diff --git a/agenix/hosts/mediaserver/wireguard/config.age b/agenix/hosts/mediaserver/wireguard/config.age
index f6202cb..a03c523 100644
Binary files a/agenix/hosts/mediaserver/wireguard/config.age and b/agenix/hosts/mediaserver/wireguard/config.age differ
diff --git a/secret/hosts/mediaserver.nix b/secret/hosts/mediaserver.nix
new file mode 100644
index 0000000..97a4f00
Binary files /dev/null and b/secret/hosts/mediaserver.nix differ
diff --git a/system/hosts/mediaserver.nix b/system/hosts/mediaserver.nix
index df37116..6585971 100644
--- a/system/hosts/mediaserver.nix
+++ b/system/hosts/mediaserver.nix
@@ -1,6 +1,7 @@
 args@{ pkgs, config, lib, ... }:
 let
+ secret = import ../../secret/hosts/mediaserver.nix;
 ssh-keys = import ../shared/ssh-keys.nix;
 in
 {
@@ -19,7 +20,7 @@ in
 ../nixos/tailscale.nix
 ../nixos/mediaserver-setup.nix
- ../nixos/wireguard-netns.nix
+ (import ../nixos/wireguard-netns.nix (args // { inherit secret; }))
 ../nixos/prowlarr.nix
 ../nixos/sabnzbd.nix
 ../nixos/sonarr.nix
diff --git a/system/nixos/wireguard-netns.nix b/system/nixos/wireguard-netns.nix
index 5b897ef..911f0ae 100644
--- a/system/nixos/wireguard-netns.nix
+++ b/system/nixos/wireguard-netns.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, config, secret, ... }:
 {
 environment.systemPackages = with pkgs; [ ldns tcpdump wireguard-tools ];
@@ -6,7 +6,7 @@
 environment.etc."netns/wg/resolv.conf" = {
 mode = "0644";
 text = ''
- nameserver 10.64.0.1
+ nameserver ${secret.wireguard.dns}
 '';
 };
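Review bot: The new `secret = import ../../secret/hosts/mediaserver.nix;` binding in the `let` block pulls in a file that the repository shows only as a binary blob, so nothing readable records which attributes it must provide. The rest of this commit reads `secret.wireguard.dns`, `secret.wireguard.ipv4` and `secret.wireguard.ipv6`; a comment above the binding would document that, for example `# stored encrypted in the repo; must define wireguard.{dns,ipv4,ipv6}`. If the blob is decrypted by a checkout filter (not visible here), it is also worth noting that evaluation will fail with a parse error on a checkout that has not been unlocked.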
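Review bot: Calling the module by hand in `imports`, `(import ../nixos/wireguard-netns.nix (args // { inherit secret; }))`, turns a path entry into an anonymous function result, so the module system no longer knows which file it came from for error locations, deduplication or `disabledModules`. Keeping the entry as `../nixos/wireguard-netns.nix` and setting `_module.args.secret = secret;` in this host's configuration passes the same value through the normal argument mechanism. That should work here because, in the lines shown, wireguard-netns.nix uses `secret` only inside option values and not in an `imports` list of its own. The `imports` list this entry sits in begins outside the hunk.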
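Review bot: `nameserver ${secret.wireguard.dns}` is interpolated at evaluation time into an `environment.etc` entry with `mode = "0644"`, so the value leaves the encrypted file and ends up in the Nix store and in a world-readable file under /etc on the host. The same applies to `${secret.wireguard.ipv4}` and `${secret.wireguard.ipv6}` in the `@@ -61,8 +61,8 @@` hunk, which are written into the generated script text. That is acceptable if the goal is only to keep these values out of the public repository, but it should be stated so that nobody later adds key material to `secret/`; a comment such as `# evaluated into the Nix store: keep keys in agenix, not here` next to the `text` attribute would do. The tunnel configuration itself stays on the runtime-decrypted path via `config.age.secrets.wireguard-config.path`, visible in that later hunk.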
@@ -61,8 +61,8 @@
 ${iproute}/bin/ip link add wg0 type wireguard
 ${wireguard-tools}/bin/wg setconf wg0 ${config.age.secrets.wireguard-config.path}
 ${iproute}/bin/ip link set wg0 netns wg
- ${iproute}/bin/ip -n wg address add 10.66.10.158/32 dev wg0
- ${iproute}/bin/ip -n wg -6 address add fc00:bbbb:bbbb:bb01::3:a9d/128 dev wg0
+ ${iproute}/bin/ip -n wg address add ${secret.wireguard.ipv4} dev wg0
+ ${iproute}/bin/ip -n wg -6 address add ${secret.wireguard.ipv6} dev wg0
 ${iproute}/bin/ip -n wg link set wg0 up
 ${iproute}/bin/ip -n wg route add default dev wg0
 ${iproute}/bin/ip -n wg -6 route add default dev wg0
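Review bot: The two added `ip ... address add` lines splice `${secret.wireguard.ipv4}` and `${secret.wireguard.ipv6}` into the script unquoted, and the file they come from cannot be read in review. A value with stray whitespace, or an empty string, would change how `ip` parses the command line instead of failing clearly. Escaping at the interpolation site, e.g. `address add ${lib.escapeShellArg secret.wireguard.ipv4} dev wg0`, keeps each value a single argument; this needs `lib` added to the module's argument set, which currently reads `{ pkgs, config, secret, ... }`. The script these lines belong to starts and ends outside the hunk.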