diff --git a/tasks/k3s.yaml b/tasks/k3s.yaml index 51f028f..a40b95e 100644 --- a/tasks/k3s.yaml +++ b/tasks/k3s.yaml @@ -17,16 +17,3 @@ install_kubernetes | default(true) | bool and kubernetes_installed | default(false) | bool - - -- name: Wireguard Cluster Encryption - ansible.builtin.include_tasks: - file: k3s/wireguard.yaml - when: > - install_kubernetes | default(true) | bool - and - kubernetes_installed | default(false) | bool - and - not kubernetes_installed_encryption | default(false) | bool - and - kubernetes_config.cluster.networking.encrypt | default(false) | bool diff --git a/tasks/k3s/install.yaml b/tasks/k3s/install.yaml index 5749a31..f6dc31b 100644 --- a/tasks/k3s/install.yaml +++ b/tasks/k3s/install.yaml @@ -1,4 +1,11 @@ --- +- name: Wireguard Cluster Encryption + ansible.builtin.include_tasks: + file: k3s/wireguard.yaml + when: > + not kubernetes_installed_encryption | default(false) | bool + + - name: Install Software ansible.builtin.include_role: name: nfc_common @@ -8,6 +15,7 @@ - name: curl - name: iptables - name: jq + - name: wireguard - name: Create Required directories @@ -169,9 +177,6 @@ INSTALL_K3S_SKIP_DOWNLOAD=true \ INSTALL_K3S_VERSION="v{{ KubernetesVersion }}{{ KubernetesVersion_k3s_prefix }}" \ /tmp/install.sh - # curl -sfL https://get.k3s.io | \ - # INSTALL_K3S_VERSION="v{{ KubernetesVersion }}{{ KubernetesVersion_k3s_prefix }}" \ - # sh - changed_when: false when: kubernetes_config.cluster.prime.name == inventory_hostname @@ -200,6 +205,16 @@ failed_when: kubernetes_ready_check.rc != 0 +- name: Enable Cluster Encryption + ansible.builtin.command: + cmd: kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true,"wireguardEnabledV6":true}}' + changed_when: false + when: > + kubernetes_config.cluster.prime.name == inventory_hostname + and + kubernetes.networking.encrypt | default(false) | bool + + - name: Fetch Join Token ansible.builtin.slurp: src: /var/lib/rancher/k3s/server/token 
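Review bot: The `Wireguard Cluster Encryption` task added at the top of tasks/k3s/install.yaml includes `k3s/wireguard.yaml`, which this same commit deletes, so the include should fail with a missing-file error whenever its `when` is true. That condition now looks always true. The only `set_fact` for `kubernetes_installed_encryption` visible in this diff lived in the deleted file, and the `kubernetes_config.cluster.networking.encrypt` gate that the removed task in tasks/k3s.yaml carried was dropped. Since the package is now installed through the `Install Software` list and the Felix patch has moved into this file, I would remove this include task. If the fact is still wanted, set it right after the patch task with `kubernetes_installed_encryption: true`.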
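Review bot: The `when` on the new `Enable Cluster Encryption` task reads `kubernetes.networking.encrypt`, but the task removed from tasks/k3s.yaml gated on `kubernetes_config.cluster.networking.encrypt`, and the first clause of this same condition uses `kubernetes_config.cluster.prime.name`. If `kubernetes` is not defined elsewhere in the role, `default(false)` will most likely absorb the undefined value and the patch is skipped without error. An operator who set the encrypt flag would then get a cluster whose pod traffic is not WireGuard-encrypted, with no failure to show it. I would change the clause to `kubernetes_config.cluster.networking.encrypt | default(false) | bool`. Because the task reports `changed_when: false`, a follow-up check that reads the FelixConfiguration back and fails when `wireguardEnabled` is not true would make a silent miss visible.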
diff --git a/tasks/k3s/wireguard.yaml b/tasks/k3s/wireguard.yaml
deleted file mode 100644
index 2effdc6..0000000
--- a/tasks/k3s/wireguard.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-- name: Install Wireguard
- ansible.builtin.apt:
- name:
- - wireguard
- update_cache: false
- when: >
- ansible_os_family == 'Debian'
- # and
- # kubernetes.networking.encrypt | default(false) | bool
-
-
-- name: Enable Cluster Encryption
- ansible.builtin.command:
- cmd: kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true,"wireguardEnabledV6":true}}'
- changed_when: false
- when: >
- kubernetes_config.cluster.prime.name == inventory_hostname
-
-- name: Set Kubernetes Encryption Final Install Fact
- ansible.builtin.set_fact:
- kubernetes_installed_encryption: true