diff --git a/flake.nix b/flake.nix
index 0551f6a..72cf628 100644
--- a/flake.nix
+++ b/flake.nix
@@ -78,8 +78,9 @@
 };
 key = mkOption {
- type = types.str;
- description = "Obfuscation key (must match on both sides)";
+ type = types.nullOr types.str;
+ default = null;
+ description = "Obfuscation key (must match on both sides; required when keyFile is not set)";
 example = "your_secret_key";
 };
@@ -202,9 +203,17 @@
 }
 {
 assertion = all (inst:
- inst.enable -> (inst.key != "" || inst.keyFile != null)
+ inst.enable ->
+ (
+ inst.keyFile != null
+ || (
+ inst.key != null
+ && builtins.stringLength inst.key >= 1
+ && builtins.stringLength inst.key <= 255
+ )
+ )
 ) (attrValues cfg.instances);
- message = "Each enabled wg-obfuscator instance must have either 'key' or 'keyFile' set";
+ message = "Each enabled wg-obfuscator instance must have either 'keyFile' set, or 'key' set to a string of length 1–255 characters";
 }
 ];
@@ -263,7 +272,7 @@
 max-clients = ${toString inst.maxClients}
 idle-timeout = ${toString inst.idleTimeout}
 max-dummy = ${toString inst.maxDummy}
- '') (attrValues instances)
+ '') instances
 )}
 EOF
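Review bot: In the `@@ -78,8 +78,9 @@` hunk the new description for `key` does not warn that a value set here is an ordinary Nix string and is therefore likely to end up in the world-readable `/nix/store`. The code that consumes the option is outside the hunk, so this is inferred from how module options are normally rendered. Now that `key` defaults to null and `keyFile` alone satisfies the module, the description is the place to steer users to `keyFile`. I would write `description = "Obfuscation key (must match on both sides; required when keyFile is not set). The value is copied into the world-readable Nix store; prefer keyFile for real deployments.";`. The enclosing options set starts and ends outside the hunk.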
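Review bot: In the `@@ -202,9 +203,17 @@` hunk the 1–255 bound is enforced only for `key`: once `keyFile != null` the assertion passes, so an empty or over-long key supplied through a file is never validated, and a `key` set alongside `keyFile` is not checked either. File contents cannot be read at evaluation time, so that check belongs in the generated start script, which is not visible here. `builtins.stringLength` returns the byte length, so the message should read `'key' set to a string of 1–255 bytes` unless the daemon really counts characters. Consider also rejecting instances that set both options, so it is never ambiguous which secret is in effect.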
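Review bot: With `key` now nullable (first hunk), any `${inst.key}` interpolation in the config template of the `@@ -263,7 +272,7 @@` hunk would abort evaluation with a cannot-coerce-null error for instances that rely on `keyFile`. The template starts above the hunk, so I cannot see whether the key line is guarded; if it is not, wrap that line in `optionalString (inst.key != null) …`. The block also ends in a shell heredoc (`EOF`) whose opener is outside the hunk. If that delimiter is unquoted, a literal key containing `$` or a backtick would be expanded by the shell when the file is written, so either quote the delimiter or keep the key out of the heredoc body.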