diff --git a/hosts/sobotka/default.nix b/hosts/sobotka/default.nix
index 2c663b7c..26710470 100644
--- a/hosts/sobotka/default.nix
+++ b/hosts/sobotka/default.nix
@@ -55,10 +55,10 @@ in {
 "192.168.88.13/24"
 ];
 # endpoint = "demo.wireguard.io:12913";
- # publicKey = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=";
+ publicKey = "cUeRvwTwrL5GRc4dHjea89RJSa1kh4kIA/sHYzmscyQ=";
 }
 ];
- # privateKey = "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=";
+ privateKeyFile = config.age.secrets.wgSobotkaPrivateKey.path;
 };
 };
 };
diff --git a/modules/nixos/services/agenix/default.nix b/modules/nixos/services/agenix/default.nix
index a6598565..e884efa5 100644
--- a/modules/nixos/services/agenix/default.nix
+++ b/modules/nixos/services/agenix/default.nix
@@ -61,6 +61,7 @@ in {
 cloudflareDnsApiToken.file = "${self}/secrets/cloudflareDnsApiToken.age";
 cloudflareDnsCredentials.file = "${self}/secrets/cloudflareDnsCredentials.age";
 wgCredentials.file = "${self}/secrets/wgCredentials.age";
+ wgSobotkaPrivateKey.file = "${self}/secrets/wgSobotkaPrivateKey.age";
 vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
 vaultwarden-env.file = "${self}/secrets/vaultwarden-env.age";
 homepage-env.file = "${self}/secrets/homepage-env.age";
diff --git a/modules/server/deluge/default.nix b/modules/server/deluge/default.nix
index 1a26999b..bcb16b1b 100644
--- a/modules/server/deluge/default.nix
+++ b/modules/server/deluge/default.nix
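Review bot: `privateKeyFile = config.age.secrets.wgSobotkaPrivateKey.path;` relies on a secret that the agenix hunk declares with `.file` only, so the decrypted key gets agenix's default owner and mode (root, 0400) and nothing on the page records who is expected to read it. That is the right default when a root-run unit brings the interface up. If the interface is managed by systemd-networkd (the backend is not visible in this hunk), the declaration would need `wgSobotkaPrivateKey.owner = "systemd-network";` or the tunnel will fail at activation. A short comment next to the option, such as `# decrypted by agenix at activation; root-only, never inline the key here`, would keep the next edit from reintroducing a literal `privateKey`. The enclosing interface attrset starts above the hunk, so the interface type is inferred rather than seen.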
@@ -52,35 +52,35 @@ in { }; systemd = lib.mkIf srv.wireguard-netns.enable { - services.deluged.serviceConfig.NetworkNamespacePath = "/var/run/netns/${ns}"; - - services.deluged.requires = [ - "netns@${ns}.service" - "network-online.target" - ]; + services.deluged = { + bindsTo = ["netns@${ns}.service"]; + requires = ["network-online.target"]; + serviceConfig.NetworkNamespacePath = "/var/run/netns/${ns}"; + }; sockets."delugedproxy" = { enable = true; - description = "Socket Proxy for Deluge WebUI"; - listenStreams = [ - "127.0.0.1:8112" - ]; + description = "Socket for Proxy to Deluge WebUI"; + listenStreams = ["58846"]; wantedBy = ["sockets.target"]; }; services."delugedproxy" = { description = "Proxy to Deluge in Network Namespace"; - requires = ["deluged.service"]; - after = ["delugedproxy.socket"]; + requires = [ + "deluged.service" + "delugedproxy.socket" + ]; + after = [ + "deluged.service" + "delugedproxy.socket" + ]; unitConfig = { JoinsNamespaceOf = "deluged.service"; }; - serviceConfig = { Type = "simple"; - ExecStart = '' - ${pkgs.socat}/bin/socat - TCP4:127.0.0.1:8112 - ''; + ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd --exit-idle-time=5min 127.0.0.1:58846"; PrivateNetwork = true; NetworkNamespacePath = "/var/run/netns/${ns}"; }; diff --git a/modules/server/wireguard-netns/default.nix b/modules/server/wireguard-netns/default.nix index bbe6242a..dbe47417 100644 --- a/modules/server/wireguard-netns/default.nix +++ b/modules/server/wireguard-netns/default.nix @@ -58,9 +58,7 @@ in { in { systemd.services."netns@${cfg.namespace}" = { description = "WireGuard VPN netns (${cfg.namespace})"; - bindsTo = ["netns@${cfg.namespace}.service"]; requires = ["network-online.target"]; - after = ["netns@${cfg.namespace}.service"]; wantedBy = ["multi-user.target"]; serviceConfig = { diff --git a/secrets/secrets.nix b/secrets/secrets.nix index b555e05c..5583708f 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
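Review bot: `listenStreams = ["58846"];` in `sockets."delugedproxy"` drops the loopback address the old value `127.0.0.1:8112` had. systemd treats a bare port number as a wildcard listener, so the proxied Deluge port is offered on every interface of the host, limited only by firewall rules that are not part of this hunk. If only local clients should reach it, keep the bind explicit with `listenStreams = ["127.0.0.1:58846"];`. If remote access is intended, say so in a comment and restrict the allowed source addresses. The new description still says "WebUI" although the port moved from 8112 to 58846, which looks like the daemon port rather than the web interface, so the text should name what is actually exposed. The `systemd` attrset begins before the hunk and continues past it.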
@@ -18,4 +18,5 @@ in { "cloudflareDnsApiToken.age".publicKeys = [cnst kima usobotka rsobotka]; "cloudflareDnsCredentials.age".publicKeys = [cnst kima usobotka rsobotka]; "wgCredentials.age".publicKeys = [cnst kima usobotka rsobotka]; + "wgSobotkaPrivateKey.age".publicKeys = [cnst kima usobotka rsobotka]; } diff --git a/secrets/wgSobotkaPrivateKey.age b/secrets/wgSobotkaPrivateKey.age new file mode 100644 index 00000000..cd3c5841 --- /dev/null +++ b/secrets/wgSobotkaPrivateKey.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 t9iOEg 57VYpYAfj/F+vcJk9dykVN/YKpfT/QR5Q/a/ZvURl2Y +NMZ3P7oehNlukQhY0ClwcbX5pSKU6SWHRksJDmaxPQ4 +-> ssh-ed25519 KUYMFA SEvNsGGlKHSw+cMp74nkBgoA9FicK5slrEyWaIQE0wE +tZ/gJnWqwtSck41BrJB2Wf++UcCXfxh4eES5rBjLfyE +-> ssh-ed25519 76RhUQ E65fkanGSeEwMTYDW97Aub33BGjqf5w1mqzcjq5svys +EFM45HRydOio3KTKtE8HUNWmQ3PfnbkFj82Hl+A0Zso +-> ssh-ed25519 Jf8sqw rTcmk9sCMsdRMd39dQprmOVU4mv7Ll18FvmuKri451Y +fPOCpQIfsF/0VjtzXHBkU0NS+jslAokv/pUtIx/JZsk +--- 1EBJeEwLcWYrIKUx9zrcCjkrsJmeAVhVdSmLc+dcf0w +oGMKz"{&¨>aw[- n""6em+ӔjŐ O̳Kq#a \ No newline at end of file
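Review bot: `"wgSobotkaPrivateKey.age".publicKeys = [cnst kima usobotka rsobotka];` in secrets/secrets.nix reuses the recipient list of the shared secrets above it, so all four keys can decrypt sobotka's WireGuard private key. A host-specific private key normally needs only the key that decrypts it at activation on that host and the admin key used to edit it. If `kima` and `usobotka` are another machine and a user key (inferred from the names; their definitions are above the hunk), narrowing the list to something like `[cnst rsobotka]` limits what a compromise of either one exposes. The file would then need re-encrypting with `agenix -r` so the dropped recipients lose access to the new ciphertext.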