diff --git a/common.nix b/common.nix
deleted file mode 100644
index 798db09..0000000
--- a/common.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- imports = [
- ./modules/home-manager.nix
- ./modules/locale.nix
- ./modules/shell
- ./modules/users/may.nix
- ./modules/ssh.nix
- ./modules/git.nix
- ./modules/cli.nix
- ];
-}
diff --git a/encrypt.sh b/encrypt.sh
new file mode 100755
index 0000000..31a1458
--- /dev/null
+++ b/encrypt.sh
@@ -0,0 +1,2 @@
+sudo cat secrets/wireguard/server_priv | agenix -e secrets/wireguard/server_priv.age
+sudo cat secrets/wireguard/home_psk | agenix -e secrets/wireguard/home_psk.age
diff --git a/hosts/common.nix b/hosts/common.nix
new file mode 100644
index 0000000..36e1593
--- /dev/null
+++ b/hosts/common.nix
@@ -0,0 +1,12 @@
+{
+ imports = [
+ ../modules/agenix.nix
+ ../modules/home-manager.nix
+ ../modules/locale.nix
+ ../modules/shell
+ ../modules/users/may.nix
+ ../modules/ssh.nix
+ ../modules/git.nix
+ ../modules/cli.nix
+ ];
+}
diff --git a/desktop.nix b/hosts/desktop.nix
similarity index 71%
rename from desktop.nix
rename to hosts/desktop.nix
index a2fc7ee..e58342c 100644
--- a/desktop.nix
+++ b/hosts/desktop.nix
@@ -3,21 +3,21 @@
 {
 imports = [
 ./common.nix
- ./modules/networking.nix
- ./modules/bluetooth.nix
- ./modules/amd.nix
- ./modules/games/steam.nix
- ./modules/games/minecraft.nix
- ./modules/fonts.nix
- ./modules/packages.nix
- ./modules/wireguard-server.nix
- ./modules/hyprland
- ./modules/tex.nix
+ ../modules/networking.nix
+ ../modules/bluetooth.nix
+ ../modules/amd.nix
+ ../modules/games/steam.nix
+ ../modules/games/minecraft.nix
+ ../modules/fonts.nix
+ ../modules/packages.nix
+ ../modules/wireguard-server.nix
+ ../modules/hyprland
+ ../modules/tex.nix
 ];
 nixpkgs.config.allowUnfree = true;
- networking.hostName = "nixos-desktop";
+ networking.hostName = "desktop";
 networking.firewall.allowedTCPPorts = [ 51820 25565 42069 8000 8080 ];
 home-manager.users.may.wayland.windowManager.hyprland.settings = {
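Review bot: The two commands in encrypt.sh read the WireGuard private key and preshared key from plaintext files `secrets/wireguard/server_priv` and `secrets/wireguard/home_psk` inside the repository, so the unencrypted material sits next to the `.age` files that agenix is meant to replace and, unless those paths are ignored by git, is one `git add` away from being committed. For new keys, prefer generating and encrypting in one step so no plaintext copy is written, e.g. `wg genkey | agenix -e secrets/wireguard/server_priv.age` and `wg genpsk | agenix -e secrets/wireguard/home_psk.age`, and remove the existing plaintext files once the `.age` outputs decrypt correctly. The file is also marked executable (mode 100755) but has no interpreter line or failure handling, so a failing `sudo cat` would hand agenix an empty stream; add `#!/usr/bin/env bash` and `set -euo pipefail` at the top.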
diff --git a/hosts/laptop.nix b/hosts/laptop.nix
new file mode 100644
index 0000000..cdee41c
--- /dev/null
+++ b/hosts/laptop.nix
@@ -0,0 +1,20 @@
+{
+ imports = [
+ ./common.nix
+ ../modules/networking.nix
+ ../modules/bluetooth.nix
+ ../modules/games/steam.nix
+ ../modules/games/minecraft.nix
+ ../modules/fonts.nix
+ ../modules/packages.nix
+ ../modules/hyprland
+ ../modules/tex.nix
+ ];
+
+ nixpkgs.config.allowUnfree = true;
+
+ networking.hostName = "laptop";
+
+ system.stateVersion = "23.11";
+ home-manager.users.may.home.stateVersion = "25.11";
+}
diff --git a/hosts/work.nix b/hosts/work.nix
new file mode 100644
index 0000000..3efb7fc
--- /dev/null
+++ b/hosts/work.nix
@@ -0,0 +1,17 @@
+{
+ imports = [
+ ./common.nix
+ ../modules/networking.nix
+ ../modules/bluetooth.nix
+ ../modules/fonts.nix
+ ../modules/packages.nix
+ ../modules/hyprland
+ ];
+
+ nixpkgs.config.allowUnfree = true;
+
+ networking.hostName = "work";
+
+ system.stateVersion = "23.11";
+ home-manager.users.may.home.stateVersion = "25.11";
+}
diff --git a/laptop.nix b/laptop.nix
deleted file mode 100644
index 55df389..0000000
--- a/laptop.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- imports = [
- ./common.nix
- ./modules/networking.nix
- ./modules/bluetooth.nix
- ./modules/steam.nix
- ./modules/fonts.nix
- ./modules/packages.nix
- ./modules/hyprland
- ];
-
- nixpkgs.config.allowUnfree = true;
-
- networking.hostName = "nixos-laptop";
-
- system.stateVersion = "23.11";
- home-manager.users.may.home.stateVersion = "25.11";
-}
diff --git a/modules/agenix.nix b/modules/agenix.nix
new file mode 100644
index 0000000..c44ede5
--- /dev/null
+++ b/modules/agenix.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+let
+ agenixSrc = builtins.fetchTarball "https://github.com/ryantm/agenix/archive/main.tar.gz";
+in {
+ imports = [
+ "${agenixSrc}/modules/age.nix"
+ ];
+
+ environment.systemPackages = [
+ (pkgs.callPackage "${agenixSrc}/pkgs/agenix.nix" { })
+ ];
+}
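Review bot: `agenixSrc` in modules/agenix.nix is fetched with `builtins.fetchTarball` from the moving `main` branch and without a `sha256`, so every evaluation imports whatever that URL serves at the time — a NixOS module and the tool that handles the decryption keys — and the build cannot detect a changed or tampered archive; a hash-less `fetchTarball` is also rejected under pure evaluation. Pin the archive to a specific commit and record its hash so a content change becomes a build failure rather than a silent update. The rewritten binding is shown below with placeholders for the commit and hash.
```nix
let
  agenixSrc = builtins.fetchTarball {
    # <PINNED_COMMIT> and <SHA256_PLACEHOLDER> are placeholders: fill in the reviewed commit and its hash
    url = "https://github.com/ryantm/agenix/archive/<PINNED_COMMIT>.tar.gz";
    sha256 = "<SHA256_PLACEHOLDER>";
  };
in {
  # … unchanged: imports and environment.systemPackages …
```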
diff --git a/modules/users/may.nix b/modules/users/may.nix
index 443827e..f8eae56 100644
--- a/modules/users/may.nix
+++ b/modules/users/may.nix
@@ -12,18 +12,5 @@
 username = "may";
 homeDirectory = "/home/may";
 };
-
- home.packages = with pkgs; [
- firefox
- chromium
- vlc
- spotify
- vscode
- jetbrains.idea
- obs-studio
- gh
- jetbrains.rust-rover
- wayvnc
- ];
 };
 }
diff --git a/modules/wireguard-server.nix b/modules/wireguard-server.nix
new file mode 100644
index 0000000..9826bba
--- /dev/null
+++ b/modules/wireguard-server.nix
@@ -0,0 +1,56 @@
+{ config, pkgs, ... }:
+let
+ wg-key-pub-home = builtins.readFile ../secrets/wireguard/home_pub;
+in
+{
+ age.secrets.wg-server-priv.file = ../secrets/wireguard/server_priv.age;
+ age.secrets.wg-home-psk.file = ../secrets/wireguard/home_psk.age;
+
+ networking.wireguard.enable = true;
+
+ # enable NAT
+ networking.nat = {
+ enable = true;
+ enableIPv6 = false;
+ externalInterface = "eno1";
+ internalInterfaces = [ "wg0" ];
+ };
+
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ "10.6.0.1/24" ];
+ listenPort = 51820;
+
+ privateKeyFile = config.age.secrets.wg-server-priv.path;
+
+
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o eno1 -j MASQUERADE
+ '';
+
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.6.0.0/24 -o eno1 -j MASQUERADE
+ '';
+
+ peers = [
+ {
+ name = "Home";
+ publicKey = wg-key-pub-home;
+ presharedKeyFile = config.age.secrets.wg-home-psk.path;
+ allowedIPs = [ "10.6.0.2/32" ];
+ }
+ ];
+ };
+
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ];
+ };
+
+ # Enable forwarding
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+}
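Review bot: `wg-key-pub-home = builtins.readFile ../secrets/wireguard/home_pub;` in modules/wireguard-server.nix keeps the file's trailing newline, so if `home_pub` was written by `wg pubkey` the peer's `publicKey` is the key followed by `\n` and that string is handed to the generated `wg set` command; use `lib.fileContents`, which strips it: `{ config, lib, pkgs, ... }:` and `wg-key-pub-home = lib.fileContents ../secrets/wireguard/home_pub;`. The same `builtins.readFile` pattern is used for the recipient keys in `secrets.nix` and deserves the same check. `"net.ipv6.conf.all.forwarding" = 1` turns the host into an IPv6 router even though `networking.nat.enableIPv6 = false` and `wg0` carries only an IPv4 address, so no NAT or forwarding policy matches that traffic; drop it unless something outside this module depends on it. The MASQUERADE rules in `postSetup`/`postShutdown` appear to duplicate what `networking.nat` with `internalInterfaces = [ "wg0" ]` already installs, and they hard-code `eno1` and `10.6.0.0/24` a second time; if the NAT module covers the case, removing them leaves one place to change.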
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..f5d4499
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,8 @@
+let
+ desktop_may = builtins.readFile ./secrets/ssh/desktop_may_pub;
+ desktop_host = builtins.readFile ./secrets/ssh/desktop_host_pub;
+ pub_keys = [ desktop_may desktop_host ];
+in {
+ "secrets/wireguard/server_priv.age".publicKeys = pub_keys;
+ "secrets/wireguard/home_psk.age".publicKeys = pub_keys;
+}
diff --git a/work.nix b/work.nix
deleted file mode 100644
index 77cd923..0000000
--- a/work.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- imports = [
- ./common.nix
- ./modules/networking.nix
- ./modules/bluetooth.nix
- ./modules/fonts.nix
- ./modules/packages.nix
- ./modules/hyprland
- ];
-
- nixpkgs.config.allowUnfree = true;
-
- networking.hostName = "nixos-work-laptop";
-
- system.stateVersion = "23.11";
- home-manager.users.may.home.stateVersion = "25.11";
-}