diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix
index 9b1958d..ecc81a7 100644
--- a/systems/ceres/config/wireguard.nix
+++ b/systems/ceres/config/wireguard.nix
@@ -40,24 +40,27 @@ in
     };
   };
 
-  sops.secrets =
+  sops =
     let
       sopsPath = secret: {
-        path = "${service.sops.path0}/${service.name}-${secret}";
+        path = "${service.sops.path0}/${service.name}-${secret}-pass";
         owner = "root";
         mode = "600";
       };
     in
-    (map
-      (secret: {
-        name = "${service.name}-${secret}";
-        value = sopsPath secret;
-      })
-      [
-        "private"
-        "public"
-      ]
-    );
+    {
+      secrets = builtins.listToAttrs (
+        map
+          (secret: {
+            name = "${service.name}-${secret}";
+            value = sopsPath secret;
+          })
+          [
+            "private"
+            "public"
+          ]
+      );
+    };
 
   boot.kernel.sysctl = {
     "net.ipv4.ip_forward" = 1;