diff --git a/Makefile b/Makefile
index 4115f3e..3fddf73 100644
--- a/Makefile
+++ b/Makefile
@@ -44,6 +44,8 @@ setup:
 CELL_DOMAIN=$(or $(CELL_DOMAIN),cell) \
 VPN_ADDRESS=$(or $(VPN_ADDRESS),10.0.0.1/24) \
 WG_PORT=$(or $(WG_PORT),51820) \
+ WG_PRIVATE_KEY="$(WG_PRIVATE_KEY)" \
+ WG_PUBLIC_KEY="$(WG_PUBLIC_KEY)" \
 python3 scripts/setup_cell.py

 init-peers:
diff --git a/scripts/setup_cell.py b/scripts/setup_cell.py
index ef69762..148527d 100644
--- a/scripts/setup_cell.py
+++ b/scripts/setup_cell.py
@@ -115,13 +115,22 @@ def generate_wg_keys():
 return open(priv_path).read().strip(), open(pub_path).read().strip()
 print('[INFO] Generating WireGuard server keys...')
 os.makedirs(keys_dir, exist_ok=True)
- # Try wg binary first; fall back to Python cryptography library
- try:
- priv = subprocess.check_output(['wg', 'genkey']).decode().strip()
- pub = subprocess.check_output(['wg', 'pubkey'], input=priv.encode()).decode().strip()
- except FileNotFoundError:
- print('[INFO] wg not found — using Python cryptography library')
- priv, pub = _gen_keys_python()
+
+ # Allow caller to inject pre-generated keys (useful when wg and cryptography are absent)
+ env_priv = os.environ.get('WG_PRIVATE_KEY', '').strip()
+ env_pub = os.environ.get('WG_PUBLIC_KEY', '').strip()
+ if env_priv and env_pub:
+ print('[INFO] Using WG_PRIVATE_KEY / WG_PUBLIC_KEY from environment')
+ priv, pub = env_priv, env_pub
+ else:
+ # Try wg binary, then Python cryptography library
+ try:
+ priv = subprocess.check_output(['wg', 'genkey']).decode().strip()
+ pub = subprocess.check_output(['wg', 'pubkey'], input=priv.encode()).decode().strip()
+ except FileNotFoundError:
+ print('[INFO] wg not found — using Python cryptography library')
+ priv, pub = _gen_keys_python()
+
 with open(priv_path, 'w') as f:
 f.write(priv + '\n')
 os.chmod(priv_path, 0o600)
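Review bot: The added `WG_PRIVATE_KEY="$(WG_PRIVATE_KEY)" \` line expands the private key into the recipe text, so unless the start of the `setup` recipe (outside the hunk) is silenced with `@`, make echoes the key to the terminal and to any CI log that captures the build. The value is also placed inside a double-quoted shell word unvalidated, so a `"`, `$` or backtick in it would be interpreted by the shell. Because setup_cell.py reads both values from `os.environ`, the recipe does not need to interpolate them: a top-level `export WG_PRIVATE_KEY WG_PUBLIC_KEY` passes them through the environment and keeps the secret out of the command line. A comment next to it should say that the key is best supplied via the environment rather than as `make setup WG_PRIVATE_KEY=...`, which leaves it in shell history and the process list.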
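Review bot: The new `if env_priv and env_pub:` branch writes the injected values to the key files without checking that each is a base64-encoded 32-byte WireGuard key or that the public key belongs to the private key. A typo or mismatched pair is therefore persisted, and the existing-files early return at the top of the hunk will probably reuse it on later runs. When only one of the two variables is set, the code silently falls through to generating a fresh pair, so the operator may believe their own key is in use. The fence below rejects a partial pair and validates the encoding; it needs `import base64` if the file does not already have it, and where `wg` is available the public key could additionally be re-derived and compared. Separately, the context lines that follow write the private key before `os.chmod(priv_path, 0o600)`, so the file briefly exists with umask-default permissions. Creating it via `os.open(priv_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` closes that window; `generate_wg_keys` starts above and continues below the hunk.

```python
    env_priv = os.environ.get('WG_PRIVATE_KEY', '').strip()
    env_pub = os.environ.get('WG_PUBLIC_KEY', '').strip()
    if bool(env_priv) != bool(env_pub):
        raise SystemExit('[ERROR] WG_PRIVATE_KEY and WG_PUBLIC_KEY must be set together')
    if env_priv and env_pub:
        for name, value in (('WG_PRIVATE_KEY', env_priv), ('WG_PUBLIC_KEY', env_pub)):
            try:
                raw = base64.b64decode(value, validate=True)
            except ValueError:
                raw = b''
            if len(raw) != 32:
                # Report the variable name only; never echo the key material.
                raise SystemExit(f'[ERROR] {name} is not a base64-encoded 32-byte key')
        print('[INFO] Using WG_PRIVATE_KEY / WG_PUBLIC_KEY from environment')
        priv, pub = env_priv, env_pub
    else:
        # … unchanged: wg binary, then _gen_keys_python() fallback …
```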