diff --git a/.sops.yaml b/.sops.yaml
index 40ae249..b6329d4 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -29,7 +29,7 @@ creation_rules:
 key_groups:
 - age:
 - *primary
- - path_regex: secrets/aquarius-wg.yaml
+ - path_regex: secrets/aquarius-newt.env
 key_groups:
 - age:
 - *primary
diff --git a/modules/nixos/services/newt/default.nix b/modules/nixos/services/newt/default.nix
new file mode 100644
index 0000000..d761793
--- /dev/null
+++ b/modules/nixos/services/newt/default.nix
@@ -0,0 +1,30 @@
+{
+ lib,
+ pkgs,
+ config,
+ namespace,
+ ...
+}:
+with lib;
+with lib.${namespace};
+let
+ cfg = config.${namespace}.services.newt;
+in
+{
+ options.${namespace}.services.newt = {
+ enable = mkEnableOption "Newt";
+ };
+
+ config = mkIf cfg.enable {
+ services.newt = {
+ enable = true;
+ environmentFile = "/run/secrets/aquarius-newt.env";
+ };
+
+ sops.secrets."aquarius-newt.env" = {
+ format = "dotenv";
+ sopsFile = ../../../../secrets/aquarius-newt.env;
+ };
+
+ };
+}
diff --git a/secrets/aquarius-newt.env b/secrets/aquarius-newt.env
new file mode 100644
index 0000000..dcb2bbc
--- /dev/null
+++ b/secrets/aquarius-newt.env
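Review bot: The rule for `secrets/aquarius-wg.yaml` is replaced rather than extended, yet this same commit keeps and re-encrypts that file, so it no longer matches any creation rule and a later `sops updatekeys` or re-encryption of it would fall through to whatever default rule remains. If the WireGuard secret is still needed, keep `- path_regex: secrets/aquarius-wg.yaml` and add the newt rule as a second entry with the same key group. If it is now unused (its `sops.secrets` consumers appear to be removed in `networking.nix` further down), delete the file in this commit instead of leaving an orphaned encrypted secret in the repository.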
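Review bot: `environmentFile = "/run/secrets/aquarius-newt.env"` hard-codes the location sops-nix happens to use; `environmentFile = config.sops.secrets."aquarius-newt.env".path;` keeps the two declarations coupled if the secret's `path` or the sops-nix defaults ever change. More importantly, this generic `services.newt` module binds one host-specific credential file (`../../../../secrets/aquarius-newt.env`, holding NEWT_ID and NEWT_SECRET), so enabling the module on a second host would have it present aquarius's identity to the same PANGOLIN_ENDPOINT. Consider exposing the secret file as a module option (a `types.path` option defaulting to this file) so each host supplies its own credentials. `pkgs` and `with lib.${namespace};` appear unused in this file.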
@@ -0,0 +1,9 @@
+NEWT_ID=ENC[AES256_GCM,data:wLn8WaasJl+ybcxK0Zvi,iv:UMUjGIS/L0euTjq5leFJWhtFjXpw6b+nibP0+kB/nSc=,tag:ObgBQYHpqYXIpOpU7pdrVg==,type:str]
+NEWT_SECRET=ENC[AES256_GCM,data:idg8gcFzBX3vxQJqOlDfpeuEPhJId3tA+d6baCvdhwReGadPMnrNJPLK/OAZx15t,iv:WPwPBDLj67d7OFJ3XWdR3yv6ZkizBGzVm0jjTjWcUXw=,tag:CoE8lLMKvNxNhm1v3UHPQw==,type:str]
+PANGOLIN_ENDPOINT=ENC[AES256_GCM,data:N3SeIG9IEAkb9XGhIb+DrwyPEGS///Pjgh6pZw==,iv:rZWw+R9MtREx9ZgNwniUkjZ1EK/qzNtvnotJDSsZpWg=,tag:3d7a/+0hPTOHjBUV9toOpA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUFVXT2tvTU5mZDJ1SHlS\nN1o4OVBxZXZ0N2pONDFvUUxOMS83MzI4VXowCmlHQUZvRms4LzFwYzBYdWJsUHR6\nWnBlUDdDcEN5S09DSkJ6QVpyOTMrOGMKLS0tIGF3aVVNVVYvRERvQkY3UUVnd2tj\nME1yYjU1elRZTzFZYklJbkRNR2psczAKhpFPCJxz5bwLqGx82jAkzYa+7xUqwzuv\nbZluxUfSbZFUDn5rZNJMNZW4xAQ6+8OXaSRcs3mqucuXNIkJnzh3WQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age132m0pg4utk3cjve2lgcjffvz7cevl0fq5krufu9sgud7wu2wgurqk49kgl
+sops_lastmodified=2025-12-26T19:37:13Z
+sops_mac=ENC[AES256_GCM,data:rD5AmdlYw/Mauk26cokq2xwUv3i3ZbNEjeCBazkWUGmhWx4YFliDzWFnlwLoj5l96SIzReXx866KFAXaIMczU6VXJXomP/NIe6Ed4bTvkVlnJoXtI01ltmpPlUiPIDH5xCRK3UGQcYYuQbhPdnJtz8N41xegZ/U15BH66GHG7J8=,iv:cN5xXvfajCZpKyPUWGTrzZDzYtpsvLM/gxdOHv7U0Xg=,tag:vhaxlm7fsvOyhK35ihcWXw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0
diff --git a/secrets/aquarius-wg.yaml b/secrets/aquarius-wg.yaml
index 634b0aa..cb27c39 100644
--- a/secrets/aquarius-wg.yaml
+++ b/secrets/aquarius-wg.yaml
@@ -1,6 +1,5 @@
-privateKey: ENC[AES256_GCM,data:WtmzHDKRbqbJJ3VXKqqKnqKTcvVDV+yFgFfeKxLv+UErOiEBgqtDhKEs0Io=,iv:admaUfhhKLlu58wKpRvgyGSqOsiY82ix2xJgT0GL8Xs=,tag:eP9Ka0jo2BYxZX0w7eKGqA==,type:str]
-publicKey: ENC[AES256_GCM,data://Kq875vV3gpE3tbMRVt/q7m5LqPRXOka8fzoA2oZzglfE1xtS/kAMPMR44=,iv:5fLk4lBTHwIcGiAM325ykceViCBwRHFLnxZkcqm3Ao4=,tag:g6R0ZSRa2m9JNB2UH3JIJg==,type:str]
-presharedKey: ENC[AES256_GCM,data:EpOJCMzi1XHDbbqdEB+SoC/6LxkHwxZ2DxQINBnGhjXl6JhNYswqTWQuFVU=,iv:GFcxLghV+SQMaJ5J4bQOBPGDQatkSwPLtx57wlWaB+8=,tag:2ofR6eSplwLwe/vYyGyrLg==,type:str]
+privateKey: ENC[AES256_GCM,data:9fcuUdAOxNNqXZbhhMve0lA53aeDUfeV39AkqN0v3EpuONRpyekoTFf3W04=,iv:QPUE6/YyHwHmdYdOZyWnXdibQBaukDu/fMlrah76Yok=,tag:0iItXvMxqB0j24ksY4GrJA==,type:str]
+publicKey: ENC[AES256_GCM,data:WGsDyRPEyN555s0VlNw5++zOMgpBV+jCtsbQ+0npwDcWdsTueW7OMQMLEtA=,iv:B1Suqh6u1MutuQbYgimFBxlI7j7qkimGRGklx6KsbnU=,tag:2TYj44b2qqQjMJAIELZIKg==,type:str]
 sops:
 age:
 - recipient: age132m0pg4utk3cjve2lgcjffvz7cevl0fq5krufu9sgud7wu2wgurqk49kgl
@@ -12,7 +11,7 @@ sops:
 ekZnYTVDS1habTBpSUtOaURWTFBxRU0KblHpvcdwLANZdxUmT4hDQqooPXDiRvH1
 f8qVPOVveoOBzmoN9HN08TFbQcwZ6YM0IQggxdtMyhZk/qyhy+CqNw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-08-02T12:06:55Z"
- mac: ENC[AES256_GCM,data:T9trFCzxJm3eINbuJIDN04feEHViZz6yiaA59yf9+WyJrLB467DagDc4Qv90vdRJXzakwZSYvprDtglrVReT+Wg2GLdVtNIZmPEaLrfpfBgVaBCEZch48dOh+Ytgc09f95ecyXJV/2xNLBtW8YUs3JZsIAcJQTOOrLLhhPjj96A=,iv:wrwIeLhEsN6LFpO/6RF+DE343xdFhshd4TSeF+le+m8=,tag:rNXmYSJsStd5HeDCgtKSRQ==,type:str]
+ lastmodified: "2025-12-16T15:06:00Z"
+ mac: ENC[AES256_GCM,data:2kmKA3KlJ35uUSwgehX7TmsAZPo9ylKKFMJdh3+VUPt376wSWvXtBh8kys3tjcN3Q9Uh+S/wik/p0hDYLx8W0pIMIJKEkejzdJsivo4eDr72cZG4nfSwEq2q5dkEs6sPNItHbot3Jf5JhxSBpSRkUa0/4ttA2Vcs1S+13YWONQ0=,iv:xLJOf0VRjddN+aQu44nfoIe3VphCZwPKTwE4VFH0ZzY=,tag:q4fcu428QAWuzg56akoU3Q==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.10.2
+ version: 3.11.0
diff --git a/systems/aarch64-linux/aquarius/default.nix b/systems/aarch64-linux/aquarius/default.nix
index 3262919..cb6de36 100644
--- a/systems/aarch64-linux/aquarius/default.nix
+++ b/systems/aarch64-linux/aquarius/default.nix
@@ -62,6 +62,7 @@ with lib.${namespace};
 services = {
 ssh = enabled;
 technitium-dns-server = enabled;
+ newt = enabled;
 };
 
 system.sops = enabled;
diff --git a/systems/aarch64-linux/aquarius/networking.nix b/systems/aarch64-linux/aquarius/networking.nix
index fd1efbe..8935c53 100644
--- a/systems/aarch64-linux/aquarius/networking.nix
+++ b/systems/aarch64-linux/aquarius/networking.nix
@@ -1,51 +1,37 @@ { networking = { hostName = "aquarius"; + networkmanager.enable = false; - dhcpcd.enable = true; + dhcpcd.enable = false; - interfaces.end0.useDHCP = true; + firewall.enable = true; + }; - firewall = { - enable = true; - allowedUDPPorts = [ 51820 ]; + systemd.network.enable = true; + services.resolved.enable = true; + + systemd.network.networks."99-ignore-wg" = { + matchConfig.Name = "wg*"; + networkConfig = { + ConfigureWithoutCarrier = true; }; - - wireguard = { - enable = true; - interfaces."wg0" = { - ips = [ - "192.168.100.10/24" - "fd00:100::10/64" - ]; - listenPort = 51820; - mtu = 1400; - privateKeyFile = "/run/secrets/privateKey"; - peers = [ - { - publicKey = "ylsjhpKiq3B6Kv4q2uiHXUJpyxY2b1DOAlGc/FWdflQ="; - presharedKeyFile = "/run/secrets/presharedKey"; - allowedIPs = [ - "192.168.100.1/32" - "fd00:100::1/128" - ]; - endpoint = "neuruppin.boehm.sh:51820"; - persistentKeepalive = 25; - } - ]; - }; + linkConfig = { + Unmanaged = "yes"; }; }; - sops.secrets = { - privateKey = { - sopsFile = ../../../secrets/aquarius-wg.yaml; - key = "privateKey"; + systemd.network.networks."10-end0" = { + matchConfig.Name = "end0"; + networkConfig.DHCP = "yes"; + + dhcpV4Config = { + UseDNS = true; + UseRoutes = true; }; - presharedKey = { - sopsFile = ../../../secrets/aquarius-wg.yaml; - key = "presharedKey"; + dhcpV6Config = { + UseDNS = true; }; };