{config, ...}: let
  inherit (import ../../../modules/nebula/shared.nix) userGroup service;
in {
  sops.secrets."svc-nebula-key" = {
    mode = "0440";
    owner = userGroup;
    group = userGroup;
    restartUnits = [service];
  };

  networking.firewall.allowedUDPPorts = [4242];

  gen.nebula = {
    enable = true;
    enableLighthouse = true;

    cert = ../../../keys/lh-silver.crt;
    key = config.sops.secrets."svc-nebula-key".path;

    extraInbound = [];
  };
}