diff --git a/deploy.sh b/deploy.sh
index d1fb417..70c2ea5 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -41,6 +41,7 @@ for NIXHOST in $NIXHOSTLIST; do
 cat nix/configuration.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/configuration.nix > /dev/null
 cat nix/deuxfleurs.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/deuxfleurs.nix > /dev/null
 cat nix/remote-unlock.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/remote-unlock.nix > /dev/null
+ cat nix/wesher.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/wesher.nix > /dev/null
 cat cluster/$CLUSTER/cluster.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/cluster.nix > /dev/null
 cat cluster/$CLUSTER/node/$NIXHOST.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/node.nix > /dev/null
 cat cluster/$CLUSTER/node/$NIXHOST.site.nix | ssh -F $SSH_CONFIG $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
@@ -58,7 +59,7 @@ for NIXHOST in $NIXHOSTLIST; do
 set -ex
 cd $TMP_PATH
-mv deuxfleurs.nix remote-unlock.nix configuration.nix cluster.nix node.nix site.nix /etc/nixos
+mv deuxfleurs.nix remote-unlock.nix wesher.nix configuration.nix cluster.nix node.nix site.nix /etc/nixos
 nixos-rebuild switch
diff --git a/nix/configuration.nix b/nix/configuration.nix
index 7e32a8d..bc4edd5 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -24,6 +24,10 @@
 # replicates the default behaviour.
 networking.useDHCP = false;
+ nixpkgs.overlays = [
+ (import ./wesher.nix)
+ ];
+
 # Set your time zone.
 time.timeZone = "Europe/Paris";
@@ -63,6 +67,7 @@ SystemMaxUse=1G
 rclone
 docker
 docker-compose
+ wesher
 ];
 programs.vim.defaultEditor = true;
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index a860a36..7772f0e 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
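Review bot: The file list on the `+mv deuxfleurs.nix remote-unlock.nix wesher.nix …` line now has to be kept in lockstep by hand with the `cat … | ssh … tee` upload lines of the previous hunk, and this commit is itself the two-place edit that pattern forces. A file that is uploaded but left out of the `mv` never reaches /etc/nixos and nothing reports it (mv only acts on the names it is given), while a name added here but not uploaded aborts the run under `set -ex`. Declaring the destination names once, e.g. `NIX_FILES="deuxfleurs.nix remote-unlock.nix wesher.nix configuration.nix cluster.nix node.nix site.nix"`, and writing `mv $NIX_FILES /etc/nixos` would remove the drift; since this block appears to be a script sent to the remote host (it opens with `set -ex` inside the loop), the variable would have to expand on the local side before the text is sent, which I am inferring from the hunk. The enclosing `for NIXHOST` loop starts before this hunk.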
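Review bot: The overlay registered as `+ (import ./wesher.nix)` does not have overlay shape: nix/wesher.nix in this same commit begins with `pkgs:` and evaluates straight to the `buildGoModule` derivation, whereas entries of `nixpkgs.overlays` are applied as `overlay final prev` and must return an attribute set of package attributes. As written, the second application would call the derivation with `prev` as its argument, and no `wesher` attribute would be introduced for the `environment.systemPackages` entry added in the next hunk — unless wesher.nix is meant to be reshaped later. Wrapping it here keeps wesher.nix a plain package function: `nixpkgs.overlays = [ (final: prev: { wesher = import ./wesher.nix prev; }) ];`. A comment above it, e.g. `# wesher is built from the pinned source in ./wesher.nix rather than taken from nixpkgs`, would also record why an overlay is needed at all.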
@@ -106,18 +106,18 @@ in
 }) cfg.admin_accounts;
 # Configure network interfaces
- networking.interfaces = attrsets.setAttrByPath [ config.deuxfleurs.network_interface ] {
+ networking.interfaces = attrsets.setAttrByPath [ cfg.network_interface ] {
 useDHCP = false;
 ipv4.addresses = [
 {
- address = config.deuxfleurs.lan_ip;
- prefixLength = config.deuxfleurs.lan_ip_prefix_length;
+ address = cfg.lan_ip;
+ prefixLength = cfg.lan_ip_prefix_length;
 }
 ];
 };
 networking.defaultGateway = {
- address = config.deuxfleurs.lan_default_gateway;
- interface = config.deuxfleurs.network_interface;
+ address = cfg.lan_default_gateway;
+ interface = cfg.network_interface;
 };
 # Configure Wireguard VPN between all nodes
@@ -128,7 +128,7 @@ in
 peers = map ({ publicKey, endpoint, IP, site_name, lan_endpoint, ... }: {
 publicKey = publicKey;
 allowedIPs = [ "${IP}/32" ];
- endpoint = if site_name != null && site_name == config.deuxfleurs.site_name && lan_endpoint != null
+ endpoint = if site_name != null && site_name == cfg.site_name && lan_endpoint != null
 then lan_endpoint else endpoint;
 persistentKeepalive = 25;
 }) (cfg.cluster_nodes ++ cfg.admin_nodes);
diff --git a/nix/wesher.nix b/nix/wesher.nix
new file mode 100644
index 0000000..81be055
--- /dev/null
+++ b/nix/wesher.nix
@@ -0,0 +1,23 @@
+pkgs:
+pkgs.buildGoModule rec {
+ pname = "wesher";
+ version = "0.2.6";
+
+ src = pkgs.fetchFromGitHub {
+ owner = "costela";
+ repo = "wesher";
+ rev = "v${version}";
+ sha256 = "1fnclr556avxay6pvgw5ya3xbxfnf2gv4njq2hr4fd6fcjyslq5h";
+ };
+
+ vendorSha256 = null;
+
+ checkPhase = "true";
+
+ meta = with pkgs.lib; {
+ description = "wireguard overlay mesh network manager";
+ homepage = "https://github.com/costela/wesher";
+ license = licenses.gpl3Plus;
+ platforms = platforms.linux;
+ };
+}
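Review bot: `+ checkPhase = "true";` silences the upstream test suite with a shell no-op and gives no reason; the conventional knob is `doCheck = false;`, and whichever is kept deserves a comment such as `# upstream tests are skipped here — TODO confirm whether they need network or wireguard access` (the hunk does not say why they are disabled). `+ vendorSha256 = null;` likewise benefits from a note that, under the buildGoModule semantics I believe apply here, the Go dependencies are taken from the vendor/ tree inside the pinned source, so the source `sha256` on the fetchFromGitHub call is the only hash pinning what gets built — worth stating so that nobody later assumes a separate dependency hash is missing. Because this file starts with `pkgs:` (a package function) while configuration.nix in the same commit wires it in as an overlay, a header comment stating how it is meant to be consumed, e.g. `# Package function: call with pkgs, returns the wesher derivation`, would keep the two files from drifting apart.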