{config, ...}: let
  inherit (import ../../modules/nebula/shared.nix) userGroup;
in {
  sops.secrets."nebula-key" = {
    mode = "0440";
    owner = userGroup;
    group = userGroup;
  };

  # TODO: why?
  networking.firewall.allowedUDPPorts = [4242];

  gen.nebula = {
    enable = true;
    enableLighthouse = false;

    cert = ../../keys/n-usr-min-fwl.crt;
    key = config.sops.secrets."nebula-key".path;

    extraInbound = [
      # Allow iperf3 from anyone
      {
        port = 5201;
        proto = "any";
        host = "any";
      }
    ];
  };
}