From 07c46beefb92bb39ca934c689352b47e0ab1371c Mon Sep 17 00:00:00 2001
From: SebastianStork <git@sstork.dev>
Date: Fri, 16 Jan 2026 10:53:41 +0100
Subject: [PATCH] nebula: Fix constant restarts by using fixed paths

---
 modules/system/services/nebula/default.nix | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix
index 423f5f6..fcd4e5e 100644
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@@ -45,11 +45,24 @@ in
       restartUnits = [ "nebula@mesh.service" ];
     };
 
+    environment.etc = {
+      "nebula/ca.crt" = {
+        source = ./ca.crt;
+        mode = "0440";
+        user = config.systemd.services."nebula@mesh".serviceConfig.User;
+      };
+      "nebula/host.crt" = {
+        source = cfg.certificatePath;
+        mode = "0440";
+        user = config.systemd.services."nebula@mesh".serviceConfig.User;
+      };
+    };
+
     services.nebula.networks.mesh = {
       enable = true;
 
-      ca = ./ca.crt;
-      cert = cfg.certificatePath;
+      ca = "/etc/nebula/ca.crt";
+      cert = "/etc/nebula/host.crt";
       key = config.sops.secrets."nebula/host-key".path;
 
       tun.device = netCfg.overlay.interface;