diff --git a/defaults/base/default.nix b/defaults/base/default.nix
index eba4c1f..e9dad02 100644
--- a/defaults/base/default.nix
+++ b/defaults/base/default.nix
@@ -4,6 +4,8 @@ { imports = [ ../../modules ]; + nixpkgs.overlays = [(import ../../overlays)]; + system.autoUpgrade.enable = true; system.autoUpgrade.allowReboot = false;
diff --git a/host/montalin/applications/vpn.nix b/host/montalin/applications/vpn.nix
index 6d432f4..49d8bff 100644
--- a/host/montalin/applications/vpn.nix
+++ b/host/montalin/applications/vpn.nix
@@ -3,38 +3,9 @@ let
 meta = import ../../../meta;
 network = meta.network.virtual;
 networkName = "mgmt";
- networkConfig = network.${networkName};
- hostName = config.networking.hostName;
 in {
 networking.wireguard.enable = true;
 networking.wireguard.interfaces = {
- "wg-${networkName}" = {
- ips = [
- "${networkConfig.hosts.${hostName}.v4.ip}/${
- toString networkConfig.v4.bitmask
- }"
- ];
- privateKeyFile = "/secrets/wireguard/private/${networkName}";
- generatePrivateKeyFile = true;
-
- peers = let
- mapHostToPeerConfig = (host: netconf: {
-
- # Generate the preshared key with wg genpsk
- presharedKeyFile =
- "/secrets/wireguard/preshared/${networkName}-${host}";
- publicKey = netconf.publicKey;
-
- endpoint = netconf.endpoint;
-
- allowedIPs = [ netconf.v4.ip ];
- persistantKeepalive = netconf.persistentKeepalive;
- });
- reachablePeerHosts = lib.filterAttrs (host: netconf:
- host != hostName
- && (netconf.endpoint != null || networkConfig.server == hostName))
- networkConfig.hosts;
- in lib.mapAttrsToList mapHostToPeerConfig reachablePeerHosts;
- };
+ "wg-${networkName}" = pkgs.lib.qois.wireguard.makeInterface config.networking.hostName networkName network.${networkName};
 };
 }
diff --git a/lib/default.nix b/lib/default.nix
new file mode 100644
index 0000000..c3e7e08
--- /dev/null
+++ b/lib/default.nix
@@ -0,0 +1 @@
+{ lib }: rec { wireguard = import ./wireguard.nix { lib = lib; }; }
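Review bot: The new `"wg-${networkName}"` binding resolves `pkgs.lib.qois` only when the overlay from `../../overlays` is part of the evaluated configuration, which in this commit happens through `defaults/base/default.nix`; a host that does not import that module fails to evaluate with a missing-attribute error on `qois`, and nothing in this file says so. A one-line comment above the binding would make the dependency explicit: `# qois helpers come from ../../overlays, applied in defaults/base`. The module argument `lib` is not the overlaid `pkgs.lib`, which is presumably why `pkgs.lib.qois` is spelled out here rather than `lib.qois`; if the file header (outside the hunk) still takes `lib`, that argument now looks unused since `filterAttrs`/`mapAttrsToList` moved into the library. The line is also long enough that putting the three arguments on separate lines would read better.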
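Review bot: `rec` on this attribute set is unnecessary because no attribute refers to another, and `{ lib = lib; }` is conventionally written `{ inherit lib; }`; the line would read `{ lib }: { wireguard = import ./wireguard.nix { inherit lib; }; }`. Since the `lib` passed in is whatever the overlay supplies, a short comment such as `# lib: the nixpkgs lib this helper set is attached to (see overlays/default.nix)` would help a reader arriving from lib/wireguard.nix.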
diff --git a/lib/wireguard.nix b/lib/wireguard.nix
new file mode 100644
index 0000000..0113ca0
--- /dev/null
+++ b/lib/wireguard.nix
@@ -0,0 +1,29 @@
+{ lib }: rec {
+
+ mapHostToPeerConfig = (netname: host: hostconf: {
+
+ # Generate the preshared key with wg genpsk
+ presharedKeyFile = "/secrets/wireguard/preshared/${netname}-${host}";
+ publicKey = hostconf.publicKey;
+
+ endpoint = hostconf.endpoint;
+
+ allowedIPs = [ hostconf.v4.ip ];
+ persistantKeepalive = hostconf.persistentKeepalive;
+ });
+
+ makeInterface = (hostName: netname: netconfig: {
+ ips = [
+ "${netconfig.hosts.${hostName}.v4.ip}/${toString netconfig.v4.bitmask}"
+ ];
+ privateKeyFile = "/secrets/wireguard/private/${netname}";
+ generatePrivateKeyFile = true;
+
+ peers = let
+ reachablePeerHosts = lib.filterAttrs (host: hostconf:
+ host != hostName
+ && (hostconf.endpoint != null || netconfig.server == hostName))
+ netconfig.hosts;
+ in lib.mapAttrsToList (mapHostToPeerConfig netname) reachablePeerHosts;
+ });
+}
diff --git a/overlays/default.nix b/overlays/default.nix
new file mode 100644
index 0000000..1ffdb20
--- /dev/null
+++ b/overlays/default.nix
@@ -0,0 +1,3 @@
+self: super: {
+ lib = (super.lib or { }) // { qois = import ../lib { lib = self.lib; }; };
+}
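Review bot: `persistantKeepalive` in `mapHostToPeerConfig` is misspelled; the NixOS peer option is `persistentKeepalive` (the right-hand side already reads `hostconf.persistentKeepalive`), so the attribute will be rejected as an undefined option when the interface is evaluated unless the peer submodule accepts arbitrary attributes — the fix is `persistentKeepalive = hostconf.persistentKeepalive;`. The misspelling was present in the vpn.nix code this commit removes, so the refactor carries it over rather than introducing it. Both functions are now library entry points without a header comment; a short comment above `makeInterface` stating that it returns a `networking.wireguard.interfaces.<name>` value, that `netconfig` must provide `hosts.<hostName>.v4.ip`, `v4.bitmask` and `server`, and that peers are limited to hosts with an `endpoint` unless `hostName` is the network's `server`, would document the contract the filter relies on. The existing `# Generate the preshared key with wg genpsk` line is the only hint that the preshared key files must already exist on the host while the private key is generated (`generatePrivateKeyFile = true`); saying so next to `makeInterface` would spare a surprise at activation time.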
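Review bot: `(super.lib or { }) // { qois = … }` yields a plain attribute set that no longer carries lib's fixpoint: a later overlay that calls `lib.extend` would, as far as I can tell, start from the pre-overlay `super.lib` and lose `qois`, and the `or { }` fallback is dead because nixpkgs always provides `lib`. The conventional form is `lib = super.lib.extend (final: prev: { qois = import ../lib { lib = final; }; });`, which also gives the helpers the same self-reference the current code obtains through `self.lib`. This only extends `pkgs.lib`; the `lib` module argument seen by NixOS modules is unaffected, which is why callers must spell `pkgs.lib.qois`, and that is worth a comment here such as `# exposed as pkgs.lib.qois; the module-argument lib is not extended`.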