diff --git a/machines/shinobu/services/router/nft.nix b/machines/shinobu/services/router/nft.nix index efe0e9a..103aba8 100644 --- a/machines/shinobu/services/router/nft.nix +++ b/machines/shinobu/services/router/nft.nix @@ -2,23 +2,24 @@ let cfg = import ./common.nix; - flattenAttrValues = attrs: lib.flatten (map (v: if lib.isAttrs v then flattenAttrValues v else v) (lib.attrValues attrs)); - mkKeyValue = lib.generators.mkKeyValueDefault rec { - # specifies the generated string for a subset of nix values mkValueString = v: if lib.isString v then ''"${v}"'' else if lib.isList v then ''{ ${lib.concatMapStringsSep ", " mkValueString v} }'' else lib.generators.mkValueStringDefault { } v; } " = "; + passthru = { + WG_UPSTREAM_ENDPOINT = cfg.wg-upstream.endpoint.address; + VPN_BYPASS_MARK = cfg.vpnBypassFwMark; + }; + defines = lib.concatStringsSep "\n" - (flattenAttrValues - (lib.mapAttrsRecursive - (path: value: "define " + (mkKeyValue ''CFG_${lib.concatStringsSep "_" path}'' value)) - cfg)); + (lib.mapAttrsToList + (key: value: "define " + (mkKeyValue key value)) + passthru); in { networking.nftables = { diff --git a/machines/shinobu/services/router/rules.nft b/machines/shinobu/services/router/rules.nft index d518c28..0aaa42a 100644 --- a/machines/shinobu/services/router/rules.nft +++ b/machines/shinobu/services/router/rules.nft @@ -5,9 +5,7 @@ define MASQUERADE_IFACES = { $NAT_WAN_IFACES, $PHYSICAL_WAN } define VUEKO_V4 = 168.119.176.53 define VUEKO_V6 = 2a01:4f8:c012:2f4::1 define VUEKO_PORT = 51820 -define WG_UPSTREAM_ENDPOINT = $CFG_wg-upstream_endpoint_address define PLASTIC_ROUTER_V4 = 192.168.0.1 -define VPN_BYPASS_MARK = $CFG_vpnBypassFwMark table inet filter { chain forward {
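Review bot: The new `passthru` set in nft.nix is now the only place where `WG_UPSTREAM_ENDPOINT` and `VPN_BYPASS_MARK` are defined, but nothing in either file records that rules.nft depends on those exact names. A rename or removal here would surface only when the firewall ruleset fails to load. I would add a comment above `passthru`, for example `# Allowlist of config values exported as nft defines; these names are referenced from rules.nft.` Separately, `mkValueString` still wraps strings as `"${v}"` without escaping, so the endpoint address is written into the ruleset verbatim; that is fine while the value comes from common.nix, but the comment should say so. How `defines` is combined with rules.nft lies outside the hunk, so I am assuming rather than seeing that the defines are emitted ahead of the rules.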