diff --git a/config/framework13-system.org b/config/framework13-system.org
index aaf049e..bb5aaf5 100644
--- a/config/framework13-system.org
+++ b/config/framework13-system.org
@@ -229,12 +229,21 @@ use dovecot for local IMAP
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
 -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
--A INPUT -p udp -m udp --dport 51820 -j ACCEPT
--A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+#+end_src
+SMB
+#+BEGIN_SRC scheme
 -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137 -j ACCEPT
 -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 138 -j ACCEPT
 -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
 -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT
+#+end_src
+wireguard
+#+BEGIN_SRC scheme
+-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
+-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ #+end_src
+
+#+BEGIN_SRC scheme
 -A INPUT -j REJECT --reject-with icmp-port-unreachable
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 COMMIT
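Review bot: The re-added wg0 rule `-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT` uses the legacy `-m state` match while the same chain's INVALID rule already uses `-m conntrack --ctstate`; for these states the two matches behave the same, so `-A INPUT -i wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` would keep the chain on one match module. The same applies to the IPv6 copy in the following hunk (`@@ -247,12 +256,21 @@`) and to the tangled .scm hunks at lines 133 and 151, which should pick the change up from this org source rather than be edited directly. Pre-existing but visible in the hunk: `-A INPUT -m conntrack --ctstate INVALID -j DROP` sits after the catch-all `-A INPUT -j REJECT`, so it can never match; moving it ahead of the REJECT (or to the top of the chain) would make it effective. A one-line note above the new `wireguard` block saying that unsolicited inbound traffic from peers on wg0 is still rejected would make the intent of the ESTABLISHED,RELATED-only rule explicit.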
@@ -247,12 +256,21 @@ COMMIT
 -A INPUT -p tcp --dport 22 -j ACCEPT
 -A INPUT -p tcp --dport 993 -j ACCEPT
 -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
--A INPUT -p udp -m udp --dport 51820 -j ACCEPT
--A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ #+end_src
+SMB
+#+BEGIN_SRC scheme
 -A INPUT -p udp -m udp -s fd24:609a:6c18::/64 --dport 137 -j ACCEPT
 -A INPUT -p udp -m udp -s fd24:609a:6c18::/64 --dport 138 -j ACCEPT
--A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
--A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp -s fd24:609a:6c18::/64 --dport 139 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp -s fd24:609a:6c18::/64 --dport 445 -j ACCEPT
+ #+end_src
+wireguard
+#+BEGIN_SRC scheme
+-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
+-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ #+end_src
+
+#+BEGIN_SRC scheme
 -A INPUT -j REJECT --reject-with icmp6-port-unreachable
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 COMMIT
@@ -267,6 +285,7 @@ details can be found (and mostly ignored) in [[https://guix.gnu.org/cookbook/en
 (service wireguard-service-type
 (wireguard-configuration
 (addresses '("10.0.0.23" "fd24:609a:6c18::23"))
+ (private-key "/etc/wireguard/private.key")
 (port 51820)
 (peers
 (list
diff --git a/config/framework13-system.scm b/config/framework13-system.scm
index b85bdf6..54451a5 100644
--- a/config/framework13-system.scm
+++ b/config/framework13-system.scm
@@ -1,6 +1,6 @@
 ;; -*- mode: scheme; coding: utf-8; -*-
 ;;
-;; tangled from framework13-system.org on 2024-01-23 20:36:10+01:00)
+;; tangled from framework13-system.org on 2024-01-24 15:26:24+01:00)
 (use-modules (gnu)
 (gnu packages)
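Review bot: The IPv6 SMB source filter `-s fd24:609a:6c18::/64` on the new 139/445 rules (and the 137/138 rules above them) also covers the WireGuard address this host is assigned further down (`fd24:609a:6c18::23`), so if the tunnel peers live in that same /64 — not visible in the hunk — they can reach SMB over wg0, whereas the IPv4 chain keeps SMB to 192.168.0.0/16 and the tunnel on 10.0.0.23. If that exposure is unintended, add an interface match (e.g. `-i <lan-iface>`) to the SMB rules or narrow the prefix; if it is intended, a line above the `SMB` block stating that WireGuard peers are deliberately included would save the next reader the cross-check. The same rules are tangled into the .scm hunk at line 154, so the change belongs in this org block.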
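Review bot: The added `(private-key "/etc/wireguard/private.key")` is, as far as I recall, the documented default of `wireguard-configuration`, so whether this line changes anything should be checked against the Guix revision in use; if it is kept for explicitness, a short comment above it such as `;; key is referenced by path so the secret never lands in the world-readable store; keep the file root-only` would record why the path is spelled out. The same line is tangled into the .scm hunk at line 171 and should not be edited there. The enclosing `wireguard-configuration` form continues past the end of the hunk.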
@@ -133,12 +133,15 @@
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
 -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
--A INPUT -p udp -m udp --dport 51820 -j ACCEPT
--A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
 -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137 -j ACCEPT
 -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 138 -j ACCEPT
 -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
 -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT
+
+-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
+-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
 -A INPUT -j REJECT --reject-with icmp-port-unreachable
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 COMMIT
@@ -151,12 +154,15 @@ COMMIT
 -A INPUT -p tcp --dport 22 -j ACCEPT
 -A INPUT -p tcp --dport 993 -j ACCEPT
 -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
--A INPUT -p udp -m udp --dport 51820 -j ACCEPT
--A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
 -A INPUT -p udp -m udp -s fd24:609a:6c18::/64 --dport 137 -j ACCEPT
 -A INPUT -p udp -m udp -s fd24:609a:6c18::/64 --dport 138 -j ACCEPT
--A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 139 -j ACCEPT
--A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/16 --dport 445 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp -s fd24:609a:6c18::/64 --dport 139 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp -s fd24:609a:6c18::/64 --dport 445 -j ACCEPT
+
+-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
+-A INPUT -i wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
 -A INPUT -j REJECT --reject-with icmp6-port-unreachable
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 COMMIT
@@ -165,6 +171,7 @@ COMMIT
 (service wireguard-service-type
 (wireguard-configuration
 (addresses '("10.0.0.23" "fd24:609a:6c18::23"))
+ (private-key "/etc/wireguard/private.key")
 (port 51820)
 (peers
 (list