diff --git a/hosts/nixos/hs/system.nix b/hosts/nixos/hs/system.nix
index d48926a..1714895 100644
--- a/hosts/nixos/hs/system.nix
+++ b/hosts/nixos/hs/system.nix
@@ -200,7 +200,7 @@
   services.nfs-custom = {
     enable = true;
     exportPath = "/mnt/storage/Media";
-    allowedNetwork = "10.2.2.0/24";
+    allowedNetworks = [ "10.1.1.0/24" "10.2.2.0/24" ];  # LAN and WireGuard
   };
 
   # Login display with SMART disk health status
diff --git a/hosts/nixos/thinkpad/system.nix b/hosts/nixos/thinkpad/system.nix
index cfaa893..1bc9756 100644
--- a/hosts/nixos/thinkpad/system.nix
+++ b/hosts/nixos/thinkpad/system.nix
@@ -321,7 +321,8 @@
   # AutoFS auto-mounting for remote NFS shares
   services.autofs-custom = {
     enable = true;
-    remoteHost = "10.2.2.20";
+    remoteHost = "lan.hs.yanlincs.com";  # Prefer LAN when at home
+    replicas = [ "10.2.2.20" ];  # Fallback to WireGuard when remote
     remotePath = "/mnt/storage/Media";
     mountPoint = "/mnt/hs-media";
   };
diff --git a/modules/autofs.nix b/modules/autofs.nix
index 0996aa3..ce45f8c 100644
--- a/modules/autofs.nix
+++ b/modules/autofs.nix
@@ -12,7 +12,7 @@ in
 
     remoteHost = mkOption {
       type = types.str;
-      description = "Remote NFS server hostname or IP";
+      description = "Primary remote NFS server hostname or IP";
     };
 
     remotePath = mkOption {
@@ -24,15 +24,28 @@ in
       type = types.str;
       description = "Local mount point";
     };
+
+    replicas = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = "Replica server hostnames or IPs for failover (in order of preference)";
+    };
   };
 
   config = mkIf cfg.enable {
     services.autofs = {
       enable = true;
       timeout = 300;
-      autoMaster = ''
-        ${cfg.mountPoint} -fstype=nfs4,rw,soft,intr,noatime ${cfg.remoteHost}:${cfg.remotePath}
-      '';
+      autoMaster =
+        let
+          # Build server list: primary host followed by replicas
+          allHosts = [ cfg.remoteHost ] ++ cfg.replicas;
+          # Format as "host1:/path host2:/path host3:/path"
+          locations = concatStringsSep " " (map (host: "${host}:${cfg.remotePath}") allHosts);
+        in
+        ''
+          ${cfg.mountPoint} -fstype=nfs4,rw,soft,intr,noatime ${locations}
+        '';
     };
 
     systemd.tmpfiles.rules = [
diff --git a/modules/nfs.nix b/modules/nfs.nix
index d1af11d..1669848 100644
--- a/modules/nfs.nix
+++ b/modules/nfs.nix
@@ -15,10 +15,10 @@ in
       description = "Path to export via NFS";
     };
 
-    allowedNetwork = mkOption {
-      type = types.str;
-      default = "10.2.2.0/24";
-      description = "Network allowed to access the export (CIDR)";
+    allowedNetworks = mkOption {
+      type = types.listOf types.str;
+      default = [ "10.2.2.0/24" ];
+      description = "Networks allowed to access the export (CIDR)";
     };
   };
 
@@ -26,7 +26,7 @@ in
     services.nfs.server = {
       enable = true;
       exports = ''
-        ${cfg.exportPath} ${cfg.allowedNetwork}(rw,sync,no_subtree_check,no_root_squash)
+        ${cfg.exportPath} ${concatStringsSep " " (map (net: "${net}(rw,sync,no_subtree_check,no_root_squash)") cfg.allowedNetworks)}
       '';
     };
   };