diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix
index 54c0884..eb080dc 100644
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@@ -61,11 +61,11 @@ in
 };
 sops.secrets."nebula/host-key" = {
- owner = config.users.users.nebula-main.name;
- restartUnits = [ "nebula@main.service" ];
+ owner = config.users.users.nebula-mesh.name;
+ restartUnits = [ "nebula@mesh.service" ];
 };
- services.nebula.networks.main = {
+ services.nebula.networks.mesh = {
 enable = true;
 ca = ./ca.crt;
@@ -106,5 +106,7 @@ in
 logging.level = "warning";
 };
 };
+
+ networking.firewall.trustedInterfaces = [ "nebula.mesh" ];
 };
 }
diff --git a/modules/system/services/nebula/sshd.nix b/modules/system/services/nebula/sshd.nix
new file mode 100644
index 0000000..857611f
--- /dev/null
+++ b/modules/system/services/nebula/sshd.nix
@@ -0,0 +1,34 @@
+{ config, lib, ... }:
+let
+ cfg = config.custom.services.nebula.node;
+in
+{
+ options.custom.services.nebula.node.sshd = {
+ enable = lib.mkEnableOption "" // {
+ default = true;
+ };
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 22;
+ };
+ };
+
+ config = lib.mkIf (cfg.enable && cfg.sshd.enable) {
+ meta.ports.tcp = [ cfg.sshd.port ];
+
+ services.openssh = {
+ enable = true;
+ openFirewall = false;
+ ports = [ ];
+ listenAddresses = lib.singleton {
+ addr = cfg.address;
+ inherit (cfg.sshd) port;
+ };
+ };
+
+ systemd.services.sshd = {
+ requires = [ "nebula@mesh.service" ];
+ after = [ "nebula@mesh.service" ];
+ };
+ };
+}
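Review bot: `networking.firewall.trustedInterfaces = [ "nebula.mesh" ];` in the second default.nix hunk switches off all host firewall filtering for traffic arriving over the overlay, so any peer the Nebula CA admits can reach every service listening on this host, not only the ones intended for the mesh. Unless the network's own inbound rules (defined outside this hunk) are meant to be the sole control, the narrower `networking.firewall.interfaces."nebula.mesh".allowedTCPPorts = [ ... ];` keeps the host firewall as a second layer and lets sshd.nix contribute just its port. The trusted interface name must also match the tun device the `mesh` network actually creates; that part of the definition is not visible here, so this assumes the module default is used. The enclosing config attribute set starts before the hunk.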
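Review bot: `enable = lib.mkEnableOption ""` leaves the option undocumented and `port` carries no `description` either, which matters for an option that enables sshd by default on every node this module applies to. Suggested: `enable = lib.mkEnableOption "sshd listening on this node's Nebula address" // { default = true; };` and, on `port`, `description = "TCP port sshd binds on the Nebula address.";`. Separately, `listenAddresses` pins sshd to `cfg.address`, which presumably exists only once the tun device is up, and `after = [ "nebula@mesh.service" ]` orders against the unit rather than the address assignment, so the first bind may fail with "Cannot assign requested address" — if that shows up, `boot.kernel.sysctl."net.ipv4.ip_nonlocal_bind" = 1;` or the unit's restart policy would cover it. `cfg.address` is declared outside this file, so this assumes it is the overlay address.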