diff --git a/nixos/hosts/eidola/nebula.nix b/nixos/hosts/eidola/nebula.nix
new file mode 100644
index 0000000..5bee2da
--- /dev/null
+++ b/nixos/hosts/eidola/nebula.nix
@@ -0,0 +1,48 @@
+{config, ...}: let
+ netName = "m-infra";
+ # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
+ userGroup = "nebula-${netName}";
+ lhs = {"10.13.0.1" = ["min.rip:4242"];};
+ lhsInt = builtins.attrNames lhs;
+in {
+ sops.secrets."nebula-key" = {
+ mode = "0440";
+ owner = userGroup;
+ group = userGroup;
+ };
+
+ services.nebula.networks.${netName} = {
+ ca = ../../keys/ca.crt;
+ cert = ../../keys/n-srv-eidola.crt;
+ key = config.sops.secrets."nebula-key".path;
+
+ lighthouses = lhsInt;
+ relays = lhsInt;
+ staticHostMap = lhs;
+
+ settings.punchy.punch = true;
+
+ firewall.outbound = [
+ {
+ port = "any";
+ proto = "any";
+ host = "any";
+ }
+ ];
+
+ firewall.inbound = [
+ # Allow pings from anyone
+ {
+ port = "any";
+ proto = "icmp";
+ host = "any";
+ }
+ # Allow SSH from `internal` group
+ {
+ port = 22;
+ proto = "tcp";
+ groups = ["internal"];
+ }
+ ];
+ };
+}
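Review bot: The comment above `userGroup` is a bare nixpkgs URL pinned to a line number, which goes stale on the next channel bump and does not say what the reader actually needs: that the key must be readable by the user the nebula service runs as. Consider replacing it with `# The nixpkgs nebula module runs each network as user/group "nebula-<netName>"; the sops key below is made readable by that user (mode 0440).` The inbound rule that admits SSH only from peers whose certificate carries the `internal` group is the right shape; a short comment next to it that the group is taken from the peer's certificate (signed by ca.crt) rather than from its IP would prevent someone from "widening" it with a host pattern later. Setting `relays = lhsInt` presumably assumes the lighthouse at 10.13.0.1 is itself configured to act as a relay (`isRelay` / `relay.am_relay` on that host); that is not visible in this file, so it is worth a one-line comment or a check on the lighthouse's config.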