
 #ENC[AES256_GCM,data:N0wn6NUjQKXFbSULhrKzqDc4bHVbM3JLWJwOu5Zoi00gCKSiMA==,iv:9NhoT+OM+bjz4DwRRm2c4rTBZ3Jr6eMOY7F1l4WeE1k=,tag:inkd6kw8HvT5Tz3UAbIklw==,type:comment]
 wg_ovpns_privkey: ENC[AES256_GCM,data:+SdnhsPyg6Vbl0itNLq4fBPONLBknkjFCr/4shTr2HjeGdaD7LxPud1VvfM=,iv:Rf647IlLImPu7l2CHqetjs0y6QkWdqXUO70OKfcII00=,tag:ykvKJ9BeTDbQqR7K5S6Rfw==,type:str]
+wg_home_server_privkey: ENC[AES256_GCM,data:epUVE8K2+fboEzPaDiznmI25HXcNluGV0QTGp0dk/dQIQkXmygYT3Bw9/s0=,iv:UJUA7dr98Lajn0gAmRfLdbIgiFjSp2XvZNrSs9pH9dg=,tag:ytgMS+vOcrWIJVX/qjZ2ww==,type:str]
 #ENC[AES256_GCM,data:857w7AqbAbVTOKFLxKcMkcQjJ7EkHZFwBRwtCJFspOk8do2f,iv:bIrXzdrhRYk79ZV+JCdIw4UVxq11/tTZUDL6Bwf+NoE=,tag:igMRz5UPX//JrF9NGCOwHQ==,type:comment]
 #ENC[AES256_GCM,data:KzCOrdCiXHrVx+oGj2mz/+zkZ8eRRnFhHadx6FlXj8OXQDMvDkSPi6G2f6j5FE//G2F321mZCiMJ1Mf32tItGb0SxoEhyO9wxTesNn45hmA7M0z5HqTxACU=,iv:ksdz8j2fq1W/xnzu0y1JaIgbKzjiqj2KHCEYhkEKsrM=,tag:dbH/vy4JgL1eUeNpv7afSQ==,type:comment]
 dovecot_passwd: ENC[AES256_GCM,data:GsXT6PQjCibzyr5G4W3IOIRL4xBuYqFYHpRJOjS2TvXIlTSwVrHbx5Vw5wLHI0zN14rvYy5sycJvEMiCC1YPVphAYNm7VHdo97sUGLpjZ1BpUaJ2KBx77jErxbPrJUSpAroojQFtXFYA2t2bTpOSjZGH7UeyZoLckZtdDqXmnBDvirwVDPNaPv04RrhnqehGyh8EN+b2b5KAm99U9H1oyxIL6mAMJo6FtduVejiVqJB2sl/myI5fJ+bvwkW1CLRmVi0JdVHs4BlTQpi5Q8Kx2SMOH02TP+QDSHv/O8ROpbZ8m0oTk2YbgAG7U8K0t55j8jjWX/7OD4nMv485PgzAMINdzI46g9l9afzo,iv:8MqpUkRPpGJiuWtrdTJAIDXrKZMI73LcwzOiqVMWR88=,tag:+zXmEPV90loAMJtL/+v3vA==,type:str]
@@ -60,8 +61,8 @@ sops:
             cWplOHBNWjlJdGI3ZWtJc0t4Mk9URG8KE+9IPGYZsIs2PaDJ2AUE4gB4QEj5zo6P
             aZVbubu6Tbg+tD/98RkfWAkNvoVeDYuLNPDNgqOL0UgCQiTrPPaTjw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-15T09:12:44Z"
-    mac: ENC[AES256_GCM,data:QQiTsQogs6MP9X0lrpf2FeSia6SeQP5/9dtUrWQOd2Vh/s0fBJfIGUdLeLgt5itvaD5QywY6lN9Rsx++BUN0rrwUu/uF42KOMC7wjHdSv07CYuDfvlFZItuIo5eWlfcEq9+p6/VwUXY0TU3M6Ex+mABT5XK67tnLuh/SoHUl+DA=,iv:12sa+wFdO5T7pZrLM3mnEwoJ0WmXZZLKpucEgMYQHMI=,tag:zZEz6+vTma6KDMwXi/fNZA==,type:str]
+    lastmodified: "2023-01-20T05:07:55Z"
+    mac: ENC[AES256_GCM,data:DiSYji+n9XdsUVJZzrXT9RmoQ+WNvkBB9CPxAGbVbFlPgVD4c4FUrGOruCMNK6G4PdLYBz2/YW3zi4fTwFK7VbJqhaaPKH/hLlCBQuXjYUmsfurWloRVUiuusbiA0yA5DYQ5+93mc+jN8xyDn3cOXzdxy/e8/cAH82AS8kKg1aM=,iv:6X+8ae0V/McmdIc0BXSSEO4cNfSQODtYbKaejK4p70k=,tag:ra2M9ARAxZo1a1FnsZVBug==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3