diff --git a/Makefile b/Makefile
index b4f9c0a..92bb2db 100644
--- a/Makefile
+++ b/Makefile
@@ -23,7 +23,8 @@ MACHINES := \
 	asus-gl553vd
 
 VPS := \
-	magenta
+	magenta \
+	canigou
 
 help:
 	cat Makefile
diff --git a/flake.nix b/flake.nix
index 3944923..d79c119 100644
--- a/flake.nix
+++ b/flake.nix
@@ -114,7 +114,10 @@
           RULES = "./.agenix_config.nix";
         };
         tools = pkgs.mkShell {
-          packages = [ pkgs.gucharmap ];
+          packages = with pkgs; [
+            gucharmap
+            wireguard-tools
+          ];
         };
       };
     })
diff --git a/machines/canigou/default.nix b/machines/canigou/default.nix
new file mode 100644
index 0000000..24ee8dc
--- /dev/null
+++ b/machines/canigou/default.nix
@@ -0,0 +1,22 @@
+{ ... }:
+
+let
+  data = import ../../data.nix;
+in
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./networking.secret.nix # generated at runtime by nixos-infect
+
+    ../modules/common.nix
+    ../modules/fail2ban.nix
+  ];
+
+  boot.cleanTmpDir = true;
+  zramSwap.enable = true;
+
+  networking.hostName = "canigou";
+
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = data.publicKeys.users.jan;
+}
diff --git a/machines/canigou/hardware-configuration.nix b/machines/canigou/hardware-configuration.nix
new file mode 100644
index 0000000..e54b5c4
--- /dev/null
+++ b/machines/canigou/hardware-configuration.nix
@@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+}
diff --git a/machines/canigou/networking.secret.nix b/machines/canigou/networking.secret.nix
new file mode 100644
index 0000000..44d2df4
Binary files /dev/null and b/machines/canigou/networking.secret.nix differ
diff --git a/machines/default.nix b/machines/default.nix
index d119298..768fbc4 100644
--- a/machines/default.nix
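Review bot: In machines/canigou/default.nix the new host is reachable as root over SSH through data.publicKeys.users.jan, but nothing in the file disables password or keyboard-interactive authentication, so whichever NixOS release defaults apply decide whether online password guessing is possible at all; the fail2ban module imported just above slows that down but does not close it. I would pin it explicitly next to `services.openssh.enable = true;`, e.g. `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "prohibit-password";` (on newer NixOS these live under `services.openssh.settings`, so adjust to the release in use). The comment `# generated at runtime by nixos-infect` on the networking.secret.nix import is copied from magenta, but this file is committed and git records it as binary (presumably encrypted), so it is not produced at deploy time; `# captured once by nixos-infect, then committed encrypted` describes what the diff actually shows.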
+++ b/machines/default.nix
@@ -2,6 +2,15 @@
 
 let
   hardware = inputs.hardware.nixosModules;
+
+  inherit (inputs.nixpkgs) lib;
+  inherit (builtins) head;
+  getTargetHost = file:
+    let
+      net = import file { inherit lib; };
+      ipv4addrs = net.networking.interfaces.eth0.ipv4.addresses;
+    in
+    (head ipv4addrs).address;
 in
 {
   home = {
@@ -37,10 +46,18 @@ in
   magenta = {
     system = "x86_64-linux";
 
-    targetHost = "45.131.41.215";
+    targetHost =
+      getTargetHost ./magenta/networking.secret.nix;
 
     extraModules = [
       inputs.mailserver.nixosModule
     ];
   };
+
+  canigou = {
+    system = "x86_64-linux";
+
+    targetHost =
+      getTargetHost ./canigou/networking.secret.nix;
+  };
 }
diff --git a/machines/magenta/default.nix b/machines/magenta/default.nix
index a6a2f3b..c58c936 100644
--- a/machines/magenta/default.nix
+++ b/machines/magenta/default.nix
@@ -6,11 +6,12 @@ in
 {
   imports = [
     ./hardware-configuration.nix
-    ./networking.nix # generated at runtime by nixos-infect
+    ./networking.secret.nix # generated at runtime by nixos-infect
 
     ../modules/common.nix
     ../modules/nix.nix
     ../modules/nginx.nix
+    ../modules/fail2ban.nix
 
     ./services/mailserver.nix
     ./services/gitea.nix
@@ -18,6 +19,7 @@ in
   boot.cleanTmpDir = true;
   zramSwap.enable = true;
 
+  networking.hostName = "magenta";
 
   services.openssh.enable = true;
 
@@ -27,13 +29,4 @@ in
     acceptTerms = true;
     defaults.email = "dmitriy@pleshevski.ru";
   };
-
-  services.fail2ban = {
-    enable = true;
-    bantime-increment = {
-      enable = true;
-      factor = "4";
-      maxtime = "48h";
-    };
-  };
 }
diff --git a/machines/magenta/networking.nix b/machines/magenta/networking.nix
deleted file mode 100644
index 059fbef..0000000
--- a/machines/magenta/networking.nix
+++ /dev/null
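Review bot: getTargetHost runs `import file { inherit lib; }` at evaluation time on files this commit stores as binary in git, so evaluating the flake at all (including `nix flake check` or a CI runner without the key) now needs the decrypted networking.secret.nix in the working tree; if that is not intended, the target address has to come from a plaintext source or from a step that runs after decryption. `head ipv4addrs` also fails with an opaque builtins.head error when the list is empty, which the nixos-infect template will not produce but a hand-edited file can; a guard before the result gives a usable message: `assert lib.assertMsg (ipv4addrs != [ ]) "${toString file}: eth0 has no IPv4 address";`. The hard-coded `eth0` only works because the generated file (see the deleted magenta/networking.nix in this diff) forces `usePredictableInterfaceNames = false` and renames the NIC via udev, which is worth stating in a comment above the function so the next edit does not break it.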
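Review bot: Reading magenta's targetHost from the encrypted networking.secret.nix does not make `45.131.41.215` secret: the same commit deletes machines/magenta/networking.nix, whose plaintext (address, gateway, link-local IPv6 and the MAC `fa:16:3e:58:d3:0a`) remains in git history, and a host running a mail server with ACME certificates has a public address by nature anyway. If the intent is to keep these values out of the repository, the history needs rewriting; if it is only tidiness, a short comment on `targetHost` saying the value is derived from the generated networking file, not hidden, avoids a false sense of secrecy. The canigou entry is fine, since nothing for it was ever committed in plaintext.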
@@ -1,33 +0,0 @@
-{ lib, ... }:
-
-{
-  # This file was populated at runtime with the networking
-  # details gathered from the active system.
-  networking = {
-    nameservers = [
-      "188.93.16.19"
-      "188.93.17.19"
-      "8.8.8.8"
-    ];
-    defaultGateway = "45.131.41.1";
-    defaultGateway6 = "";
-    dhcpcd.enable = false;
-    usePredictableInterfaceNames = lib.mkForce false;
-    interfaces = {
-      eth0 = {
-        ipv4.addresses = [
-          { address = "45.131.41.215"; prefixLength = 24; }
-        ];
-        ipv6.addresses = [
-          { address = "fe80::f816:3eff:fe58:d30a"; prefixLength = 64; }
-        ];
-        ipv4.routes = [{ address = "45.131.41.1"; prefixLength = 32; }];
-        # ipv6.routes = [{ address = ""; prefixLength = 128; }];
-      };
-
-    };
-  };
-  services.udev.extraRules = ''
-    ATTR{address}=="fa:16:3e:58:d3:0a", NAME="eth0"
-  '';
-}
diff --git a/machines/magenta/networking.secret.nix b/machines/magenta/networking.secret.nix
new file mode 100644
index 0000000..39074ef
Binary files /dev/null and b/machines/magenta/networking.secret.nix differ
diff --git a/machines/modules/fail2ban.nix b/machines/modules/fail2ban.nix
new file mode 100644
index 0000000..cf36818
--- /dev/null
+++ b/machines/modules/fail2ban.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+  services.fail2ban = {
+    enable = true;
+    bantime-increment = {
+      enable = true;
+      factor = "4";
+      maxtime = "48h";
+    };
+  };
+}
diff --git a/machines/modules/networking.secret.nix b/machines/modules/networking.secret.nix
index 00bbe78..b5182eb 100644
Binary files a/machines/modules/networking.secret.nix and b/machines/modules/networking.secret.nix differ
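Review bot: The shared fail2ban module in machines/modules/fail2ban.nix turns on escalating bans (factor 4, capped at 48h) without an `ignoreIP`, so a few failed attempts from the admin machine, or a deploy script retrying SSH, can lock the only management path to a root-keys-only VPS for up to two days. Add `ignoreIP = [ "<address or range you deploy from>" ];` inside `services.fail2ban` before rolling this out to both hosts. Which jails are actually active is not visible in the module; if it relies on whatever the NixOS module enables by default, say so with `# relies on the NixOS default sshd jail; add jails here for other exposed services` so the next reader does not assume nginx or the mail services are covered.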