diff --git a/machines/agb02/_configuration.nix b/machines/agb02/_configuration.nix
index 630c830..dcf74bb 100644
--- a/machines/agb02/_configuration.nix
+++ b/machines/agb02/_configuration.nix
@@ -3,6 +3,8 @@
 {
 imports = [
 "${modulesPath}/installer/sd-card/sd-image-aarch64.nix"
+ ./secrets
+ ./networking.nix
 ./users.nix
 ];
 sdImage.compressImage = false;
diff --git a/machines/agb02/networking.nix b/machines/agb02/networking.nix
new file mode 100644
index 0000000..1d76ef2
--- /dev/null
+++ b/machines/agb02/networking.nix
@@ -0,0 +1,47 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ systemd.network = {
+ enable = true;
+
+ networks = {
+ "50-wg0" = {
+ name = "wg0";
+ address = [
+ "10.10.10.6/24"
+ ];
+ };
+ };
+ netdevs = {
+ "50-wg0" = {
+ netdevConfig = {
+ Name = "wg0";
+ Kind = "wireguard";
+ };
+ wireguardConfig.PrivateKeyFile = config.age.secrets."wg".path;
+
+ wireguardPeers = [
+ {
+ AllowedIPs = [
+ "10.10.10.0/24"
+ ];
+ PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-org.pub);
+ Endpoint = "129.199.129.76:1194";
+ PersistentKeepalive = 5;
+ }
+ ];
+ };
+ };
+ };
+ networking = {
+ nameservers = [
+ "2620:fe::fe"
+ "2620:fe::9"
+ "9.9.9.9"
+ "149.112.112.112"
+ ];
+ };
+}
diff --git a/machines/agb02/secrets/default.nix b/machines/agb02/secrets/default.nix
new file mode 100644
index 0000000..14efc4b
--- /dev/null
+++ b/machines/agb02/secrets/default.nix
@@ -0,0 +1,11 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: {
+ age.secrets."wg" = {
+ file = ./wg.age;
+ owner = "systemd-network";
+ };
+}
diff --git a/machines/agb02/secrets/secrets.nix b/machines/agb02/secrets/secrets.nix
new file mode 100644
index 0000000..c9744b6
--- /dev/null
+++ b/machines/agb02/secrets/secrets.nix
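Review bot: The single `wireguardPeers` entry in networking.nix carries no comment saying which host it is, while the hub side of this same commit labels every peer (`# agb01`, `# agb02`); a reader has to open wg-keys/hackens-org.pub and wireguard.nix to learn that `129.199.129.76:1194` is the hub and that the asymmetric `AllowedIPs` (`10.10.10.0/24` here, `10.10.10.6/32` for this host on the hub) is the intended hub-and-spoke routing. I would add above `AllowedIPs = [` the comment `# hackens-org hub: route the whole 10.10.10.0/24 mesh through it; the hub only accepts 10.10.10.6/32 from us (see machines/hackens-org/wireguard.nix)`. `PersistentKeepalive = 5;` is also far more aggressive than the 25 s usually used to hold a NAT mapping; if a short interval is deliberate for this uplink, a one-line comment saying so would stop the next maintainer from "fixing" it.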
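Review bot: The `age.secrets."wg"` block in secrets/default.nix sets `owner = "systemd-network"` but gives no hint why, and relies on agenix's default file mode (which, as far as I know, is `0400`) to keep the WireGuard private key readable by that user only — worth stating so nobody later loosens it. I would add above `owner = "systemd-network";` the comment `# consumed by systemd-networkd via wireguardConfig.PrivateKeyFile in ../networking.nix; agenix's default mode (0400) keeps it readable by that user alone`, and optionally pin `mode = "0400";` explicitly so the intent survives an agenix default change. The `pkgs`, `config` and `lib` arguments of this module are unused and could be dropped to `{ ... }: { … }`, though that is only a matter of style.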
@@ -0,0 +1,8 @@
+let
+ lib = (import {}).lib;
+ readPubkeys = user:
+ builtins.filter (k: k != "") (lib.splitString "\n"
+ (builtins.readFile (../../../pubkeys + "/${user}.keys")));
+in {
+ "wg.age".publicKeys = (readPubkeys "catvayor") ++ (readPubkeys "sinavir") ++ (readPubkeys "agb02");
+}
diff --git a/machines/agb02/secrets/wg.age b/machines/agb02/secrets/wg.age
new file mode 100644
index 0000000..4f2fdd2
Binary files /dev/null and b/machines/agb02/secrets/wg.age differ
diff --git a/machines/hackens-org/wireguard.nix b/machines/hackens-org/wireguard.nix
index 816eb86..d2181fb 100644
--- a/machines/hackens-org/wireguard.nix
+++ b/machines/hackens-org/wireguard.nix
@@ -51,11 +51,18 @@
 PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-milieu.pub);
 }
 {
- # bakham (AGB)
+ # agb01
 AllowedIPs = [
 "10.10.10.5/32"
 ];
- PublicKey = "JpUHFiavhlQfiHfOdUffQP3HLLeStttheACCaqlXAF8=";
+ PublicKey = lib.trim (builtins.readFile ../../wg-keys/agb01.pub);
+ }
+ {
+ # agb02
+ AllowedIPs = [
+ "10.10.10.6/32"
+ ];
+ PublicKey = lib.trim (builtins.readFile ../../wg-keys/agb02.pub);
 }
 {
 # soyouzpanda
diff --git a/pubkeys/agb02.keys b/pubkeys/agb02.keys
new file mode 100644
index 0000000..99caeab
--- /dev/null
+++ b/pubkeys/agb02.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9857OPKpc9JfsoXSFXjV5gFIU60vWLRkMncYrgDyj3 root@agb02
diff --git a/wg-keys/agb02.pub b/wg-keys/agb02.pub
new file mode 100644
index 0000000..7264fc0
--- /dev/null
+++ b/wg-keys/agb02.pub
@@ -0,0 +1 @@
+CGdgPLO9HbrOawLJFl8YENbf55ECZSVQp5JBlRjokCA=
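Review bot: In secrets.nix the line `lib = (import {}).lib;` cannot evaluate as shown, because `import` is applied to an attribute set rather than a path; most likely it is `(import <nixpkgs> {}).lib` with the angle-bracket search path stripped in rendering, and if so the file depends on `NIX_PATH` at `agenix -e` time, which is worth a comment such as `# impure: resolves <nixpkgs> from NIX_PATH, only used to split the .keys files`. Separately, the `"agb02"` recipient is the key in pubkeys/agb02.keys, whose comment is `root@agb02`; agenix decrypts on the host with the identities in `age.identityPaths` (the ssh host keys by default), so if that line is root's user key rather than `/etc/ssh/ssh_host_ed25519_key.pub`, activation on agb02 will fail to decrypt wg.age — please confirm which key it is and note it in the file. `readPubkeys` also accepts any non-empty line, so a `#` comment in a `.keys` file would be passed to age as a recipient; filtering lines that do not start with `ssh-` would make that robust.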
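Review bot: The new line `PublicKey = lib.trim (builtins.readFile ../../wg-keys/agb01.pub);` in wireguard.nix reads a file that this diff does not add, so unless wg-keys/agb01.pub already exists in the repository the hub configuration stops evaluating, and a reviewer cannot check from the diff that its contents equal the inline key `JpUHFiavhlQfiHfOdUffQP3HLLeStttheACCaqlXAF8=` being removed; a quick `diff <(echo JpUH…) wg-keys/agb01.pub` before merging would settle that. The rest of the hunk (the `# agb02` peer with `10.10.10.6/32`) matches the address agb02 assigns itself in networking.nix. The enclosing `wireguardPeers` list begins and ends outside this hunk.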