diff --git a/data/internalCAIntermediate.crt b/data/internalCAIntermediate.crt
new file mode 100644
index 0000000..e69de29
diff --git a/home/dev/all/extra.nix b/home/dev/all/extra.nix
index 9a51122..601ec28 100644
--- a/home/dev/all/extra.nix
+++ b/home/dev/all/extra.nix
@@ -9,8 +9,8 @@
 file
 python3
 binutils # for strings
+ qrencode
- # (pkgs.busybox.override {enableAppletSymlinks = false;})
 # This saves a rebuild of already cached busybox
 (pkgs.runCommand "busybox-no-applets" {} ''
 mkdir -p $out/bin
diff --git a/lib/internalWireGuardLib.nix b/lib/internalWireGuardLib.nix
index 1d80ea8..326d558 100644
--- a/lib/internalWireGuardLib.nix
+++ b/lib/internalWireGuardLib.nix
@@ -5,7 +5,7 @@
 }: let
 inherit (pkgs) writeShellScriptBin;
 inherit (lib.lists) forEach;
- inherit (lib.strings) concatStringsSep;
+ inherit (lib.strings) concatStringsSep optionalString;
 inherit (builtins) attrNames;
 wireguardData = import ../data/wireguard/chaosInternalWireGuard.nix;
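Review bot: data/internalCAIntermediate.crt is committed as an empty file — the new blob id e69de29 is git's empty blob, and there is no hunk for it — so any consumer that loads it as the intermediate CA will read zero certificates and either fail to build a chain or, depending on the loader, silently skip it. Either commit the intended PEM or leave the file out until it exists, and name the consumer in the commit message so the next reader knows what is supposed to read it.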
@@ -63,4 +63,37 @@ in rec {
 ${jq} ".\"${systemHostName}\" = \"$PUBLIC\"" "$PUBKEYS_FILE" | ${sponge} "$PUBKEYS_FILE"
 ''));
+
+ genConfScript = systemHostName: (writeShellScriptBin "wg-gen-conf-${systemHostName}" (let
+ vault = "${pkgs.vault-bin}/bin/vault";
+ jq = "${pkgs.jq}/bin/jq";
+
+ currentHostConfig = wireguardHosts.${systemHostName};
+ in ''
+ set -euo pipefail
+ getPrivateKey() {
+ ${vault} kv get -format=json "/private-public-keys/wireguard/chaos-internal/$1" | ${jq} -r ".data.data.private" | tr -d '\n'
+ }
+
+ cat << EOF
+ [interface]
+ Address = ${currentHostConfig.ip}/24
+ ${optionalString (currentHostConfig ? "listenAddress") "ListenAddress = ${toString currentHostConfig.listenAddress}"}
+ PrivateKey = $(getPrivateKey ${systemHostName})
+
+
+ ${concatStringsSep "\n" (forEach (attrNames wireguardHosts) (hostName: (let
+ hostConfig = wireguardHosts.${hostName};
+ in ''
+ [Peer]
+ PublicKey = ${hostConfig.public}
+ ${optionalString (hostConfig ? "endpoint") "Endpoint = ${hostConfig.endpoint}"}
+ AllowedIPs = ${
+ if hostConfig ? "allowedIPs"
+ then concatStringsSep "," hostConfig.allowedIPs
+ else "${hostConfig.ip}/32"
+ }
+ '')))}
+ EOF
+ ''));
 }
diff --git a/outputs.nix b/outputs.nix
index 1093eec..af8c089 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -85,6 +85,7 @@ in (mergeAttrsList (
 forEach hostsWithWireGuard (hostName: {
 "wg-keys-init-${hostName}" = internalWireGuardLib.genInitScript hostName;
+ "wg-gen-conf-${hostName}" = internalWireGuardLib.genConfScript hostName;
 }) )) {
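Review bot: In genConfScript the private key is obtained by a command substitution inside the `cat << EOF` heredoc, so `set -euo pipefail` never sees a failing `vault` or `jq` call and the script prints a config with an empty `PrivateKey =` line and exits 0. Fetch it before the heredoc, e.g. `PRIVATE_KEY="$(getPrivateKey ${systemHostName})"` followed by `[ -n "$PRIVATE_KEY" ] || { echo "no private key for ${systemHostName}" >&2; exit 1; }`, and emit `PrivateKey = $PRIVATE_KEY` in the heredoc. The section header is written `[interface]` while the peers use `[Peer]`; wg-quick(8) recognises the `[Interface]` section by exact match, so with the lowercase header the `Address` line would likely be handed to `wg setconf` and rejected there. `ListenAddress` is not a key that wg(8) or wg-quick(8) document — if `listenAddress` in the data file holds a port, as the `toString` suggests, the emitted key should be `ListenPort`. The peer loop over `attrNames wireguardHosts` also includes `systemHostName` itself, so every config lists its own public key as a peer; `forEach (builtins.filter (h: h != systemHostName) (attrNames wireguardHosts))` avoids relying on the consumer ignoring a self-peer.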