diff --git a/inventory/external.yml b/inventory/external.yml
new file mode 100644
index 0000000..a948098
--- /dev/null
+++ b/inventory/external.yml
@@ -0,0 +1,19 @@
+pearl:
+  hosts:
+    "157.90.125.225":
+      ansible_ssh_port: 2222
+      debian_version: "trixie"
+      btrfs_uuid: "e51a43f8-d131-4c64-8bce-a206e5621483"
+nas:
+  hosts:
+    "213.119.99.214":
+      ansible_ssh_port: 2223
+      static_ip: "192.168.0.3"
+boomhut:
+  hosts:
+    "51.254.128.104":
+      ansible_ssh_port: 2222
+emma:
+  hosts:
+    "78.22.233.14":
+      ansible_ssh_port: 2222
diff --git a/inventory/host_vars/157.90.125.225/vars.yml b/inventory/host_vars/157.90.125.225/vars.yml
new file mode 100644
index 0000000..4036890
--- /dev/null
+++ b/inventory/host_vars/157.90.125.225/vars.yml
@@ -0,0 +1,4 @@
+---
+wireguard_address: "10.0.0.2/24"
+wireguard_peers:
+  - "78.22.233.14"
diff --git a/inventory/host_vars/51.254.128.104/vars.yml b/inventory/host_vars/51.254.128.104/vars.yml
new file mode 100644
index 0000000..5479f9e
--- /dev/null
+++ b/inventory/host_vars/51.254.128.104/vars.yml
@@ -0,0 +1,4 @@
+---
+wireguard_address: "10.0.0.3/24"
+wireguard_peers:
+  - "78.22.233.14"
diff --git a/inventory/host_vars/78.22.233.14/vars.yml b/inventory/host_vars/78.22.233.14/vars.yml
new file mode 100644
index 0000000..b3ba1a9
--- /dev/null
+++ b/inventory/host_vars/78.22.233.14/vars.yml
@@ -0,0 +1,5 @@
+---
+wireguard_address: "10.0.0.1/24"
+wireguard_peers:
+  - "157.90.125.225"
+  - "51.254.128.104"
diff --git a/plays/wireguard.yml b/plays/wireguard.yml
new file mode 100644
index 0000000..ea07ba4
--- /dev/null
+++ b/plays/wireguard.yml
@@ -0,0 +1,6 @@
+---
+- name: Set up WireGuard connections
+  hosts: emma:pearl:boomhut
+  become: true
+  roles:
+    - any.tools.wireguard
diff --git a/roles/any.tools.wireguard/defaults/main.yml b/roles/any.tools.wireguard/defaults/main.yml
new file mode 100644
index 0000000..b04673a
--- /dev/null
+++ b/roles/any.tools.wireguard/defaults/main.yml
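Review bot: `ansible_ssh_port` under each host is the pre-2.0 spelling of the connection port; the current variable is `ansible_port`, so `ansible_port: 2222` avoids relying on the deprecated alias. This is also the only YAML file in the commit without a `---` document-start line, which every other new file uses. Both are style points; the host values themselves are unchanged by either.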
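Review bot: The per-host `wireguard_peers` lists describe a hub-and-spoke layout (78.22.233.14 peers with both other hosts, each of those peers only with it), and nothing in the hunk records that this is intentional; the same applies to the 51.254.128.104 and 78.22.233.14 host_vars hunks. Because the template gives each peer an AllowedIPs of a single /32, a spoke such as 10.0.0.2 has no WireGuard route to 10.0.0.3 even though the hub knows both — presumably spoke-to-spoke traffic is not required, but that is worth stating. A one-line comment above the list would settle it, e.g. `# Spokes peer only with the hub (78.22.233.14); spoke-to-spoke traffic is not routed over the tunnel.`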
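Review bot: The play sets no `any_errors_fatal: true`, yet the role's template reads `hostvars[host]['wireguard_public_key']` for every peer; if one of emma/pearl/boomhut fails or is unreachable before its set_fact task runs, the surviving hosts reach the template task with that fact undefined and fail there with a less obvious error. Adding `any_errors_fatal: true` to the play stops at the first failure instead. This is inferred from the role tasks elsewhere in the commit rather than from this hunk alone.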
@@ -0,0 +1,5 @@
+---
+wireguard_port: 51820
+wireguard_interface: wg0
+wireguard_keepalive: 25
+wireguard_peers: "{{ ansible_play_hosts }}"
diff --git a/roles/any.tools.wireguard/handlers/main.yml b/roles/any.tools.wireguard/handlers/main.yml
new file mode 100644
index 0000000..192b008
--- /dev/null
+++ b/roles/any.tools.wireguard/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart wg-quick
+  ansible.builtin.service:
+    name: "wg-quick@{{ wireguard_interface }}"
+    state: restarted
diff --git a/roles/any.tools.wireguard/tasks/main.yml b/roles/any.tools.wireguard/tasks/main.yml
new file mode 100644
index 0000000..2ad5aed
--- /dev/null
+++ b/roles/any.tools.wireguard/tasks/main.yml
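Review bot: `wireguard_address` is read by the template (`Address = {{ wireguard_address }}`) but has no entry in this defaults file, so it is a required per-host variable that the role never declares, and the keys that are present carry no comments. Suggest one comment per variable, e.g. `# wireguard_address (required, set in host_vars): interface address with prefix, e.g. "10.0.0.1/24"` above the list and `# wireguard_peers: hosts rendered as [Peer] sections; defaults to every host in the current play` above the last key. `ansible_play_hosts` excludes hosts that have already failed or are unreachable, so the default peer set can shrink mid-run without any error; that caveat belongs in the same comment.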
@@ -0,0 +1,73 @@
+---
+- name: Ensure WireGuard is installed
+  ansible.builtin.apt:
+    name: wireguard
+    state: present
+
+- name: Ensure /etc/wireguard directory exists
+  ansible.builtin.file:
+    path: /etc/wireguard
+    state: directory
+    owner: root
+    group: root
+    mode: "700"
+
+- name: Check if private key already exists
+  ansible.builtin.stat:
+    path: /etc/wireguard/private_key
+  register: wireguard_private_key_file
+
+- name: Generate WireGuard private key
+  ansible.builtin.shell: wg genkey > /etc/wireguard/private_key
+  when: not wireguard_private_key_file.stat.exists
+
+- name: Set permissions on private key
+  ansible.builtin.file:
+    path: /etc/wireguard/private_key
+    owner: root
+    group: root
+    mode: "600"
+
+- name: Derive and write WireGuard public key from private key
+  ansible.builtin.shell: wg pubkey < /etc/wireguard/private_key > /etc/wireguard/public_key
+  changed_when: false
+
+- name: Set permissions on public key
+  ansible.builtin.file:
+    path: /etc/wireguard/public_key
+    owner: root
+    group: root
+    mode: "644"
+
+- name: Read WireGuard private key
+  ansible.builtin.slurp:
+    src: /etc/wireguard/private_key
+  register: wireguard_private_key_b64
+
+- name: Set WireGuard private key fact
+  ansible.builtin.set_fact:
+    wireguard_private_key: "{{ wireguard_private_key_b64.content | b64decode | trim }}"
+
+- name: Read WireGuard public key
+  ansible.builtin.slurp:
+    src: /etc/wireguard/public_key
+  register: wireguard_public_key_b64
+
+- name: Set WireGuard public key fact
+  ansible.builtin.set_fact:
+    wireguard_public_key: "{{ wireguard_public_key_b64.content | b64decode | trim }}"
+
+- name: Deploy WireGuard interface config
+  ansible.builtin.template:
+    src: wg0.conf.j2
+    dest: "/etc/wireguard/{{ wireguard_interface }}.conf"
+    owner: root
+    group: root
+    mode: "600"
+  notify: restart wg-quick
+
+- name: Enable and start wg-quick service
+  ansible.builtin.service:
+    name: "wg-quick@{{ wireguard_interface }}"
+    state: started
+    enabled: true
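Review bot: `wg genkey > /etc/wireguard/private_key` creates the key file under the shell's umask, so until the following "Set permissions on private key" task runs the private key sits on disk with whatever mode that umask yields (0644 for the common 022), and the task carries no idempotence marker of its own. Make creation atomic and self-describing with `ansible.builtin.shell: umask 077 && wg genkey > /etc/wireguard/private_key` plus `args:` / `creates: /etc/wireguard/private_key`, which also lets the preceding stat task and the `when:` be dropped. Separately, the "Read WireGuard private key" slurp and the "Set WireGuard private key fact" task put the private key into a registered result and into hostvars, where verbose output and callback plugins can print it; add `no_log: true` to both tasks. The "Derive and write" task rewrites public_key on every run while declaring `changed_when: false`; that is harmless, but a comment saying the rewrite is deliberate (it keeps the public key in step with a regenerated private key) would stop the next reader from "fixing" it.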
diff --git a/roles/any.tools.wireguard/templates/wg0.conf.j2 b/roles/any.tools.wireguard/templates/wg0.conf.j2
new file mode 100644
index 0000000..43aa04f
--- /dev/null
+++ b/roles/any.tools.wireguard/templates/wg0.conf.j2
@@ -0,0 +1,16 @@
+[Interface]
+Address = {{ wireguard_address }}
+PrivateKey = {{ wireguard_private_key }}
+ListenPort = {{ wireguard_port }}
+
+{% for host in wireguard_peers %}
+{% if host != inventory_hostname %}
+[Peer]
+# {{ host }}
+PublicKey = {{ hostvars[host]['wireguard_public_key'] }}
+AllowedIPs = {{ hostvars[host]['wireguard_address'].split('/')[0] }}/32
+Endpoint = {{ hostvars[host]['ansible_host'] | default(host) }}:{{ hostvars[host]['wireguard_port'] | default(wireguard_port) }}
+PersistentKeepalive = {{ wireguard_keepalive }}
+
+{% endif %}
+{% endfor %}
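Review bot: The template has no header marking it as generated, so the rendered `/etc/wireguard/wg0.conf` (which holds the private key) reads like a hand-written file; add `# Managed by Ansible (role any.tools.wireguard) -- local edits are overwritten` as the first line. The `Endpoint` line falls back to `host`, the inventory name, whenever `ansible_host` is unset; that works in this commit only because the inventory names are literal IP addresses, so a comment above the loop such as `{# Endpoint defaults to the inventory name, which must be a resolvable address or IP #}` records the assumption. `PersistentKeepalive` is emitted for every peer, including from the hub towards its spokes; WireGuard documents it as needed only on the side behind NAT or a stateful firewall, so this is likely more keepalive traffic than required but not incorrect.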