diff --git a/hosts/astatine/secrets/wg-clerie.age b/hosts/astatine/secrets/wg-clerie.age
new file mode 100644
index 0000000..64acb96
Binary files /dev/null and b/hosts/astatine/secrets/wg-clerie.age differ
diff --git a/modules/wg-clerie/default.nix b/modules/wg-clerie/default.nix
index 8a5d649..1aea196 100644
--- a/modules/wg-clerie/default.nix
+++ b/modules/wg-clerie/default.nix
@@ -11,8 +11,8 @@ in
     services.wg-clerie = {
       enable = mkEnableOption "VPN for public static IP";
       privateKeyFile = mkOption {
-        type = types.str;
-        default = "/var/src/secrets/wireguard/wg-clerie";
+        type = with types; nullOr str;
+        default = null;
         description = "Path to file containing private key for wireguard interface";
       };
       ipv6s = mkOption {
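Review bot: The `description` of `privateKeyFile` still reads as if a path is always supplied, but with `default = null` the module now falls back to an agenix secret, and nothing in the option documents that. I would change it to something like `description = "Path to file containing private key for wireguard interface. If null, the agenix secret wg-clerie is used.";`. Keeping the inner type as `str` rather than `path` is worth a short comment too, since it keeps a key file from being copied into the world-readable Nix store through a path literal. The options block continues outside this hunk.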
@@ -49,7 +49,7 @@ in
     networking.wireguard.enable = true;
     networking.wireguard.interfaces = {
       wg-clerie = {
-        inherit (cfg) privateKeyFile;
+        privateKeyFile = if cfg.privateKeyFile == null then config.age.secrets.wg-clerie.path else cfg.privateKeyFile;
         ips = cfg.ipv6s ++ cfg.ipv4s;
         table = "wg-clerie";
         peers = [
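Review bot: The fallback on the `privateKeyFile` line dereferences `config.age.secrets.wg-clerie.path` without checking that the secret is declared, and the visible lines of this module do not declare it. A host that enables `services.wg-clerie` without its own `age.secrets.wg-clerie` and without setting `privateKeyFile` would presumably fail evaluation with a bare missing-attribute error. An assertion in the module's config would give a readable message, e.g. `assertions = [ { assertion = cfg.privateKeyFile != null || config.age.secrets ? wg-clerie; message = "services.wg-clerie: set privateKeyFile or declare age.secrets.wg-clerie"; } ];`. The surrounding config block starts and ends outside this hunk, so the secret may be declared elsewhere.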