diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
new file mode 100644
index 0000000000000000000000000000000000000000..24c8a0ec9f2bbc0be19783098c44b68cbb1a3df5
--- /dev/null
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -0,0 +1,65 @@
+# Client section of our Monitoring VPN config
+
+{ lib, config, ... }: let
+  cfg = config.services.monitoring.vpn;
+  # cfg.server = "loki";
+  # cfg.port = 54321;
+  #ip = "192.168.42.11";
+
+in {
+
+  options = {
+    services.monitoring.vpn.client.enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
+    services.monitoring.vpn.client.privateKeyFile = lib.mkOption {
+      type = lib.types.str;
+      example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
+      description = ''
+        Base64 private key generated by <command>wg genkey</command>.
+      '';
+    };
+    services.monitoring.vpn.client.publicKeyFile = lib.mkOption {
+      type = lib.types.str;
+      example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
+      description = ''
+        Base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+      '';
+    };
+    services.monitoring.vpn.client.allowedIPs = {
+      type = lib.types.listOf lib.types.str;
+      example = lib.literalExample [ "172.23.23.1/32" ];
+      description = ''
+        Limits which IPs this client receives data from.
+      '';
+    };
+    services.monitoring.vpn.client.ips = {
+      type = lib.types.listOf lib.types.str;
+      example = lib.literalExample [ "172.23.23.1/24" ];
+      default = [ "172.23.23.1/24" ];
+      description = ''
+        The IP addresses of the interface.
+        See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.client.enable {
+    networking.wireguard.interfaces.monitoringvpn = {
+      ips = cfg.client.ips;
+      privateKeyFile = cfg.client.privateKeyFile;
+      peers = [
+        {
+          allowedIPs = cfg.client.allowedIPs;
+          endpoint = "loki:54321"; # cfg.server + ":" + toString cfg.port;
+          publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
+        }
+      ];
+    };
+  };
+}
+
+
+# just have all config static (no file systems etc)
+# move cfg into global config (like config.privatestorage.monitoring.*)
+# parametrize keys
+#   - (https://wiki.archlinux.org/index.php/WireGuard
+#   -  (wg genkey | tee peer_A.key | wg pubkey > peer_A.pub)
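Review bot: The `allowedIPs` and `ips` declarations (the `services.monitoring.vpn.client.allowedIPs = {` and `services.monitoring.vpn.client.ips = {` lines) are bare attribute sets rather than option declarations, so `type`, `default` and `description` are never interpreted by the module system and evaluation will fail once `config` reads them; they should read `services.monitoring.vpn.client.allowedIPs = lib.mkOption {` and `services.monitoring.vpn.client.ips = lib.mkOption {`. The `allowedIPs` description also understates what the setting does: in WireGuard it is the cryptokey-routing table for the peer, so it both restricts which source addresses are accepted from the server and decides which destination addresses are routed into the tunnel, meaning a value such as `0.0.0.0/0` would send all of the client's traffic to the monitoring server; I would reword it to `Which IPs are accepted from and routed to the monitoring server peer (WireGuard cryptokey routing); keep this to the server's tunnel address.` The `ips` default of `172.23.23.1/24` would presumably give every client the same address as the server shown in the `allowedIPs` example, so it seems safer to drop that default and require an explicit per-host address. Finally, `publicKeyFile` is declared but never read in `config`, and both key descriptions say "Base64 ... key" although each option holds a file path, e.g. `Path to the file holding the base64 private key generated by <command>wg genkey</command>.`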