diff --git a/home/.chezmoi.yaml b/home/.chezmoi.yaml
new file mode 100644
index 00000000..6ec9d5ea
--- /dev/null
+++ b/home/.chezmoi.yaml
@@ -0,0 +1,2 @@
+secret:
+  command: "cat"
diff --git a/home/private_dot_wireguardd/adjudicator.conf.tmpl b/home/private_dot_wireguardd/adjudicator.conf.tmpl
new file mode 100644
index 00000000..64ccab89
--- /dev/null
+++ b/home/private_dot_wireguardd/adjudicator.conf.tmpl
@@ -0,0 +1,11 @@
+[Interface]
+# your own IP on the wireguard network
+Address = 192.168.3.2/24
+PrivateKey = {{ (secret "/run/secrets/wireguard/adjudicator") }}
+
+[Peer]
+PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
+# restrict this to the wireguard subnet if you don't want to route everything to the tunnel
+AllowedIPs = 0.0.0.0/0, ::/0
+# ip and port of the peer
+Endpoint = 66.218.43.87:51820
diff --git a/home/private_dot_wireguardd/bulwark.conf.tmpl b/home/private_dot_wireguardd/bulwark.conf.tmpl
new file mode 100644
index 00000000..0f735083
--- /dev/null
+++ b/home/private_dot_wireguardd/bulwark.conf.tmpl
@@ -0,0 +1,11 @@
+[Interface]
+# your own IP on the wireguard network
+Address = 192.168.3.4/24
+PrivateKey = {{ (secret "/run/secrets/wireguard/bulwark") }}
+
+[Peer]
+PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
+# restrict this to the wireguard subnet if you don't want to route everything to the tunnel
+AllowedIPs = 0.0.0.0/0, ::/0
+# ip and port of the peer
+Endpoint = 66.218.43.87:51820