diff --git a/Makefile b/Makefile
index 845e49c..3eaa426 100644
--- a/Makefile
+++ b/Makefile
@@ -20,4 +20,4 @@ clean:
 	helm --namespace $(HELM_NAMESPACE) del $(HELM_RELEASE_NAME)
 
 docs-update:
-	docker run --rm --volume "$$PWD:/helm-docs" jnorwood/helm-docs:latest
+	docker run --rm --volume "$$PWD:/helm-docs" --network host jnorwood/helm-docs:latest
diff --git a/helm/wireguard/Chart.yaml b/helm/wireguard/Chart.yaml
index 051b432..eee9228 100644
--- a/helm/wireguard/Chart.yaml
+++ b/helm/wireguard/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: wireguard
 description: A Helm chart for managing a wireguard vpn in kubernetes
 type: application
-version: 0.13.0
+version: 0.14.0
 appVersion: "0.0.0"
 maintainers:
   - name: bryopsida
diff --git a/helm/wireguard/README.md b/helm/wireguard/README.md
index c9ce0ce..9343fb4 100644
--- a/helm/wireguard/README.md
+++ b/helm/wireguard/README.md
@@ -1,6 +1,6 @@
 # wireguard
 
-![Version: 0.13.0](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square)
+![Version: 0.14.0](https://img.shields.io/badge/Version-0.14.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square)
 
 A Helm chart for managing a wireguard vpn in kubernetes
 
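Review bot: The added `--network host` on the `docs-update` recipe gives the helm-docs container the host's network namespace, and nothing in the recipe records why that is needed — as far as this hunk shows, the tool only reads the chart mounted at `/helm-docs`, and pulling the image is done by the daemon independently of this flag. If it works around a local DNS or proxy problem, a recipe comment such as `# --network host: <reason for needing host networking>` (placeholder) would keep the next maintainer from silently carrying the extra privilege; otherwise `--network none` is the least-privilege choice for a generator that needs no network at all. The `clean` target and any `.PHONY` declaration lie outside the hunk, so I cannot tell whether `docs-update` is declared phony.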
@@ -14,12 +14,14 @@ A Helm chart for managing a wireguard vpn in kubernetes
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"app":"{{ .Release.Name }}-wireguard","role":"vpn"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Set pod affinity or antiAffinity |
 | autoscaling.enabled | bool | `true` |  |
 | autoscaling.maxReplicas | int | `10` |  |
 | autoscaling.minReplicas | int | `3` |  |
 | autoscaling.targetCPUUtilizationPercentage | int | `75` |  |
 | configSecretName | string | `nil` | If provided, this secret will be used instead of the config created from the helm value scope |
 | configSecretProperty | string | `"wg0.conf"` | The property/key on the secret holding the wireguard configuration file |
+| daemonSet | bool | `false` | Run as a DaemonSet instead of Deployment |
 | deploymentStrategy.rollingUpdate.maxSurge | int | `1` |  |
 | deploymentStrategy.rollingUpdate.maxUnavailable | int | `0` |  |
 | deploymentStrategy.type | string | `"RollingUpdate"` |  |
@@ -47,6 +49,7 @@ A Helm chart for managing a wireguard vpn in kubernetes
 | keygenJob.podSecurityContext.fsGroupChangePolicy | string | `"Always"` |  |
 | keygenJob.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | labels | object | `{}` |  |
+| nodeSelector | object | `{}` | Set pod nodeSelector, a simplified version of affinity |
 | podAnnotations | object | `{}` |  |
 | replicaCount | int | `3` |  |
 | resources.limits.cpu | string | `"100m"` |  |
@@ -64,11 +67,12 @@ A Helm chart for managing a wireguard vpn in kubernetes
 | service.nodePort | int | `31820` | Node port, only valid with service type: NodePort |
 | service.port | int | `51820` | Service port, default is 51820 UDP |
 | service.type | string | `"LoadBalancer"` | Service type, to keep internal to cluster use ClusterIP or NodePort |
+| tolerations | list | `[]` | Set pod tolerations |
 | volumeMounts | object | `{}` | Passthrough pod volume mounts |
 | volumes | object | `{}` | Passthrough pod volumes |
 | wireguard.clients | list | `[]` | A collection of clients that will be added to wg0.conf, accepts objects with keys PublicKey and AllowedIPs, stored in secret |
 | wireguard.serverAddress | string | `"10.34.0.1/24"` | Address of the VPN server |
-| wireguard.serverCidr | string | `"10.34.0.0/24"` |  |
+| wireguard.serverCidr | string | `"10.34.0.0/24"` | Subnet for your VPN, take care not to clash with cluster POD cidr |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/helm/wireguard/templates/deployment.yaml b/helm/wireguard/templates/deployment.yaml
index 1422d31..f976fa6 100644
--- a/helm/wireguard/templates/deployment.yaml
+++ b/helm/wireguard/templates/deployment.yaml
@@ -1,6 +1,6 @@
 {{- define "execprobe" -}}
 exec:
-  command: 
+  command:
     - /bin/sh
     - -c
     - 'ip link show dev wg0 | grep -s up'
@@ -35,7 +35,11 @@
   privileged: true
 ---
 apiVersion: apps/v1
+{{- if .Values.daemonSet }}
+kind: DaemonSet
+{{- else }}
 kind: Deployment
+{{- end }}
 metadata:
   name: "{{ .Release.Name }}-wireguard"
   labels:
@@ -45,15 +49,17 @@ metadata:
     {{ $key }}: {{ $value | quote }}
     {{- end }}
   {{- end }}
-  
+
 spec:
-  {{- if not .Values.autoscaling.enabled }}
+  {{- if and (not .Values.autoscaling.enabled) (not .Values.daemonSet) }}
   replicas: {{ .Values.replicaCount }}
   {{- end }}
   selector:
     matchLabels:
       app: "{{ .Release.Name }}-wireguard"
+  {{- if not .Values.daemonSet }}
   strategy: {{ .Values.deploymentStrategy | toYaml | nindent 4 }}
+  {{- end }}
   template:
     metadata:
       annotations:
@@ -103,6 +109,17 @@ spec:
       imagePullSecrets:
         - name: "{{ .Values.image.pullSecret }}"
       {{- end }}
+      {{- if .Values.affinity }}
+      affinity:
+        {{- $affinity := .Values.affinity | toYaml }}
+        {{ tpl $affinity . | nindent 8 | trim }}
+      {{- end }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector: {{ .Values.nodeSelector | toYaml | nindent 8 }}
+      {{- end }}
+      {{- if .Values.tolerations }}
+      tolerations: {{ .Values.tolerations | toYaml | nindent 8 }}
+      {{- end }}
       initContainers:
         - name: sysctls
           image: busybox:stable
diff --git a/helm/wireguard/values.yaml b/helm/wireguard/values.yaml
index a3d12d5..b7b2df0 100644
--- a/helm/wireguard/values.yaml
+++ b/helm/wireguard/values.yaml
@@ -1,3 +1,5 @@
+# -- Run as a DaemonSet instead of Deployment
+daemonSet: false
 image:
   repository: ghcr.io/bryopsida/wireguard
   tag: main
@@ -31,7 +33,7 @@ labels: {}
 wireguard:
   # -- Address of the VPN server
   serverAddress: 10.34.0.1/24
-# -- Subnet for your VPN, take care not to clash with cluster POD cidr
+  # -- Subnet for your VPN, take care not to clash with cluster POD cidr
   serverCidr: 10.34.0.0/24
   # -- A collection of clients that will be added to wg0.conf, accepts objects with keys PublicKey and AllowedIPs, stored in secret
   clients: []
@@ -63,7 +65,7 @@ resources:
 # -- Override the default runtime class of the container, if not provided `runc` will most likely be used
 runtimeClassName: ~
 deploymentStrategy:
-  type: 'RollingUpdate'
+  type: "RollingUpdate"
   rollingUpdate:
     maxUnavailable: 0
     maxSurge: 1
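Review bot: In the `@@ -45,15` hunk, when `daemonSet` is true the `strategy:` block is dropped entirely, so the user's `deploymentStrategy` (`maxUnavailable: 0` in values.yaml) is silently ignored and the DaemonSet rolls with the API default, while the README still lists `deploymentStrategy.*` with no caveat. A DaemonSet carries the equivalent setting under `updateStrategy`, so an `{{- else }}` branch rendering `updateStrategy: {{ .Values.deploymentStrategy | toYaml | nindent 4 }}` would keep the value meaningful in both modes; whether a DaemonSet accepts the `maxSurge` field depends on the cluster version, so that should be checked before relying on it. If that is not wanted, at least a values.yaml comment on `deploymentStrategy` such as `# -- Only applies when daemonSet is false; a DaemonSet uses its updateStrategy defaults` would make the limitation visible. Separately, `autoscaling.enabled` defaults to `true`: if the chart renders an HPA elsewhere (not in this diff) it would still point at a Deployment that does not exist in DaemonSet mode.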
@@ -90,3 +92,25 @@ disableConfigManagement: false
 volumes: {}
 # -- Passthrough pod volume mounts
 volumeMounts: {}
+# -- Set pod affinity or antiAffinity
+affinity:
+  # nodeAffinity:
+  #   requiredDuringSchedulingIgnoredDuringExecution:
+  #     nodeSelectorTerms:
+  #       - matchExpressions:
+  #           - key: "example.com/vpn"
+  #             operator: Exists
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      - labelSelector:
+          matchLabels:
+            app: "{{ .Release.Name }}-wireguard"
+            role: vpn
+        topologyKey: kubernetes.io/hostname
+# -- Set pod nodeSelector, a simplified version of affinity
+nodeSelector: {}
+  # example.com/vpn: ""
+# -- Set pod tolerations
+tolerations: []
+  # - effect: NoSchedule
+  #   operator: Exists
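Review bot: The new default `affinity` is a hard per-host anti-affinity (`requiredDuringSchedulingIgnoredDuringExecution` on `kubernetes.io/hostname`), so with the chart's `replicaCount` of 3 and `autoscaling.maxReplicas` of 10 (README table) any replica beyond the number of schedulable nodes stays Pending, and existing users pick this behaviour up on upgrade without opting in. If spreading is only a preference, `preferredDuringSchedulingIgnoredDuringExecution` with a `weight` would preserve the previous scheduling as the default; otherwise the comment should state the constraint, e.g. `# -- Set pod affinity or antiAffinity (default is a hard per-node anti-affinity: replicas beyond the node count stay Pending)`. The selector also matches on `role: vpn`, but the pod template labels are not in this diff; if the pods do not carry that label the rule never matches and is silently a no-op, so it is worth confirming against the template.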