diff --git a/hosts/nom/net.nix b/hosts/nom/net.nix
index 18c51eb..3d19200 100644
--- a/hosts/nom/net.nix
+++ b/hosts/nom/net.nix
@@ -1,4 +1,4 @@
-{ nodeSecrets, ... }: {
+{nodeSecrets, ...}: {
 networking = {
 hostId = "4313abca";
 wireless.iwd.enable = true;
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index d422661..238f822 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@@ -1,4 +1,4 @@
-{ nodeSecrets, ... }: {
+{nodeSecrets, ...}: {
 networking.hostId = "49ce3b71";
 systemd.network.networks = {
diff --git a/hosts/zackbiene/hostapd.nix b/hosts/zackbiene/hostapd.nix
index b0615f8..390fc06 100644
--- a/hosts/zackbiene/hostapd.nix
+++ b/hosts/zackbiene/hostapd.nix
@@ -3,4 +3,82 @@
 config,
 ...
 }: {
+ services.hostapd = {
+ enable = true;
+ interface = "wlan1";
+ ssid = "🍯🐝💨";
+ # We'll set the options ourselves
+ wpa = false;
+ # Use 2.4GHz, this network is ment for dumb embedded devices
+ hwMode = "g";
+ # Automatically select channel at runtime using acs_survey
+ channel = 0;
+ # Respect the local regulations
+ countryCode = "DE";
+
+ # This is made for a Mediatek mt7612u based device (ALFA AWUS036ACM)
+ extraConfig = ''
+ utf8_ssid=1
+ # Enable QoS, required for 802.11n/ac/ax
+ wmm_enabled=1
+
+ # DFS (IEEE 802.11d, IEEE 802.11h)
+ # Limit to frequencies allowed in country
+ ieee80211d=1
+ # Ensure TX Power and frequencies compliance with local regulatory requirements
+ ieee80211h=1
+
+ # IEEE 802.11ac (WiFi 4)
+ # MIMO and channel bonding support
+ ieee80211n=1
+ # Add wider channel-width support and MU-MIMO (multi user MIMO)
+
+ # IEEE 802.11ac (WiFi 5)
+ ieee80211ac=1
+ ht_capab=[HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40]
+ vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]
+ vht_oper_chwidth=1
+
+ # WPA3
+ wpa=2
+ wpa_pairwise=CCMP CCMP-256
+ rsn_pairwise=CCMP CCMP-256
+ wpa_key_mgmt=SAE
+ # Require WPA, disable WEP
+ auth_algs=1
+ # Encrypt management frames to protect against deauthentication and similar attacks
+ ieee80211w=2
+ # Force WPA3-Personal without transition
+ transition_disable=0x01
+ # Derive PWE using both hunting-and-pecking loop and hash-to-element
+ sae_pwe=2
+ # SAE can also use wpa_psk, which allows us to use a separate file,
+ # but it restricts the password length to [2,63] which is ok.
+ # This conatins a list of passwords for each client MAC.
+ wpa_psk=${config.rekey.secrets.wifi-stations.path}
+
+ # Use a MAC-address access control list
+ macaddr_acl=1
+ accept_mac_file=/run/hostapd/client-macs
+
+ # Hide network and require devices to know the ssid in advance
+ ignore_broadcast_ssid=1
+ # Don't allow stations to communicate with each other
+ ap_isolate=1
+ '';
+ };
+
+ # Associates each known client to a unique password
+ rekey.secrets.wifi-stations = {
+ file = ./secrets/wifi-stations.age;
+ owner = "hostapd";
+ };
+
+ systemd.services.hostapd = {
+ # Filter the stations to get a list of all known MAC addresses,
+ # which we then use for MAC access control.
+ preStart = lib.mkBefore ''
+ grep -o '^..:..:..:..:..:..' ${config.rekey.secrets.wifi-stations.path} > /run/hostapd/client-macs
+ '';
+ };
 }
diff --git a/hosts/zackbiene/net.nix b/hosts/zackbiene/net.nix
index f53a314..7ab4b7f 100644
--- a/hosts/zackbiene/net.nix
+++ b/hosts/zackbiene/net.nix
@@ -1,4 +1,4 @@
-{ nodeSecrets, ... }: {
+{nodeSecrets, ...}: {
 networking.hostId = "f7e6acdc";
 systemd.network.networks = {
@@ -9,12 +9,13 @@
 dhcpV4Config.RouteMetric = 10;
 dhcpV6Config.RouteMetric = 10;
 };
- #"10-wlan1" = {
- # DHCP = "yes";
- # matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
- # networkConfig.IPv6PrivacyExtensions = "kernel";
- # dhcpV4Config.RouteMetric = 40;
- # dhcpV6Config.RouteMetric = 40;
- #};
+ "10-wlan1" = {
+ DHCP = "no";
+ matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
+ networkConfig = {
+ Address = "10.90.0.1/24";
+ Gateway = "10.90.0.1";
+ };
+ };
 };
 }
diff --git a/hosts/zackbiene/secrets/secrets.nix.age b/hosts/zackbiene/secrets/secrets.nix.age
index f966809..f1cb24b 100644
--- a/hosts/zackbiene/secrets/secrets.nix.age
+++ b/hosts/zackbiene/secrets/secrets.nix.age
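Review bot: The preStart line `grep -o '^..:..:..:..:..:..' ${config.rekey.secrets.wifi-stations.path} > /run/hostapd/client-macs` has two failure modes the hunk does not handle: nothing here guarantees that `/run/hostapd` exists when the unit starts, and `grep` exits non-zero when the secret contains no address line, which aborts the unit if the NixOS preStart wrapper runs under `set -e` (not confirmed from this diff) or otherwise leaves an empty accept list that is fail-closed but hard to diagnose. A `mkdir -p /run/hostapd` (or `serviceConfig.RuntimeDirectory = "hostapd";`) before the grep plus an explicit `|| { echo "error: no station MAC addresses in wifi-stations" >&2; exit 1; }` on it would make a broken or empty secret fail loudly with a clear message. Three comment slips in the extraConfig: "ment" → "meant", "conatins" → "contains", and the header `# IEEE 802.11ac (WiFi 4)` above `ieee80211n=1` should read `# IEEE 802.11n (WiFi 4)`. The comment on `macaddr_acl=1` should also say that the ACL and `ignore_broadcast_ssid=1` are convenience filters rather than the security boundary, which is SAE with `ieee80211w=2`. The enclosing module function (`{ lib, config, ... }:` by the names used) starts before this hunk.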
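Review bot: `Gateway = "10.90.0.1";` in the new `"10-wlan1"` network is the interface's own address from the `Address` line above it; networkd turns `Gateway=` into a default route via that address, so this installs a default route through wlan1 pointing at the host itself, which is almost certainly not intended for the AP side of a client subnet. Dropping that line and keeping only `Address = "10.90.0.1/24";` leaves the on-link route networkd derives from the prefix, which is all an access point needs. If this host is meant to route for the stations, that would need forwarding and a NAT/firewall policy that this diff does not contain; nothing in the diff provides DHCP on 10.90.0.0/24 either, so stations presumably use static addressing unless that is configured elsewhere. A short comment such as `# AP-side address for the hostapd network on wlan1; this host is not a router for it` would record the intent next to the static address.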
@@ -1,10 +1,9 @@ age-encryption.org/v1 --> X25519 mn3B1E/SKmnXS7G9ZZ7ptPc8IHl6NYcDjf+ajDUzKgA -z0Xvh/24jEWUQVirYqx5Fqft7KeIqsPf//yG+9aWXOA --> piv-p256 xqSe8Q A6NhXYe87IDSn//lXW6zEiBTcCpwf/6a2EwdqE2zBQlj -dqCP1xOoqzVgJxwD2uO76Xks7iw0V0MfCrS+0WUYNgE --> `#7R>-grease Y? }5h 8S8p-),H -hIhl ---- MaFW7+5LhjSFX0UySze3TAunc1MXTCrH6nOQoLJ1LlY -:ܨ( -0Kޠ&8#WoWn]5y${k[MZv? mPBʅ2K=zC[(OjeEîv06*c]X[ `Ɇ,4B}{uJ}+Ve3WH1P.~0ͯGץ< \ No newline at end of file +-> X25519 L/8z53x0Z1hDEfMaQWXx9INcP4xgr9kdbv4VN36tuQA +SQ2x5ojLTi2RfW/TRQAeIhW3X4e8vOyuyJ/SVyCzpVU +-> piv-p256 xqSe8Q ArVpzc9Y9hcxReTGy03258oJk8y5TzK/UlybJGjLKvVy +fbwvO09v0yaZmkxjizWS0s62I+XLQ6QYLx2Ll4Pg9/E +-> Xb-grease ZYp7 f?V1eA }; +gAcuu63D/WfKZKvGHpvNTXph+3FQV0rQgjuWBAEkYTrNjyMp3TkB9s39rL4L +--- Bod3/cnxhiwoGi3vK3VhkDjD+YuosFPdrC6bUKgScjQ +{в42m釸&̱O |[+m7$.¡Lj0TuR twS)Os@B[ѻ8se8g,̘JBZqq-i5Y9\&/-Y;t\P 39&vH9`\$`ꠓ#y[~ \ No newline at end of file diff --git a/hosts/zackbiene/secrets/wifi-stations.age b/hosts/zackbiene/secrets/wifi-stations.age new file mode 100644 index 0000000..1aca425 --- /dev/null +++ b/hosts/zackbiene/secrets/wifi-stations.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 2ysSXvNBkZGUL0kP0IGg9z/FDClzt7Zk60S5OxJvcXQ +VkEGZ/Dap1F0iyQCarSRhPSmftWoiI/sQvLM3Gw1/xA +-> piv-p256 xqSe8Q A1wl54gEsL4r8bnGogruc1/9+2e8YjRfvgYcow+UjdSl +6Yv9O8D0bq1EaK41WXme02Pu3BGCpHIr6D3igGnHSAE +-> Bwz)--grease wa,. Empc cCS[Rb"L +LnHSEKMfcX3o5znCuYuJQb11c3B0Lb+gN0tjng7Iz/Q +--- eh8DL3+e9zxS1T4Zv1YezTAzbQdrNDwmbTRdFO0cqzQ +΍4.B'OlASgC'+z9i},D'~lꖭ\ OV|Xu 9 \ No newline at end of file diff --git a/hosts/zackbiene/zigbee2mqtt.nix b/hosts/zackbiene/zigbee2mqtt.nix index 63ed989..93e6e3b 100644 --- a/hosts/zackbiene/zigbee2mqtt.nix +++ b/hosts/zackbiene/zigbee2mqtt.nix @@ -14,6 +14,7 @@ services.zigbee2mqtt = { enable = true; settings = { + advanced.log_level = "warn"; homeassistant = true; permit_join = true; serial = { 
@@ -24,9 +25,7 @@
 user = "zigbee2mqtt";
 password = "!${config.rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml".path} password";
 };
- frontend = {
- port = 8072;
- };
+ frontend.port = 8072;
 };
 };
 }
diff --git a/modules/core/default.nix b/modules/core/default.nix
index 359af33..cdf199f 100644
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@@ -2,6 +2,7 @@
 lib,
 pkgs,
 config,
+ nodeSecrets,
 ...
 }: let
 dummyConfig = pkgs.writeText "configuration.nix" ''
@@ -55,6 +56,12 @@ in {
 firewall.enable = true;
 };
+ # Rename known network interfaces
+ services.udev.extraRules = lib.concatStringsSep "\n" (lib.mapAttrsToList (
+ interface: attrs: ''SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="${attrs.mac}", NAME="${interface}"''
+ )
+ nodeSecrets.networking.interfaces);
+
 nix.nixPath = [
 "nixos-config=${dummyConfig}"
 "nixpkgs=/run/current-system/nixpkgs"
diff --git a/nix/apps.nix b/nix/apps.nix
index 389fa1b..8b15aa9 100644
--- a/nix/apps.nix
+++ b/nix/apps.nix
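Review bot: The new udev rule compares `ATTR{address}=="${attrs.mac}"` as a plain string, and sysfs reports MAC addresses in lowercase hex, so an interface whose MAC is stored in `nodeSecrets` with uppercase digits silently keeps its kernel name; `ATTR{address}=="${lib.toLower attrs.mac}"` removes that dependency on how the secret was typed. Renaming into the kernel's own namespace is also fragile: this commit relies on the result being `wlan1` (hostapd.nix), and a rename to a `wlanN`/`ethN` name can collide with the name the kernel already gave another device, so either pick names outside the kernel's pattern or use `systemd.network.links` with `[Match] MACAddress` and `[Link] Name`. The comment should state that the rendered rules land in the world-readable Nix store, so every MAC in `nodeSecrets.networking.interfaces` is exposed on the host; acceptable if MACs are not treated as secret, but it should be a conscious choice. Evaluation also fails for any interface entry without a `mac` attribute, which a comment on the expected shape (`<interface name> = { mac = "..."; }`) would make explicit.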
@@ -57,19 +57,19 @@ in
 ) self.secrets.extraEncryptionPubkeys;
 formatSecret = path: ''
- '';
+ '';
 in
 mkApp (pkgs.writeShellScript "format-secrets" ''
- set -euo pipefail
- [[ -d .git ]] && [[ -f flake.nix ]] || { echo "error: Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
- for f in $(find . -type f -name '*.nix.age'); do
- echo "Formatting $f ..."
- decrypted=$(${./rage-decrypt.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
- || { echo "error: Failed to decrypt!" >&2; exit 1; }
- formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
- || { echo "error: Failed to format $decrypted!" >&2; exit 1; }
- ${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f" \
- || { echo "error: Failed to re-encrypt!" >&2; exit 1; }
- done
+ set -euo pipefail
+ [[ -d .git ]] && [[ -f flake.nix ]] || { echo "error: Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
+ for f in $(find . -type f -name '*.nix.age'); do
+ echo "Formatting $f ..."
+ decrypted=$(${./rage-decrypt.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
+ || { echo "error: Failed to decrypt!" >&2; exit 1; }
+ formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
+ || { echo "error: Failed to format $decrypted!" >&2; exit 1; }
+ ${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f" \
+ || { echo "error: Failed to re-encrypt!" >&2; exit 1; }
+ done
 '');
 }