diff --git a/common/secrets.nix b/common/secrets.nix
index 64d8b3f..a316be5 100644
--- a/common/secrets.nix
+++ b/common/secrets.nix
@@ -14,26 +14,6 @@
 group = config.users.users.root.group;
 neededForUsers = true;
 };
- "wireguard/psk/skipper" = {
- mode = "400";
- owner = config.users.users.root.name;
- group = config.users.users.root.group;
- };
- "wireguard/psk/rico0" = {
- mode = "400";
- owner = config.users.users.root.name;
- group = config.users.users.root.group;
- };
- "wireguard/psk/rico1" = {
- mode = "400";
- owner = config.users.users.root.name;
- group = config.users.users.root.group;
- };
- "wireguard/psk/rico2" = {
- mode = "400";
- owner = config.users.users.root.name;
- group = config.users.users.root.group;
- };
 };
 };
 }
diff --git a/hosts/rico0/wireguard.nix b/hosts/rico0/wireguard.nix
index 5bccef8..8156ff0 100644
--- a/hosts/rico0/wireguard.nix
+++ b/hosts/rico0/wireguard.nix
@@ -1,4 +1,10 @@
 { config, ... }: {
+ sops.secrets."wireguard/psk/rico0" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
+
 networking.firewall.trustedInterfaces = [ "wg0" ];
 networking.wireguard = {
 enable = true;
diff --git a/hosts/rico1/wireguard.nix b/hosts/rico1/wireguard.nix
index 2c13328..759434f 100644
--- a/hosts/rico1/wireguard.nix
+++ b/hosts/rico1/wireguard.nix
@@ -1,4 +1,10 @@
 { config, ... }: {
+ sops.secrets."wireguard/psk/rico1" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
+
 networking.firewall.trustedInterfaces = [ "wg0" ];
 networking.wireguard = {
 enable = true;
diff --git a/hosts/rico2/wireguard.nix b/hosts/rico2/wireguard.nix
index 2967754..b59587d 100644
--- a/hosts/rico2/wireguard.nix
+++ b/hosts/rico2/wireguard.nix
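Review bot: In the hosts/rico0/wireguard.nix hunk (and identically in the rico1, rico2 and skipper hunks) the per-host `sops.secrets."wireguard/psk/rico0"` declaration only narrows which secrets sops-nix materialises on that host; it does not by itself narrow who can decrypt them. If the four PSKs still live in one sops file whose recipients include every host key (the creation rules are not visible here, so this is an assumption), each host can still decrypt its neighbours' PSKs from the repository. To get the least-privilege benefit this move suggests, consider a per-host secrets file referenced with `sopsFile = <per-host secrets file>;` on each declaration, encrypted only to that host's key. The module body continues past the end of the hunk.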
@@ -1,4 +1,9 @@
 { config, ... }: {
+ sops.secrets."wireguard/psk/rico2" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
 networking.firewall.trustedInterfaces = [ "wg0" ];
 networking.wireguard = {
 enable = true;
diff --git a/hosts/skipper/wireguard.nix b/hosts/skipper/wireguard.nix
index f42ce02..fd05840 100644
--- a/hosts/skipper/wireguard.nix
+++ b/hosts/skipper/wireguard.nix
@@ -1,4 +1,9 @@
 { config, ... }: {
+ sops.secrets."wireguard/psk/skipper" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
 networking.firewall.trustedInterfaces = [ "wg0" ];
 networking.wireguard = {
 enable = true;
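Review bot: The five-line secret block in the hosts/rico2/wireguard.nix hunk is now copied into four host files with only the name changed, and `mode = "400"`, root owner and root group restate the sops-nix defaults. If the explicit permissions are intentional, a one-line comment such as `# PSK must stay root-only; wg reads it as root` would record why; otherwise `sops.secrets."wireguard/psk/rico2" = { };` is equivalent. A small shared module that declares `"wireguard/psk/${config.networking.hostName}"` would remove the duplication, assuming each host's hostName matches its directory name. The rico0 and rico1 hunks also add a blank line after the block while rico2 and skipper do not.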
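Review bot: In the hosts/skipper/wireguard.nix hunk only `wireguard/psk/skipper` is declared, whereas before this commit every host got all four PSK secrets through common/secrets.nix. The peer list is outside the hunk, so this cannot be confirmed from here, but any peer entry that points `presharedKeyFile` at `config.sops.secrets."wireguard/psk/<other host>".path` now refers to a secret that is no longer declared on this host and will fail at evaluation. The same check applies to the three rico hunks, so evaluating all four host configurations before merging would confirm nothing still depends on the removed common declarations.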