diff --git a/docs/playbooks/add-wireguard-peer.md b/docs/playbooks/add-wireguard-peer.md new file mode 100644 index 0000000..43644a0 --- /dev/null +++ b/docs/playbooks/add-wireguard-peer.md @@ -0,0 +1,25 @@ +# Playbook: Add WireGuard Peer (Friend or Guest) + +## When to use +- Adding a new WireGuard peer in the friends (10.8.0.0/24) or guests (10.9.0.0/24) subnet. +- Updating firewall rules to allow access to specific ports for that peer. + +## Inputs +- Peer name (e.g., `friend5`, `guest2`) +- Peer public key (WireGuard) +- Peer IP address (e.g., `10.8.0.6` or `10.9.0.3`) +- Access scope (ports/services the peer should reach) + +## Steps +1. Add the peer IP to `my.ips` in `modules/modules.nix`. +2. Add the peer to the VPS WireGuard peers list in `modules/services/wireguard.nix`. +3. If the peer is a guest/friend, ensure `allowedIPs` includes the relevant subnets in `hosts/server/configuration.nix`. +4. Add or adjust VPS firewall rules in `hosts/vps/configuration.nix` (`networking.firewall.extraForwardRules`) to allow the requested ports. +5. Rebuild both hosts: + - `nixos-rebuild switch --flake .#vps` + - `nixos-rebuild switch --flake .#server` + +## Verification +- On VPS: `sudo wg show` +- On VPS: `sudo nft list ruleset | rg -n "|"` +- From peer: confirm access to allowed endpoints (HTTP/TCP/ICMP as defined).
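Review bot: the verification step `sudo nft list ruleset | rg -n "|"` filters nothing, because a lone `|` is an empty alternation that matches every line, so the check cannot fail; the intended placeholder should be spelled out as the peer's address and/or the opened port, e.g. `sudo nft list ruleset | rg -n "10.8.0.6"`. Two further gaps in the same file: step 2 does not say what `allowedIPs` the VPS entry gets for a friend or guest, and it should state the peer's single `/32` (e.g. `10.8.0.6/32`) rather than a subnet, since WireGuard's cryptokey routing is what stops a guest from sourcing traffic as another peer's address; and the "Verification" list only checks positive reachability, so add a negative check from the peer (a port outside the requested access scope is refused) and, before step 1, a check that the chosen IP is not already present in `my.ips`.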