diff --git a/hosts/router/wireguard.nix b/hosts/router/wireguard.nix
index 61252d4..97d7837 100644
--- a/hosts/router/wireguard.nix
+++ b/hosts/router/wireguard.nix
@@ -28,14 +28,18 @@ in
 mapPeer = name: peer: {
 name = peerSecretName name;
 value.encrypted.file = ./secrets/wireguard/${peerSecretName name}.age;
- value.decrypted.user = "systemd-network";
- value.decrypted.group = "systemd-network";
 };
 peerSecrets = lib.attrsets.mapAttrs' mapPeer pskPeers;
- in
- {
- wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
- } // peerSecrets;
+
+ allSecrets = {
+ wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
+ } // peerSecrets;
+
+ setSecretOwnership = name: value: value // {
+ decrypted.user = "systemd-network";
+ decrypted.group = "systemd-network";
+ };
+ in lib.attrsets.mapAttrs setSecretOwnership allSecrets;
 
 systemd.network.netdevs = {
 "10-wg0" = {
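Review bot: `setSecretOwnership` merges with `//`, which is shallow in Nix, so a secret's whole `decrypted` attribute is replaced rather than extended. Nothing in this hunk sets another `decrypted.*` key today, but a per-secret setting added later in `mapPeer` or `allSecrets` (a stricter file mode, for instance, if the secrets module offers one) would be dropped silently, and the values affected are the WireGuard private key and the peer PSKs. A recursive merge keeps such settings and also lets the unused `name` argument go: `setSecretOwnership = _: value: lib.attrsets.recursiveUpdate value { decrypted.user = "systemd-network"; decrypted.group = "systemd-network"; };`. The enclosing `let` begins outside the hunk, so whether other code there already sets `decrypted` keys cannot be confirmed from here.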