diff --git a/hosts/linode/toggles.nix b/hosts/linode/toggles.nix
index 4d68238..a6fe5bb 100644
--- a/hosts/linode/toggles.nix
+++ b/hosts/linode/toggles.nix
@@ -3,7 +3,7 @@ _: {
 locale = "en_US.UTF-8";
 wireguard.enable = true;
 network.enable = true;
- secureHost = true;
+ secureHost = false;
 ips = {
 vps = "51.222.141.104";
 wg-vps = "10.77.0.1";
diff --git a/hosts/linode/wireguard-linode.nix b/hosts/linode/wireguard-linode.nix
index cf22e11..3236a93 100644
--- a/hosts/linode/wireguard-linode.nix
+++ b/hosts/linode/wireguard-linode.nix
@@ -6,7 +6,7 @@
 }:
 {
 config = lib.mkIf config.my.services.wireguard.enable {
- sops.secrets."wireguard/linode/private" = {
+ sops.secrets."wireguard/linode/private" = lib.mkIf config.my.secureHost {
 sopsFile = ../../secrets/wireguard.yaml;
 };
 networking = {
@@ -44,7 +44,11 @@
 "${config.my.ips.wg-friends}/24"
 ];
 listenPort = 51820;
- privateKeyFile = config.sops.secrets."wireguard/linode/private".path;
+ privateKeyFile =
+ if config.my.secureHost then
+ config.sops.secrets."wireguard/linode/private".path
+ else
+ "/var/lib/wireguard/private.key";
 postSetup = "${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${config.my.ips.wg-friends}/24 -o ${
 config.my.interfaces.${config.networking.hostName}
 } -j MASQUERADE";
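Review bot: The flip to `secureHost = false` in hosts/linode/toggles.nix carries no comment saying why the flag is off for this host or what it gates. Within this diff it moves the WireGuard private key from the sops-managed secret to a plain file on disk; any other module that reads `config.my.secureHost` is outside the diff and would be switched off with it, and this host has a public address in `ips.vps`. I would add a line above it such as `# secureHost = false: no sops secrets on this host; WireGuard key is read from /var/lib/wireguard/private.key`, and confirm that no firewall or SSH hardening is conditioned on the same flag.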
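Review bot: The `else` branch in the last hunk of wireguard-linode.nix points `privateKeyFile` at `/var/lib/wireguard/private.key`, but nothing in the visible hunks creates that file or constrains its owner and mode. With `secureHost = false` the interface will presumably fail to start on a fresh deploy, or read a key whose permissions nobody set. If this attribute set sits under `networking.wireguard.interfaces.<name>` (the enclosing path is outside the hunk), adding `generatePrivateKeyFile = !config.my.secureHost;` lets the module create the key on first start; a newly generated key changes the server's public key, so peers would need the new one. Otherwise a comment next to the path should state that the file is provisioned out of band, root-owned and mode 0600.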