diff --git a/hosts/astatine/configuration.nix b/hosts/astatine/configuration.nix
index e7b1ac9..0b4ca09 100644
--- a/hosts/astatine/configuration.nix
+++ b/hosts/astatine/configuration.nix
@@ -26,39 +26,10 @@
 networking.firewall.enable = false;
- networking.iproute2.enable = true;
- networking.iproute2.rttablesExtraConfig = ''
- 200 wg-clerie
- '';
-
- petabyte.policyrouting = {
+ services.wg-clerie = {
 enable = true;
- rules6 = [
- { rule = "from 2a01:4f8:c0c:15f1::8108/128 lookup wg-clerie"; prio = 20000; }
- { rule = "from 2a01:4f8:c0c:15f1::8108/128 unreachable"; prio = 20001; }
- ];
- rules4 = [
- { rule = "from 10.20.30.108/32 lookup wg-clerie"; prio = 20000; }
- { rule = "from 10.20.30.108/32 unreachable"; prio = 20001; }
- ];
- };
-
- networking.wireguard.enable = true;
- networking.wireguard.interfaces = {
- wg-clerie = {
- ips = [ "2a01:4f8:c0c:15f1::8108/128" "10.20.30.108/32" ];
- table = "wg-clerie";
- peers = [
- {
- endpoint = "vpn.clerie.de:51820";
- persistentKeepalive = 25;
- allowedIPs = [ "0.0.0.0/0" "::/0" "10.20.30.0/24" "2a01:4f8:c0c:15f1::/113" ];
- publicKey = "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=";
- }
- ];
- privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
- };
+ ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];
+ ipv4s = [ "10.20.30.108/32" ];
 };
 clerie.monitoring = {
diff --git a/modules/default.nix b/modules/default.nix
index f885432..7366779 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -11,5 +11,6 @@
 ./monitoring
 ./nginx-port-forward
 ./nixfiles
+ ./wg-clerie
 ];
 }
diff --git a/modules/wg-clerie/default.nix b/modules/wg-clerie/default.nix
new file mode 100644
index 0000000..8a5d649
--- /dev/null
+++ b/modules/wg-clerie/default.nix
@@ -0,0 +1,67 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.wg-clerie;
+in
+
+{
+ options = {
+ services.wg-clerie = {
+ enable = mkEnableOption "VPN for public static IP";
+ privateKeyFile = mkOption {
+ type = types.str;
+ default = "/var/src/secrets/wireguard/wg-clerie";
+ description = "Path to file containing private key for wireguard interface";
+ };
+ ipv6s = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "IPv6 interface addresses";
+ };
+ ipv4s = mkOption {
+ type = with types; listOf str;
+ default = [];
+ description = "IPv4 interface addresses";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.iproute2.enable = true;
+ networking.iproute2.rttablesExtraConfig = ''
+ 200 wg-clerie
+ '';
+
+ petabyte.policyrouting = {
+ enable = true;
+ rules6 = concatMap (ip: [
+ { rule = "from ${ip} lookup wg-clerie"; prio = 20000; }
+ { rule = "from ${ip} unreachable"; prio = 20001; }
+ ]) cfg.ipv6s;
+ rules4 = concatMap (ip: [
+ { rule = "from ${ip} lookup wg-clerie"; prio = 20000; }
+ { rule = "from ${ip} unreachable"; prio = 20001; }
+ ]) cfg.ipv4s;
+ };
+
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces = {
+ wg-clerie = {
+ inherit (cfg) privateKeyFile;
+ ips = cfg.ipv6s ++ cfg.ipv4s;
+ table = "wg-clerie";
+ peers = [
+ {
+ endpoint = "vpn.clerie.de:51820";
+ persistentKeepalive = 25;
+ dynamicEndpointRefreshSeconds = 5;
+ allowedIPs = [ "0.0.0.0/0" "::/0" "10.20.30.0/24" "2a01:4f8:c0c:15f1::/113" ];
+ publicKey = "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=";
+ }
+ ];
+ };
+ };
+ };
+}
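Review bot: `privateKeyFile` is declared as `types.str` rather than `types.path`, which is the right choice for a secret (a Nix path literal such as `./key` would be rejected instead of being copied into the world-readable Nix store), but the description does not say so, and the default `/var/src/secrets/wireguard/wg-clerie` gives a future caller no hint about the contract. I would make the option text carry it: `description = "Runtime path (not a Nix store path) of the WireGuard private key; the file must exist at activation and be readable only by root, so it is never copied into the store";`. Separately, `dynamicEndpointRefreshSeconds = 5` is new relative to the host config it replaces and is hard-coded: it re-resolves `vpn.clerie.de` every five seconds, much more often than the 25 s `persistentKeepalive`, and since the peer is pinned by `publicKey` a spoofed DNS answer can at most break the tunnel rather than impersonate the server, but the interval still deserves either an `mkOption` or a one-line comment on why it is this low. The `from ${ip} unreachable` rules at prio 20001 appear to make the tunnel fail closed when the `wg-clerie` table has no route; that depends on how `petabyte.policyrouting` installs them, which is outside this hunk, so a comment stating the intent would help the next reader.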