diff --git a/wg.mk b/wg.mk
index 99a39b8..b2f1480 100644
--- a/wg.mk
+++ b/wg.mk
@@ -20,8 +20,11 @@ wgkeys.rec: wireguard/dmz_public_key
 	git commit -m"add wireguard key for $(name)"
 	$(info Remember to git push)
 
-wireguard/dmz.conf: xecut/nimbus/dmz.conf | wireguard/dmz_private_key
-	sed 's/PRIVATE_KEY/$(shell cat $|)/' $< > $@
+wireguard/dmz.conf: wireguard/dmz_bare.conf | wireguard/dmz_private_key
+	sed 's#PRIVATE_KEY#$(shell cat $|)#' $< > $@
+
+wireguard/dmz_bare.conf: wgkeys.rec | xecut/nimbus/dmz.conf
+	recsel $< -t $(basename $<) -e 'name = "$(name)"' | recfmt -f $| > $@
 
 ###### Wireguard configuration #####
 
diff --git a/wgkeys.rec b/wgkeys.rec
index 6ec1329..920f60f 100644
--- a/wgkeys.rec
+++ b/wgkeys.rec
@@ -1,8 +1,12 @@
 %rec: wgkeys
+%key: id
 %type: name,pubkey line
+%type: id int
+%auto: id
 %mandatory: name
 + pubkey
 
+id: 2
 name: Malin Freeborn
 pubkey: loNnXRalD0ZyOLadSWm31rqOuRfEbgtX9O4/z7eSIho=
 
diff --git a/xecut/nimbus/dmz.conf b/xecut/nimbus/dmz.conf
index 5b05721..6f91a8e 100644
--- a/xecut/nimbus/dmz.conf
+++ b/xecut/nimbus/dmz.conf
@@ -8,5 +8,5 @@ DNS = 9.9.9.9
 [Peer]
 PublicKey = GH+qA1Au9BraGhNt7Aqp8tdhGVfH8ENnY3VzKhe69XQ=
 Endpoint = space.xecut.me:51900
-AllowedIPs = 10.0.0.1/24
+AllowedIPs = 10.0.0.{{id}}/24
 
diff --git a/xecut/nimbus/wg_peer.fmt b/xecut/nimbus/wg_peer.fmt
index 364ade3..2a58473 100644
--- a/xecut/nimbus/wg_peer.fmt
+++ b/xecut/nimbus/wg_peer.fmt
@@ -1,4 +1,4 @@
 [Peer]
 PublicKey = {{pubkey}}
-AllowedIPs = 10.0.0.2/32
+AllowedIPs = 10.0.0.{{id}}/32