diff --git a/config/hosts/beltane/nixos.nix b/config/hosts/beltane/nixos.nix
index 67862c15..d75ddd26 100644
--- a/config/hosts/beltane/nixos.nix
+++ b/config/hosts/beltane/nixos.nix
@@ -7,6 +7,7 @@ with lib;
 
   imports = with meta; [
     profiles.hardware.rm-310
+    profiles.network
     profiles.gui
     users.kat.guiFull
     services.fusionpbx
@@ -112,10 +113,6 @@ with lib;
         };
       };
     };
-    wireguard = {
-      enable = true;
-      tf.enable = true;
-    };
     yggdrasil = {
       enable = true;
       pubkey = "d3e488574367056d3ae809b678f799c29ebfd5c7151bb1f4051775b3953e5f52";
diff --git a/config/profiles/gui/nfs.nix b/config/profiles/gui/nfs.nix
index 7b529f43..19bbd55a 100644
--- a/config/profiles/gui/nfs.nix
+++ b/config/profiles/gui/nfs.nix
@@ -4,7 +4,7 @@
   boot.supportedFilesystems = [ "nfs" ];
 
   fileSystems."/mnt/kat-nas" = lib.mkIf (config.networking.hostName != "beltane") {
-    device = "${meta.network.nodes.beltane.network.addresses.private.domain}:/mnt/zraw/media";
+    device = "${meta.network.nodes.beltane.network.addresses.wireguard.domain}:/mnt/zraw/media";
     fsType = "nfs";
     options = [ "x-systemd.automount" "noauto" "nfsvers=4" "soft" "retrans=2" "timeo=60" ];
   };
diff --git a/config/services/nfs/default.nix b/config/services/nfs/default.nix
index 034efb5e..f2788a2b 100644
--- a/config/services/nfs/default.nix
+++ b/config/services/nfs/default.nix
@@ -9,7 +9,7 @@ with lib;
   };
 
   services.nfs.server.enable = true;
-  services.nfs.server.exports = "/mnt/zraw/media 192.168.1.0/24(rw) 200::/7(rw) 2a00:23c7:c597:7400::/56(rw)";
+  services.nfs.server.exports = "/mnt/zraw/media 192.168.1.0/24(rw) ${config.network.wireguard.prefixV4}.0/24(rw) fe80::/10(rw) 200::/7(rw) 2a00:23c7:c597:7400::/56(rw)";
 
   services.nginx.virtualHosts = kw.virtualHostGen {
     networkFilter = [ "private" "yggdrasil" ];