diff --git a/hosts/desktop/default.nix b/hosts/desktop/default.nix
index 1a3f192..503f282 100644
--- a/hosts/desktop/default.nix
+++ b/hosts/desktop/default.nix
@@ -33,6 +33,7 @@
 nebula.node = {
 enable = true;
 address = "10.254.250.1";
+ isClient = true;
 };
 syncthing = {
 enable = true;
diff --git a/hosts/laptop/default.nix b/hosts/laptop/default.nix
index 4eabbf8..73a6c22 100644
--- a/hosts/laptop/default.nix
+++ b/hosts/laptop/default.nix
@@ -36,6 +36,7 @@
 nebula.node = {
 enable = true;
 address = "10.254.250.3";
+ isClient = true;
 };
 syncthing = {
 enable = true;
diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix
index e63db19..7b2c95d 100644
--- a/hosts/vps-private/default.nix
+++ b/hosts/vps-private/default.nix
@@ -34,8 +34,9 @@
 nebula.node = {
 enable = true;
 address = "10.254.250.2";
- isLighthouse = true;
 routableAddress = "49.13.231.235";
+ isLighthouse = true;
+ isServer = true;
 };
 syncthing = {
diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix
index eb080dc..f31502c 100644
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@@ -6,49 +6,58 @@ }: let cfg = config.custom.services.nebula.node; + peers = config.custom.services.nebula.peers; hostname = config.networking.hostName; - nodes = - self.nixosConfigurations - |> lib.filterAttrs (name: _: name != hostname) - |> lib.attrValues - |> lib.map (value: value.config.custom.services.nebula.node) - |> lib.filter (node: node.enable); + lighthouses = peers |> lib.filter (node: node.isLighthouse); - lighthouses = nodes |> lib.filter (node: node.isLighthouse); - - routableNodes = nodes |> lib.filter (node: node.routableAddress != null); + routablePeers = peers |> lib.filter (node: node.routableAddress != null); in { - options.custom.services.nebula.node = { - enable = lib.mkEnableOption ""; - name = lib.mkOption { - type = lib.types.nonEmptyStr; - default = config.networking.hostName; - }; - address = lib.mkOption { - type = lib.types.nonEmptyStr; - default = ""; - }; - isLighthouse = lib.mkEnableOption ""; + options.custom.services.nebula = { + node = { + enable = lib.mkEnableOption ""; + name = lib.mkOption { + type = lib.types.nonEmptyStr; + default = hostname; + }; + address = lib.mkOption { + type = lib.types.nonEmptyStr; + default = ""; + }; + isLighthouse = lib.mkEnableOption ""; + isServer = lib.mkEnableOption ""; + isClient = lib.mkEnableOption ""; - routableAddress = lib.mkOption { - type = lib.types.nullOr lib.types.nonEmptyStr; - default = null; - }; - routablePort = lib.mkOption { - type = lib.types.nullOr lib.types.port; - default = if cfg.routableAddress != null then 47141 else null; + routableAddress = lib.mkOption { + type = lib.types.nullOr lib.types.nonEmptyStr; + default = null; + }; + routablePort = lib.mkOption { + type = lib.types.nullOr lib.types.port; + default = if cfg.routableAddress != null then 47141 else null; + }; + + publicKeyPath = lib.mkOption { + type = lib.types.path; + default = "${self}/hosts/${hostname}/keys/nebula.pub"; + }; + certificatePath = lib.mkOption { + type = lib.types.path; + default = 
"${self}/hosts/${hostname}/keys/nebula.crt"; + }; }; - publicKeyPath = lib.mkOption { - type = lib.types.path; - default = "${self}/hosts/${hostname}/keys/nebula.pub"; - }; - certificatePath = lib.mkOption { - type = lib.types.path; - default = "${self}/hosts/${hostname}/keys/nebula.crt"; + peers = lib.mkOption { + type = lib.types.anything; + default = + self.nixosConfigurations + |> lib.filterAttrs (name: _: name != hostname) + |> lib.attrValues + |> lib.map (value: value.config.custom.services.nebula.node) + |> lib.filter (node: node.enable); + readOnly = true; }; }; @@ -80,7 +89,7 @@ in ); staticHostMap = - routableNodes + routablePeers |> lib.map (lighthouse: { name = lighthouse.address; value = lib.singleton "${lighthouse.routableAddress}:${toString lighthouse.routablePort}"; @@ -89,14 +98,14 @@ in firewall = { outbound = lib.singleton { - host = "any"; port = "any"; proto = "any"; + host = "any"; }; inbound = lib.singleton { - host = "any"; port = "any"; - proto = "any"; + proto = "icmp"; + host = "any"; }; }; diff --git a/modules/system/services/nebula/sshd.nix b/modules/system/services/nebula/sshd.nix index 857611f..3164c45 100644 --- a/modules/system/services/nebula/sshd.nix +++ b/modules/system/services/nebula/sshd.nix @@ -16,14 +16,25 @@ in config = lib.mkIf (cfg.enable && cfg.sshd.enable) { meta.ports.tcp = [ cfg.sshd.port ]; - services.openssh = { - enable = true; - openFirewall = false; - ports = [ ]; - listenAddresses = lib.singleton { - addr = cfg.address; - inherit (cfg.sshd) port; + services = { + openssh = { + enable = true; + openFirewall = false; + ports = [ ]; + listenAddresses = lib.singleton { + addr = cfg.address; + inherit (cfg.sshd) port; + }; }; + + nebula.networks.mesh.firewall.inbound = + config.custom.services.nebula.peers + |> lib.filter (node: node.isClient) + |> lib.map (nebula: { + port = "22"; + proto = "tcp"; + host = nebula.name; + }); }; systemd.services.sshd = {
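Review bot: `isServer` is declared next to `isClient` in the new `node` options, but nothing in this diff reads it — the only consumer of the new flags is the sshd rule in sshd.nix, which filters on `isClient` — so a host that sets `isServer = true` (vps-private does) gets no change in what the mesh firewall allows; if the rest of the module does not consume it either, wire it into a rule or make its intent explicit, e.g. `isServer = lib.mkEnableOption "marking this node as a service host (informational until a rule consumes it)";`. The re-declared `address` option keeps `default = ""` under `lib.types.nonEmptyStr`, a default that can never satisfy its own type, so an enabled node that forgets `address` fails with a type-check error instead of a clear "address is required" message; dropping the default makes the option mandatory with the better error. `peers` is typed `lib.types.anything`; `lib.types.listOf lib.types.attrs` accepts the same default while rejecting a non-list if someone later relaxes `readOnly`. The `let` block opens at the hunk's first line and the `options.custom.services.nebula` set opens and closes inside the hunk.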
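Review bot: The default inbound rule is now ICMP-only from `host = "any"`, which is the right least-privilege baseline, but the rule carries no comment saying that every service exposed over the mesh must now append its own `inbound` entry (sshd.nix does so in this same commit); add `# Mesh default: only ICMP in from any peer; services add their own inbound rules.` above `inbound = lib.singleton {`. The `firewall = {` attribute this hunk edits sits inside a network definition that starts outside the hunk.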
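Review bot: The new inbound rule hard-codes `port = "22"` while sshd is bound to `cfg.sshd.port` (the `listenAddresses` entry a few lines above inherits it and `meta.ports.tcp` advertises it), so on any host where that option is not 22 the Nebula firewall opens a port nothing listens on and keeps blocking the real one; use `port = toString cfg.sshd.port;`. The `host = nebula.name` match is only as strong as the name in each peer's signed certificate — Nebula compares `host` against the certificate name, not the peer's configured option — so it is worth a comment such as `# host is matched against the peer's certificate name; node.name must equal the name the cert was signed with`. The `config = lib.mkIf` block this hunk edits continues past the hunk (`systemd.services.sshd = {` is its last visible line).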