diff --git a/hosts/thrall/default.nix b/hosts/thrall/default.nix
index db20a13..8e27f00 100644
--- a/hosts/thrall/default.nix
+++ b/hosts/thrall/default.nix
@@ -31,6 +31,11 @@
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
 
+  age.secrets = {
+    mailPass.file = ../../secrets/mailPass.age;
+    wireguard-thrall.file = ../../secrets/wireguard-thrall.age;
+  };
+
   # The global useDHCP flag is deprecated, therefore explicitly set to false here.
   # Per-interface useDHCP will be mandatory in the future, so this generated config
   # replicates the default behaviour.
@@ -141,10 +146,6 @@
     };
   };
 
-  age.secrets = {
-    mailPass.file = ../../secrets/mailPass.age;
-  };
-  
   mailserver = {
     enable = true;
     fqdn = "thrall.failco.de";
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 7774e2e..0d7b55f 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -6,4 +6,5 @@ let
 in
 {
   "mailPass.age".publicKeys = users ++ systems;
+  "wireguard-thrall.age".publicKeys = [thrall];
 }
diff --git a/secrets/wireguard-thrall.age b/secrets/wireguard-thrall.age
new file mode 100644
index 0000000..0d47da5
Binary files /dev/null and b/secrets/wireguard-thrall.age differ