diff --git a/peering.nix b/peering.nix
index 170a986..8aceb62 100644
--- a/peering.nix
+++ b/peering.nix
@@ -20,7 +20,7 @@ in
       type = with types; nullOr str;
     };
     interface = mkOption {
-      default = "birdsong";
+      default = "wg-birdsong";
       example = "wg0";
       description = "The name of the network interface to use for WireGuard.";
       type = types.str;
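Review bot: The new default `wg-birdsong` is a silent rename for every host that relied on the old default: the sysctl keys and the networkd match rule derived from `cfg.interface` move with it, but anything outside this module that was keyed on the literal `birdsong` (firewall rules, monitoring, nftables sets) will stop matching after the rebuild, so this deserves a changelog or release note. The option also keeps `type = types.str` with no length check, and Linux rejects interface names longer than 15 bytes, so a long user-supplied value only fails at activation; a hint in the description such as `description = "The name of the network interface to use for WireGuard (at most 15 characters).";` would catch that earlier. The enclosing options set begins and ends outside this hunk.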
@@ -66,31 +66,43 @@ in
       "net.ipv6.conf.${cfg.interface}.forwarding" = true;
     };
-    networking = {
-      firewall.allowedUDPPorts = mkIf cfg.openPorts [ host.port ];
+    networking.firewall.allowedUDPPorts = mkIf cfg.openPorts [ host.port ];
 
-      wireguard.interfaces.${cfg.interface} = {
-        ips = [ "${host.ipv4}/16" "${host.ipv6}/48" ]
-          ++ optionals host.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
-        privateKeyFile = cfg.privateKeyFile;
-        listenPort = host.port;
+    systemd.network = {
+      enable = true;
 
-        peers =
+      netdevs."30-birdsong" = {
+        netdevConfig = {
+          Name = cfg.interface;
+          Kind = "wireguard";
+          Description = "wireguard tunnel to the birdsong network";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = cfg.privateKeyFile;
+          ListenPort = host.port;
+        };
+        wireguardPeers =
           let
             canDirectPeer = host: peer:
               peer.subnet == "internet" || (host.subnet != "roaming" && peer.subnet == host.subnet);
           in
           mapAttrsToList (name: peer: {
-            name = name;
-            publicKey = peer.wireguardKey;
-            allowedIPs = [ peer.ipv4 peer.ipv6 ]
-              ++ optionals peer.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
-            endpoint = mkIf (canDirectPeer host peer) "${peer.endpoint}:${toString peer.port}";
-            dynamicEndpointRefreshSeconds = mkIf (canDirectPeer host peer) 5;
-            persistentKeepalive = mkIf (peer.subnet != host.subnet) cfg.persistentKeepalive;
+            wireguardPeerConfig = {
+              PublicKey = peer.wireguardKey;
+              AllowedIPs = [ peer.ipv4 peer.ipv6 ]
+                ++ optionals peer.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
+              Endpoint = mkIf (canDirectPeer host peer) "${peer.endpoint}:${toString peer.port}";
+              PersistentKeepalive = mkIf (peer.subnet != host.subnet) cfg.persistentKeepalive;
+            };
           }) (filterAttrs (name: peer: peer != host && (host.subnet == "internet" || canDirectPeer host peer)) hosts);
       };
+
+      networks."30-birdsong" = {
+        matchConfig.Name = cfg.interface;
+        networkConfig.Address = [ "${host.ipv4}/16" "${host.ipv6}/48" ]
+          ++ optionals host.isRouter [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ];
+      };
     };
   };
 }
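Review bot: `PrivateKeyFile = cfg.privateKeyFile;` now hands the key to systemd-networkd, which per systemd.netdev(5) needs the file readable by the unprivileged `systemd-network` user, whereas the removed `networking.wireguard` path read it as root; a key kept root-only (0600) will therefore fail to load after this change, and the tempting fix of making it world-readable would expose the key to every local user. The `privateKeyFile` option is declared outside this hunk, but its description should state the requirement, e.g. `description = "Path to the WireGuard private key; must be readable by the systemd-network user (e.g. root:systemd-network, mode 0640).";`. Separately, the removed `dynamicEndpointRefreshSeconds = 5` has no counterpart under `wireguardPeerConfig`, so if any `peer.endpoint` is a hostname whose address changes the tunnel will keep the stale address until the netdev is reconfigured; if that is accepted, a comment next to `Endpoint = …` saying so would stop the next reader from re-adding it. The enclosing config attribute set begins before this hunk.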