diff --git a/modules/config/devices/config/ceres.nix b/modules/config/devices/config/ceres.nix
index 899efc2..723cca4 100755
--- a/modules/config/devices/config/ceres.nix
+++ b/modules/config/devices/config/ceres.nix
@@ -28,7 +28,7 @@ in
 options = ownerExclusiveReadWriteMask;
 };
 wireguard = {
- ip0 = "10.100.0.2";
+ ip0 = "10.100.0.1";
 };
 storage0 = {
 mount = "/mnt/media/${ceresStorageDriveName}";
diff --git a/modules/nixos/services/searx/default.nix b/modules/nixos/services/searx/default.nix
index ce7637b..5e7cb54 100755
--- a/modules/nixos/services/searx/default.nix
+++ b/modules/nixos/services/searx/default.nix
@@ -46,6 +46,11 @@ in
 virtualHosts = {
 "${configHelpers.host}" = {
 extraConfig = ''
+ @blocked {
+ not remote_ip 10.100.0.0/24
+ }
+ respond @blocked 403 "Access allowed only via WireGuard"
+
 redir /.well-known/carddav /remote.php/dav/ 301
 redir /.well-known/caldav /remote.php/dav/ 301
@@ -87,7 +92,7 @@ in
 networking = {
 firewall = {
- allowedTCPPorts = [
+ interfaces.wg0.allowedTCPPorts = [
 configHelpers.service.ports.port0
 ];
 };
diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix
index ecc81a7..8547055 100644
--- a/systems/ceres/config/wireguard.nix
+++ b/systems/ceres/config/wireguard.nix
@@ -1,7 +1,7 @@
 { config, flake, ... }:
 let
 inherit (flake.config.services.instances) wireGuard web;
- inherit (flake.config.machines.devices) mars;
+ inherit (flake.config.machines.devices) mars ceres;
 service = wireGuard;
 in
 {
@@ -27,7 +27,7 @@ in
 wireguard.interfaces = {
 wg0 = {
- ips = [ "${web.wireguard.interface0}/24" ];
+ ips = [ "${ceres.wireguard.ip0}/24" ];
 listenPort = service.ports.port0;
 privateKeyFile = config.sops.secrets."${service.name}-private".path;
 peers = [
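Review bot: The move of `ip0` from 10.100.0.2 to 10.100.0.1 has no matching change on the peer side in this diff, so if mars's peer entry for ceres pins `10.100.0.2/32` in its allowedIPs, WireGuard's cryptokey routing will drop ceres's tunnel traffic after this lands; that file is outside the diff, so this is inferred. It also needs confirming that nothing else on the tunnel (mars, or whatever `web.wireguard.interface0` resolved to, which systems/ceres/config/wireguard.nix used until this commit) already holds `.1`, since a duplicate address would undermine the source-address rule added to the searx vhost in the same commit. A short comment on the value, e.g. `# wg0 address of ceres; must match this host's entry in the peers' allowedIPs`, would make the cross-host coupling visible.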
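Review bot: Caddy evaluates top-level directives in its built-in order, in which `redir` precedes `respond`, so the two `.well-known` redirects on the lines following the new block still answer clients outside 10.100.0.0/24 before `respond @blocked 403` is ever reached; if the intent is that non-WireGuard clients see only the 403, the redirects need the same guard (a matcher combining `path` with `remote_ip 10.100.0.0/24`) or the deny must live in a construct that is evaluated first. `remote_ip` checks the TCP peer address rather than any forwarded header, which is the right matcher here as long as Caddy terminates the client connection itself; if another proxy sits in front, every request carries the proxy's address and the rule denies either everything or nothing. The subnet is a hard-coded literal while the rest of this commit derives addresses from `ceres.wireguard.ip0`, so interpolating it from the shared WireGuard definition (`${<wireguard-subnet-option>}`, whichever option holds it) would keep the matcher from drifting when the tunnel addressing changes. The enclosing `extraConfig` string continues beyond the hunk.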
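Review bot: Only `configHelpers.service.ports.port0` becomes interface-scoped on the changed line, while the vhost that the `@blocked` matcher protects is served by Caddy on its own listener, whose ports are not touched here; if those ports stay in the host-wide `allowedTCPPorts` elsewhere, the 403 rule is the only control between the LAN/WAN and the service, and an `interfaces.wg0` rule like this one is the stronger place to enforce tunnel-only access. The rule is also tied to the literal interface name `wg0`; since this module lives under modules/nixos/services and may be imported by any host, a host whose tunnel interface is named differently would silently end up with the port closed on every interface (fail-closed, but worth a comment such as `# port0 reachable only over the WireGuard interface; name must match the host's wireguard.interfaces key`). The `networking.firewall` attribute set continues past the hunk.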