diff --git a/nix/nixos-module/container/anon.nix b/nix/nixos-module/container/anon.nix
index 5651a86..d6db007 100644
--- a/nix/nixos-module/container/anon.nix
+++ b/nix/nixos-module/container/anon.nix
@@ -1,4 +1,4 @@
-{ hostName, config, lib, ... }:
+{ hostName, config, lib, pkgs, ... }:
 
 let
   tunnels = lib.filterAttrs (_: wireguard:
@@ -9,29 +9,57 @@ let
     then builtins.head (builtins.attrNames tunnels)
     else null;
   enabled = firstTunnel != null;
+  privateKeyFile = ifName:
+    "/run/wireguard-keys/${ifName}.key";
 in
 {
+  systemd.services = builtins.foldl' (services: ifName: services // {
+    "wireguard-key-${ifName}" = {
+      description = "Create key file for wireguard interface '${ifName}'";
+      requiredBy = [ "systemd-networkd.service" ];
+      script = ''
+        #! ${pkgs.runtimeShell} -e
+
+        F=${privateKeyFile ifName}
+        mkdir -p -m 0700 $(dirname $F)
+        chown systemd-network:systemd-network $(dirname $F)
+        rm -f $F
+        cat >$F <<EOF
+        ${tunnels.${ifName}.privateKey}
+        EOF
+        chmod 0400 $F
+        chown systemd-network:systemd-network $F
+      '';
+    };
+  }) {} (builtins.attrNames tunnels);
+
+  environment.systemPackages = lib.optionals enabled [
+    pkgs.wireguard-tools
+  ];
+
   systemd.network.netdevs = builtins.mapAttrs (ifName: wireguard: {
     netdevConfig = {
       Name = ifName;
       Kind = "wireguard";
     };
-    wireguardConfig.PrivateKeyFile = builtins.toFile "${hostName}-wireguard-${ifName}-key" wireguard.privateKey;
+    wireguardConfig.PrivateKeyFile = privateKeyFile ifName;
     wireguardPeers = [ {
       wireguardPeerConfig = {
         PublicKey = wireguard.publicKey;
         Endpoint = wireguard.endpoint;
+        AllowedIPs = "0.0.0.0/0, ::/0";
       };
     } ];
   }) tunnels;
-  # TODO: qdisc
-  
+  # TODO: qdisc from upstream pillar
+
   systemd.network.networks = builtins.mapAttrs (ifName: wireguard: {
-    matchConfig.name = ifName;
+    matchConfig.Name = ifName;
     addresses = map (addr: {
       addressConfig.Address = addr;
     }) wireguard.addresses;
   }) tunnels;
+  # TODO: gw4, gw6
 
   networking.nat = lib.optionalAttrs (firstTunnel != null) {
     enable = true;