diff --git a/cluster/services/wireguard/default.nix b/cluster/services/wireguard/default.nix
index cae81a8..50b6114 100644
--- a/cluster/services/wireguard/default.nix
+++ b/cluster/services/wireguard/default.nix
@@ -14,12 +14,23 @@ in
 {
   vars = {
     mesh = {
+      checkmate = config.links.mesh-node-checkmate.extra;
       VEGAS = config.links.mesh-node-VEGAS.extra;
       prophet = config.links.mesh-node-prophet.extra;
     };
     inherit meshNet;
   };
   links = {
+    mesh-node-checkmate = {
+      ipv4 = getExtAddr hosts.checkmate;
+      extra = {
+        meshIp = "10.1.1.32";
+        inherit meshNet;
+        pubKey = "fZMB9CDCWyBxPnsugo3Uxm/TIDP3VX54uFoaoC0bP3U=";
+        privKeyFile = ./mesh-keys/checkmate.age;
+        extraRoutes = [];
+      };
+    };
     mesh-node-VEGAS = {
       ipv4 = getExtAddr hosts.VEGAS;
       extra = {
@@ -43,7 +54,7 @@ in
   };
   services.wireguard = {
     nodes = {
-      mesh = [ "VEGAS" "prophet" ];
+      mesh = [ "checkmate" "VEGAS" "prophet" ];
     };
     nixos = {
       mesh = ./mesh.nix;
diff --git a/cluster/services/wireguard/mesh-keys/checkmate.age b/cluster/services/wireguard/mesh-keys/checkmate.age
new file mode 100644
index 0000000..0276227
--- /dev/null
+++ b/cluster/services/wireguard/mesh-keys/checkmate.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A rE85lK37XeM803mXkugmTjfAp3LNqKy2yuGGbY4IOAM
+nDielwqyuaW72OKiUBgFPWK45aZhh768+MskQ5+vhUs
+-> ssh-ed25519 5/zT0w QxXHVLpk2qeXjO8c3a0cQ1oKk3fUn9+yIoHAK1hLYgQ
+d4s/F2ck8Z4AsCQReghxj+M0JjBYKoMpfU+K21AzwFg
+-> ssh-ed25519 TCgorQ lqg5aPJuj5NPEAgAaw52lwpQ++eWPxO4BITdpLKoZFg
+KS0kRB2K/+/+U2xfr2VE09XdjVvIflTweU93Vy7Okr8
+-> ?).-grease =%LA 5cVQvduw
+gs9TPdbaRJVf50LDiUdlg7Vr4LUfg2Kj2bPAbN2f2z4LKDnSbWHkJ6B3EfOMDxTN
+KmX8mGCi7QBGOfb1EY3h5cDgteBXiLN4aLh6kpCe0F3/DQ
+--- vLjmBMfCrvOuF1ww5UcHQAmBUo0LgIuJKcNEDlOCZ3g
+ß&„îd!¾Žqƒ©H<oÄžˆ×“5çå±ƒÐ±Ý0&Ÿýâ¬»¯3~Ù´ð5Œ§Ž÷Ñ¡“Ko)å6³üWÜ°‹
\ No newline at end of file
diff --git a/secrets.nix b/secrets.nix
index 5c1ec48..7dd8f86 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -24,6 +24,7 @@ in with hosts;
   "cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/patroni/passwords/rewind.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
   "cluster/services/patroni/passwords/superuser.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
+  "cluster/services/wireguard/mesh-keys/checkmate.age".publicKeys = max ++ map systemKeys [ checkmate ];
   "cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
   "secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];