diff --git a/configs/pepe/home-assistant/zigbee2mqtt.nix b/configs/pepe/home-assistant/zigbee2mqtt.nix
index 5088bc1..b27df11 100644
--- a/configs/pepe/home-assistant/zigbee2mqtt.nix
+++ b/configs/pepe/home-assistant/zigbee2mqtt.nix
@@ -9,7 +9,12 @@
     ./zigbee2mqtt/doors.nix
   ];
 
-  services.zigbee2mqtt.enable = true;
-  services.zigbee2mqtt.password = lib.fileContents <secrets/zigbee/password>;
+  services.zigbee2mqtt = {
+    enable = true;
+    mqttPassword = lib.fileContents <secrets/zigbee/password>;
+    networkKey = import <secrets/home-assistant/zigbee/networkKey>;
+    # only turn on for new devices, usually turn of for security reasons.
+    discover = false;
+  };
 
 }
diff --git a/configs/pepe/home-assistant/zigbee2mqtt/motion.nix b/configs/pepe/home-assistant/zigbee2mqtt/motion.nix
index 0bf67b7..188cbd1 100644
--- a/configs/pepe/home-assistant/zigbee2mqtt/motion.nix
+++ b/configs/pepe/home-assistant/zigbee2mqtt/motion.nix
@@ -26,7 +26,7 @@ let
     };
     "motion_sensor_6" = {
       id = "0x00158d0002f9a5cb";
-      groups = [ "floor_room" "floor_room_present" ];
+      groups = [ ];
     };
     "motion_sensor_7" = {
       id = "0x00158d0002f9a6aa";
diff --git a/configs/pepe/home-assistant/zigbee2mqtt/service.nix b/configs/pepe/home-assistant/zigbee2mqtt/service.nix
index d7cc72d..62ee4f8 100644
--- a/configs/pepe/home-assistant/zigbee2mqtt/service.nix
+++ b/configs/pepe/home-assistant/zigbee2mqtt/service.nix
@@ -8,7 +8,7 @@ let
 
   device = "/dev/ttyACM0";
   dataFolder = "/srv/zigbee/data";
-  configurationYaml = pkgs.writeText "configuration.yml" (builtins.toJSON {
+  zigbeeConfiguration = {
 
     # Home Assistant integration (MQTT discovery)
     homeassistant = false;
@@ -25,7 +25,7 @@ let
       server = "mqtt://127.0.0.1:1883";
       # MQTT server authentication, uncomment if required:
       user = "zigbee";
-      password = cfg.password;
+      password = cfg.mqttPassword;
     };
 
     # Serial settings
@@ -36,19 +36,32 @@ let
     };
 
     devices = cfg.devices;
+  } // (lib.optionalAttrs (cfg.networkKey != null) {
+    advanced.network_key = cfg.networkKey;
   });
+  configurationYaml =
+    pkgs.writeText "configuration.yml" (builtins.toJSON zigbeeConfiguration);
 
 in {
 
   options.services.zigbee2mqtt = {
     enable = mkEnableOption "enable services.zigbee2mqtt";
     discover = mkEnableOption "discover new devices";
-    password = mkOption {
+    mqttPassword = mkOption {
       type = with types; str;
       description = ''
         password of the mqtt server.
       '';
     };
+    networkKey = mkOption {
+      type = with types; nullOr (listOf int);
+      description = ''
+        you own network key,
+        16 numbers between 0 and 255
+        see https://www.zigbee2mqtt.io/how_tos/how_to_secure_network.html
+      '';
+      example = [7 3 5 7 9 11 13 15 0 2 4 6 8 11 12 13];
+    };
     devices = mkOption {
       type = with types; attrs;
       description = ''