diff --git a/cluster/staging/cluster.nix b/cluster/staging/cluster.nix
index 788ac69..8629f3a 100644
--- a/cluster/staging/cluster.nix
+++ b/cluster/staging/cluster.nix
@@ -34,7 +34,7 @@
 site_name = "corrin";
 publicKey = "m9rLf+233X1VColmeVrM/xfDGro5W6Gk5N0zqcf32WY=";
 IP = "10.14.3.1";
- endpoint = "82.120.233.78:33721";
+ #endpoint = "82.120.233.78:33721";
 }
 {
 hostname = "df-pw5";
diff --git a/deploy_nixos b/deploy_nixos
index b1c9be7..48ef9ea 100755
--- a/deploy_nixos
+++ b/deploy_nixos
@@ -9,6 +9,9 @@ copy cluster/$CLUSTER/node/$NIXHOST.site.nix /etc/nixos/site.nix
 if [ "$CLUSTER" = "staging" ]; then
 copy nix/nomad-driver-nix2.nix /etc/nixos/nomad-driver-nix2.nix
+
+ cmd mkdir -p /var/lib/wgautomesh
+ write_pass deuxfleurs/cluster/$CLUSTER/wgautomesh_gossip_secret /var/lib/wgautomesh/gossip_secret
 copy nix/wgautomesh.nix /etc/nixos/wgautomesh.nix
 fi
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index 4de99cf..e82e3f6 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -249,6 +249,7 @@ in
 enable = true;
 interface = "wg0";
 gossipPort = 1666;
+ gossipSecretFile = "/var/lib/wgautomesh/gossip_secret";
 upnpForwardPublicPort = let
 us = filter ({ hostname, ...}: hostname == config.networking.hostName) cfg.cluster_nodes;
diff --git a/nix/wgautomesh.nix b/nix/wgautomesh.nix
index 8812fb3..c09b874 100644
--- a/nix/wgautomesh.nix
+++ b/nix/wgautomesh.nix
@@ -23,6 +23,10 @@ in
 type = types.port;
 description = "wgautomesh gossip port";
 };
+ gossipSecretFile = mkOption {
+ type = types.nullOr types.str;
+ description = "File containing the gossip secret encryption key";
+ };
 lanDiscovery = mkOption {
 type = types.bool;
 default = true;
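Review bot: The gossip key written by the added `write_pass` line gets whatever mode `write_pass` and the root shell's umask produce, and `cmd mkdir -p /var/lib/wgautomesh` creates the parent directory with the default (typically 0755) mode, so the secret may sit readable by every local user until the systemd unit later tightens the directory; `cmd` and `write_pass` are defined outside this hunk, so I could not confirm what mode they actually set. Create the directory restrictively up front, `cmd mkdir -p -m 0700 /var/lib/wgautomesh`, and pin the file mode explicitly, e.g. a following `cmd chmod 0600 /var/lib/wgautomesh/gossip_secret`, instead of relying on umask. The unit this deploys also sets `DynamicUser = true` with `StateDirectory = "wgautomesh"`, which systemd normally backs with `/var/lib/private/wgautomesh` plus a symlink at `/var/lib/wgautomesh`; pre-creating a plain directory at that path is worth testing on a fresh host to make sure systemd migrates it rather than refusing to start the service.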
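Review bot: `gossipSecretFile` is declared `types.nullOr types.str` but has no `default`, so a configuration that does not set it fails to evaluate with "option used but not defined" as soon as the generator further down in this file evaluates `cfg.gossipSecretFile != null`; the deuxfleurs.nix hunk happens to set it, which hides the problem here, but the module on its own is broken. Add `default = null;` to the option. It is also worth recording why the type is `types.str` rather than `types.path`: interpolating a Nix path value would copy the secret into the world-readable Nix store, so the description could read `"Path, as a string (never a Nix path literal, which would copy the secret into the store), of the file containing the gossip secret encryption key"`.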
@@ -72,13 +76,16 @@ in
 ${endpointDef}
 '') cfg.peers;
 extraDefs = (if cfg.lanDiscovery then ["lan_discovery = true"] else [])
+ ++ (if (cfg.gossipSecretFile != null)
+ then [''gossip_secret_file = "${cfg.gossipSecretFile}"''] else [])
 ++ (if (cfg.upnpForwardPublicPort != null)
 then [''upnp_forward_external_port = ${toString cfg.upnpForwardPublicPort}''] else []);
 configfile = pkgs.writeText "wgautomesh.toml" ''
 interface = "${cfg.interface}"
 gossip_port = ${toString cfg.gossipPort}
+ ${concatStringsSep "\n" extraDefs}
- ${concatStringsSep "\n" (extraDefs ++ peerDefs)}
+ ${concatStringsSep "\n" peerDefs}
 '';
 in {
 systemd.services.wgautomesh = {
@@ -95,7 +102,12 @@ in
 Restart = "always";
 RestartSec = "30";
+ ExecStartPre = [ "+${pkgs.coreutils}/bin/chown wgautomesh /var/lib/wgautomesh/gossip_secret" ];
+ DynamicUser = true;
+ User = "wgautomesh";
+ StateDirectory = "wgautomesh";
+ StateDirectoryMode = "0700";
 AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
 CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
 };
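Review bot: The new `gossip_secret_file` entry splices `cfg.gossipSecretFile` into a TOML basic string with no escaping, so a path containing `"` or `\` produces an invalid wgautomesh.toml and the service fails at start; `upnp_forward_external_port` next to it is an integer and does not have this problem. Serialising the value instead, `then [''gossip_secret_file = ${builtins.toJSON cfg.gossipSecretFile}''] else [])`, yields a correctly quoted and escaped TOML string for any path. The `let` block that defines `extraDefs` and `configfile` begins before this hunk.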
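Review bot: The added `ExecStartPre` runs `chown` as root (the `+` prefix) on a path inside a directory that, once the unit has started, is owned and writable by the unprivileged `wgautomesh` dynamic user, so a compromised service could swap `gossip_secret` for a symlink and have root hand it ownership of an arbitrary file on the next restart. At minimum use `chown -h` so a symlink is never followed, and add a `chmod 0600` in the same step, since the chown alone keeps whatever mode the deploy script left on the file. If the host's systemd supports it, a cleaner design drops the chown entirely and passes the key with `LoadCredential = "gossip_secret:/var/lib/wgautomesh/gossip_secret";`, pointing `gossipSecretFile` at the resulting `/run/credentials/wgautomesh.service/gossip_secret`, so the file stays root-owned and no privileged step touches the state directory. I could not verify from this hunk whether wgautomesh reads the secret before or after it runs as the service user, which decides whether the chown is needed at all; the `serviceConfig` block this belongs to starts before the hunk.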