diff --git a/modules/wireguard/home.nix b/modules/wireguard/home.nix
index f81b0a3..2f36e4b 100644
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@@ -5,33 +5,27 @@ let
     nunotaba = {
       address = "10.80.0.4";
       publicKey = "DvR8mUkll4uyYhNcX82caMkbcw0Lykg8zDzm/3PD5jw=";
-      public = false;
     };
     sayuri = {
       address = "10.80.0.5";
       publicKey = "t7hpd2yZupAKHxYerHtXnlPRUjV1aGbrrzjYakKdOwE=";
-      public = false;
     };
     vueko = {
       address = "10.80.0.6";
       publicKey = "JbOfL4FxPCzJOjI8AGklPHY2FniCXq0QwOa08gjSyns=";
-      public = false;
     };
     fuuko = {
       address = "10.80.0.7";
       publicKey = "VXic8mhaJBSl6yFkx0Cu6JI8tqqjjM3UbW7x+05pV0M=";
-      public = true;
     };
     mayushii = {
       address = "10.80.0.9";
       publicKey = "nnLdgywXmDg8HWH6I0G28Z2zb4OmmyFDpnvvEBzKJTg=";
-      public = false;
     };
   };
   cfg = config.sbruder.wireguard.home;
   enableServer = config.networking.hostName == serverHostName;
-  isPublic = peers.${config.networking.hostName}.public; # publicly reachable
 in
 {
   options = {
@@ -55,31 +49,35 @@ in
     networking.wireguard.interfaces.wg-home = {
       privateKeyFile = config.sops.secrets.wg-home-private-key.path;
       ips = [ "${cfg.address}/24" ];
-      listenPort = if enableServer || isPublic then 51820 else null;
+      listenPort = if enableServer then 51820 else null;
       peers =
-        # fallback/central server for clients that are not publicly reachable
-        lib.optional (!enableServer)
+        if enableServer
+        then
+          map
+            (peerConfig: with peerConfig; {
+              allowedIPs = [ "${address}/32" ];
+              inherit publicKey;
+            })
+            (lib.attrValues
+              (lib.filterAttrs
+                (n: v: n != config.networking.hostName)
+                peers))
+        else [
           {
             allowedIPs = [ "10.80.0.0/24" ];
             publicKey = peers."${serverHostName}".publicKey;
             endpoint = "${serverHostName}.sbruder.de:51820";
             persistentKeepalive = 25;
-          } ++ (lib.mapAttrsToList
-            (hostname: peerConfig: with peerConfig; {
-              allowedIPs = [ "${address}/32" ];
-              inherit publicKey;
-            } // (lib.optionalAttrs (public && !enableServer) {
-              endpoint = "${hostname}.sbruder.de:51820";
-            }))
-            (lib.filterAttrs
-              (n: v: n != config.networking.hostName && (enableServer || v.public))
-              peers));
+          }
+        ];
     };
     networking.firewall = {
       trustedInterfaces = [ "wg-home" ];
-      allowedUDPPorts = lib.optional (isPublic || enableServer) 51820
-        ++ lib.optional enableServer 53;
+      allowedUDPPorts = lib.optionals enableServer [
+        51820
+        53
+      ];
     };
     boot.kernel.sysctl = lib.optionalAttrs enableServer {
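Review bot: The `peers =` expression lost its only explanatory comment (`# fallback/central server for clients that are not publicly reachable` is removed and nothing replaces it), so the hub-and-spoke topology the new if/else encodes has to be reverse-engineered from the two `allowedIPs` values. A short comment above `if enableServer` would carry that, e.g. `# Hub-and-spoke: the server peers with every other host and, via the /32 allowedIPs, accepts only each peer's own address from it; clients peer with the server alone and route all of 10.80.0.0/24 through it, so the server sees every intra-VPN flow.` Separately, the literal `51820` now appears three times in this hunk (`listenPort`, the client `endpoint`, and `allowedUDPPorts`); binding it once in the `let` block shown in the previous hunk would keep the firewall rule, the listening port and the endpoint from drifting apart. The `networking.wireguard.interfaces.wg-home` and `networking.firewall` attribute sets are complete within the hunk, but the enclosing attribute set continues past its last line.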