diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 7ff4c41..71469e1 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -213,15 +213,11 @@
       ++ map (clientNode: let
         clientCfg = wgCfgOf clientNode;
       in {
-        wireguardPeerConfig =
-          {
-            PublicKey = builtins.readFile (peerPublicKeyPath clientNode);
-            PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName clientNode}.path;
-            AllowedIPs = map (net.cidr.make 128) clientCfg.addresses;
-          }
-          // optionalAttrs clientCfg.client.keepalive {
-            PersistentKeepalive = 25;
-          };
+        wireguardPeerConfig = {
+          PublicKey = builtins.readFile (peerPublicKeyPath clientNode);
+          PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName clientNode}.path;
+          AllowedIPs = map (net.cidr.make 128) clientCfg.addresses;
+        };
       }) ourClientNodes
     else
@@ -230,15 +226,19 @@
       {
         wireguardPeerConfig = let
           snCfg = wgCfgOf wgCfg.client.via;
-        in {
-          PublicKey = builtins.readFile (peerPublicKeyPath wgCfg.client.via);
-          PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName wgCfg.client.via}.path;
-          Endpoint = "${snCfg.server.host}:${toString snCfg.server.port}";
-          # Access to the whole network is routed through our entry node.
-          # TODO this should add any routedAddresses on ANY server in the network, right?
-          # if A entries via B and only C can route 0.0.0.0/0, does that work?
-          AllowedIPs = networkCidrs;
-        };
+        in
+          {
+            PublicKey = builtins.readFile (peerPublicKeyPath wgCfg.client.via);
+            PresharedKeyFile = config.rekey.secrets.${peerPresharedKeySecret nodeName wgCfg.client.via}.path;
+            Endpoint = "${snCfg.server.host}:${toString snCfg.server.port}";
+            # Access to the whole network is routed through our entry node.
+            # TODO this should add any routedAddresses on ANY server in the network, right?
+            # if A entries via B and only C can route 0.0.0.0/0, does that work?
+            AllowedIPs = networkCidrs;
+          }
+          // optionalAttrs wgCfg.client.keepalive {
+            PersistentKeepalive = 25;
+          };
       }
     ];
   };
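Review bot: In the second hunk `PersistentKeepalive = 25` is gated on `wgCfg.client.keepalive`, but the nix/lib.nix hunk below writes `PersistentKeepalive = 25` into the generated client config unconditionally, so a client whose keepalive option is off behaves differently depending on which path produced its config. Either gate the lib.nix line on the same option or document that the exported config always sends keepalives. The interval is also a bare literal in both files; a shared binding such as `keepaliveInterval = 25;` referenced from both places would keep them in step. Moving the keepalive from the server-side peer entries (first hunk) to the client-side entry for its `via` node looks like the intended direction, since only the side that initiates through NAT needs it; the `let` that defines `wgCfg` and `networkCidrs` and the enclosing peer list start outside the hunk.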
diff --git a/nix/lib.nix b/nix/lib.nix
index 3a1d58a..a6d858e 100644
--- a/nix/lib.nix
+++ b/nix/lib.nix
@@ -368,6 +368,7 @@ in rec {
       PresharedKey = $serverPsk
       AllowedIPs = ${concatStringsSep ", " networkCidrs}
       Endpoint = ${snCfg.server.host}:${toString snCfg.server.port}
+      PersistentKeepalive = 25
       EOF
     '';
   };