diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index a5881c4..475d943 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -73,9 +73,14 @@ in {
   };
 
   config = {
-    sops.secrets = lib.mkMerge (map (cfg: {
-      "${cfg.serverPrivateKeyFile}" = { };
-      "${cfg.clientPublicKeyFile}" = { };
+    sops.secrets = let
+      def = {
+        owner = "systemd-network";
+        group = "systemd-network";
+      };
+    in lib.mkMerge (map (cfg: {
+      "${cfg.serverPrivateKeyFile}" = def;
+      "${cfg.clientPublicKeyFile}" = def;
     }) interfaces);
 
     assertions = lib.mkAfter (secretAssertions ++ uniquenessAssertions);