diff --git a/hosts/zinc/configuration.nix b/hosts/zinc/configuration.nix
index 37f2827..7d8f850 100644
--- a/hosts/zinc/configuration.nix
+++ b/hosts/zinc/configuration.nix
@@ -22,7 +22,7 @@
   boot.initrd.network.ssh = {
     enable = true;
     port = 1022;
-    shell = "/bin/cryptsetup-askpass";
+    #shell = "/bin/cryptsetup-askpass";
     authorizedKeys = config.users.users.clerie.openssh.authorizedKeys.keys;
     hostKeys = [
       "/var/src/secrets/initrd/ssh_host_ed25519_key"
@@ -31,6 +31,13 @@
   boot.initrd.kernelModules = [ "igc" ];
   boot.kernelParams = [ "ip=dhcp" ];
 
+  boot.initrd.network.wireguard = {
+    enable = true;
+    ipv6s = [ "2a01:4f8:c0c:15f1::8110/128" ];
+    ipv4s = [ "10.20.30.110/32" ];
+    privateKeyFile = "/var/src/secrets/wireguard/wg-initrd";
+  };
+
   networking.hostName = "zinc";
 
   services.wg-clerie = {
diff --git a/modules/default.nix b/modules/default.nix
index 4e3c341..8271876 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -15,5 +15,6 @@
     ./nixfiles
     ./update-from-hydra
     ./wg-clerie
+    ./wireguard-initrd
   ];
 }
diff --git a/modules/wireguard-initrd/default.nix b/modules/wireguard-initrd/default.nix
new file mode 100644
index 0000000..6c1afb3
--- /dev/null
+++ b/modules/wireguard-initrd/default.nix
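Review bot: Commenting out `shell = "/bin/cryptsetup-askpass";` changes what an authorized key gets on initrd SSH port 1022 from the passphrase prompt alone to (presumably) the initrd's default shell, and it leaves a dead commented-out line in the configuration. If the full shell is wanted while the new initrd tunnel is being brought up, say so on the line itself, e.g. `# full shell for debugging the initrd tunnel; unlock with /bin/cryptsetup-askpass by hand`; otherwise delete the line instead of commenting it out. The enclosing `boot.initrd.network.ssh` attribute set continues past the end of the hunk.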
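Review bot: The `privateKeyFile` set here is the same path the new module uses as the key's destination inside the initrd (`boot.initrd.secrets."/var/src/secrets/wireguard/wg-initrd"`), so the file has to exist at that path on the running system when the initrd secrets are assembled, and its contents end up embedded in the initrd image. A one-line comment would make that dependency and the key's scope visible, e.g. `# key dedicated to the initrd tunnel; the wireguard-initrd module copies it into the initrd image`. The `boot.initrd.network.wireguard` attribute set is fully inside the hunk.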
@@ -0,0 +1,98 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.boot.initrd.network.wireguard;
+in
+
+{
+  options = {
+    boot.initrd.network.wireguard = {
+      enable = mkEnableOption "Wireguard in initrd";
+      privateKeyFile = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description = "Path to file containing private key for wireguard interface";
+      };
+      ipv6s = mkOption {
+        type = with types; listOf str;
+        default = [];
+        description = "IPv6 interface addresses";
+      };
+      ipv4s = mkOption {
+        type = with types; listOf str;
+        default = [];
+        description = "IPv4 interface addresses";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    boot.initrd.kernelModules = [ "wireguard" ];
+
+    boot.initrd.extraUtilsCommands = ''
+      for BIN in ${pkgs.iproute2}/bin/*; do
+        copy_bin_and_libs $BIN
+      done
+      [ -f "$out/bin/wg" ] && rm "$out/bin/wg"
+      cp -pdv ${pkgs.wireguard-tools}/bin/.wg-wrapped $out/bin/wg
+    '';
+
+    boot.initrd.network.postCommands = ''
+      ip link add dev "wg-initrd" type wireguard
+
+      ${concatMapStringsSep "\n" (ip: ''
+        ip address add "${ip}" dev "wg-initrd"
+      '') cfg.ipv6s}
+      ${concatMapStringsSep "\n" (ip: ''
+        ip address add "${ip}" dev "wg-initrd"
+      '') cfg.ipv4s}
+
+      wg set "wg-initrd" private-key "/var/src/secrets/wireguard/wg-initrd"
+
+      ip link set up "wg-initrd"
+
+      wg set "wg-initrd" peer "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=" \
+        endpoint "$(ip route get 2a01:4f8:c0c:15f1::1 ipproto udp dport 51820 &>/dev/null && echo '[2a01:4f8:c0c:15f1::1]:51820' || echo '78.47.183.82:51820')" \
+        persistent-keepalive "25" \
+        allowed-ips "0.0.0.0/0,::/0,10.20.30.0/24,2a01:4f8:c0c:15f1::/113"
+
+      ip route add "::/0" dev "wg-initrd" table 1337
+      ip route add "0.0.0.0/0" dev "wg-initrd" table 1337
+
+
+      ${concatMapStringsSep "\n" (ip: ''
+        ip -6 rule add from "${ip}" lookup 1337 prio 19000
+        ip -6 rule add from "${ip}" unreachable prio 19001
+      '') cfg.ipv6s}
+      ip -6 rule add from "2a01:4f8:c0c:15f1::1/128" ipproto udp dport 51820 lookup main prio 20000
+      ip -6 rule add from "2a01:4f8:c0c:15f1::1/128" ipproto udp dport 51820 unreachable prio 20001
+      ip -6 rule add lookup main prio 21000
+      ip -6 rule add lookup 1337 prio 21001
+      ip -6 rule add unreachable prio 21000
+
+
+      ${concatMapStringsSep "\n" (ip: ''
+        ip -4 rule add from "${ip}" lookup 1337 prio 19000
+        ip -4 rule add from "${ip}" unreachable prio 19001
+      '') cfg.ipv4s}
+      ip -4 rule add from "78.47.183.82/32" ipproto udp dport 51820 lookup main prio 20000
+      ip -4 rule add from "78.47.183.82/32" ipproto udp dport 51820 unreachable prio 20001
+      ip -4 rule add lookup main prio 21000
+      ip -4 rule add lookup 1337 prio 21001
+      ip -4 rule add unreachable prio 21000
+    '';
+
+    boot.initrd.postMountCommands = ''
+      ip link del dev "wg-initrd"
+
+      ip -6 rule flush
+      ip -4 rule flush
+    '';
+
+    boot.initrd.secrets = {
+      "/var/src/secrets/wireguard/wg-initrd" = if cfg.privateKeyFile == null then config.age.secrets.wg-clerie.path else cfg.privateKeyFile;
+    };
+  };
+}
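Review bot: In `boot.initrd.network.postCommands`, `ip -6 rule add unreachable prio 21000` has the same priority as `ip -6 rule add lookup main prio 21000`, so the fall-through `ip -6 rule add lookup 1337 prio 21001` can never be reached: whichever order the kernel keeps the two equal-priority rules in, a packet is either rejected before main is consulted or rejected as soon as main has no route, and the IPv4 block at the same priorities has the identical problem. The catch-all rules are presumably meant to come last, i.e. `ip -6 rule add unreachable prio 21002` and `ip -4 rule add unreachable prio 21002`. The endpoint probe `ip route get … &>/dev/null` depends on the bash-only `&>` redirection; if the stage-1 shell is not bash this parses as a background job followed by an always-successful bare redirection, so the IPv6 endpoint would be chosen unconditionally, and `>/dev/null 2>&1` is the portable spelling. As far as I know `ip -6 rule flush` / `ip -4 rule flush` in `postMountCommands` drop every rule except the priority-0 local one, including the main and default lookups the booted system inherits, so removing only the priorities this module added (19000–21001, one `ip rule del` per added rule) is the safer teardown. The `privateKeyFile` option description should also state that the file is embedded into the initrd image under the fixed path `/var/src/secrets/wireguard/wg-initrd` and that the `wg-clerie` agenix secret is used when the option is left `null`.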