diff --git a/.sops.yaml b/.sops.yaml
index 2d389af..4bd7976 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -60,6 +60,11 @@ creation_rules:
 - age:
 - *admin_torjus
 - *server_nix-cache01
+ - path_regex: secrets/http-proxy/.+
+ key_groups:
+ - age:
+ - *admin_torjus
+ - *server_http-proxy
 - path_regex: secrets/auth01/[^/]+\.(yaml|json|env|ini|)
 key_groups:
 - age:
diff --git a/hosts/http-proxy/default.nix b/hosts/http-proxy/default.nix
index b93da7b..3596547 100644
--- a/hosts/http-proxy/default.nix
+++ b/hosts/http-proxy/default.nix
@@ -3,5 +3,6 @@
 imports = [
 ./configuration.nix
 ../../services/http-proxy
+ ./wireguard.nix
 ];
 }
diff --git a/hosts/http-proxy/wireguard.nix b/hosts/http-proxy/wireguard.nix
new file mode 100644
index 0000000..29a3b02
--- /dev/null
+++ b/hosts/http-proxy/wireguard.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+ sops.secrets.wireguard_private_key = {
+ sopsFile = ../../secrets/http-proxy/wireguard.yaml;
+ key = "wg_private_key";
+ };
+ networking.wireguard = {
+ enable = true;
+
+ interfaces = {
+ wg0 = {
+ ips = [ "10.69.222.2/24" ];
+ listenPort = 51820;
+ privateKeyFile = config.sops.secrets.wireguard_private_key.path;
+ peers = [
+ {
+ publicKey = "32Rb13wExcy8uI92JTnFdiOfkv0mlQ6f181WA741DHs=";
+ allowedIPs = [ "10.69.222.0/24" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/secrets/http-proxy/wireguard.yaml b/secrets/http-proxy/wireguard.yaml
new file mode 100644
index 0000000..bdcaa39
--- /dev/null
+++ b/secrets/http-proxy/wireguard.yaml
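Review bot: The new rule's `path_regex: secrets/http-proxy/.+` is looser than the neighbouring `secrets/auth01/[^/]+\.(yaml|json|env|ini|)` rule: it matches any nesting depth and any file name under that directory, so a stray plaintext file dropped there would be picked up by the same key group. For consistency with the adjacent rule I would write `- path_regex: secrets/http-proxy/[^/]+\.(yaml|json|env|ini)`. The rule also references `*server_http-proxy`, and the anchor it points to is not added in this diff, so it presumably already exists in the keys block outside the hunk; worth confirming, since sops rejects the config on an undefined alias.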
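Review bot: `listenPort = 51820` makes this host the listening side (the peer entry has no `endpoint`), but nothing in the new file opens that UDP port in the NixOS firewall, which is on by default, so unless `configuration.nix` already does it inbound handshakes are dropped and the tunnel never comes up. I would add `networking.firewall.allowedUDPPorts = [ 51820 ];` next to the `networking.wireguard` block so the port and its firewall rule live together. The peer is also undocumented: the public key and the /24 in `allowedIPs` say nothing about which host it belongs to, so a comment such as `# peer: <peer host name> — routes all of 10.69.222.0/24 via this peer` above `publicKey` would help the next reader. Note that an `allowedIPs` of the whole /24 is only correct while this is the sole peer; any peer added later needs its own narrower range, otherwise the entries overlap.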
@@ -0,0 +1,25 @@
+wg_private_key: ENC[AES256_GCM,data:DlC9txcLkTnb7FoEd249oJV/Ehcp50P8uulbE4rY/xU16fkTlnKvPmYZ7u8=,iv:IsiTzdrh+BNSVgx1mfjpMGNV2J0c88q6AoP0kHX2aGY=,tag:OqFsOIyE71SBD1mcNS/PeQ==,type:str]
+sops:
+ age:
+ - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzdm9HTTN1amwxQ2Z6MUQv
+ dGJ0cEgyaHNOZWtWSWlXNXc5bGhUdSsvVlVzCkJkc3ZQdzlBNDNxb3Avdi96bXFt
+ TExZY29nUDI3RE5vanh6TVBRME1Fa1UKLS0tIG8vSHdCYzkvWmJpd0hNbnRtUmtk
+ aVcwaFJJclZ3YUlUTTNwR2VESmVyZWMKHvKUJBDuNCqacEcRlapetCXHKRb0Js09
+ sqxLfEDwiN2LQQjYHZOmnMfCOt/b2rwXVKEHdTcIsXbdIdKOJwuAIQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1gq8434ku0xekqmvnseeunv83e779cg03c06gwrusnymdsr3rpufqx6vr3m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEeU01UTc2V1UyZXRadE5I
+ VE1aakVZUEZUNnJxbzJ1K3J1R3ZQdFdMbUhBCjZBMDM3ZkYvQWlyNHBtaDZRWkd4
+ VzY0L3l4N2RNZjJRTDJWZTZyZVhHbW8KLS0tIGVNZ0N0emVmaVRCV09jNmVKRlla
+ cWVSNkJqWHh5c21KcWFac2FlZTVaMTAK1UvfPgZAZYtwiONKIAo5HlaDpN+UT/S/
+ JfPUfjxgRQid8P20Eh/jUepxrDY8iXRZdsUMON+OoQ8mpwoAh5eN1A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-05-15T18:56:55Z"
+ mac: ENC[AES256_GCM,data:J2kHY7pXBJZ0UuNCZOhkU11M8rDqCYNzY71NyuDRmzzRCC9ZiNIbavyQAWj2Dpk1pjGsYjXsVoZvP7ti1wTFqahpaR/YWI5gmphrzAe32b9qFVEWTC3YTnmItnY0YxQZYehYghspBjnJtfUK0BvZxSb17egpoFnvHmAq+u5dyxg=,iv:/aLg02RLuJZ1bRzZfOD74pJuE7gppCBztQvUEt557mU=,tag:toxHHBuv3WRblyc9Sth6Iw==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2