diff --git a/hosts/desktop/keys/nebula.crt b/hosts/desktop/keys/nebula.crt
index 03613b7..06a8387 100644
--- a/hosts/desktop/keys/nebula.crt
+++ b/hosts/desktop/keys/nebula.crt
@@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGmoECAB2Rlc2t0b3ChBwQFCv76ARiFBGlIaqqGBGsoffSHIBVD/hlbqt7XLMVq
-DE4DhIQzJRBaXtQIwm5gRTI7c0VogiAWuCbaQyz2y1A+OrT1+mI2U2EdQ3X3HPzA
-SkjZQ+zAG4NANTlPvjlzVHXcvSnZpWO0HVFFLlFKkPav33SUb51KaOt+HX0Xyu3r
-3EvhBuRRS6pc6x5/ZawfxWakQwb5dTuhDg==
+MIG9oFeAB2Rlc2t0b3ChBwQFCv76ARijFQwHImNsaWVudAwKc3luY3RoaW5nIoUE
+aYUZ9YYEayh99IcgFUP+GVuq3tcsxWoMTgOEhDMlEFpe1AjCbmBFMjtzRWiCIBa4
+JtpDLPbLUD46tPX6YjZTYR1Ddfcc/MBKSNlD7MAbg0BGe2eiIAFhf0s/Gn54OfAV
+O1Pb2pvUUgg40MJS4+jTyltESru3sku3/obntXS46R8uSb17yAvSGbAtHkm6gfoM
 -----END NEBULA CERTIFICATE V2-----
diff --git a/hosts/laptop/keys/nebula.crt b/hosts/laptop/keys/nebula.crt
index b9041ae..49bd696 100644
--- a/hosts/laptop/keys/nebula.crt
+++ b/hosts/laptop/keys/nebula.crt
@@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGloD+ABmxhcHRvcKEHBAUK/voDGIUEaUsu2oYEayh99IcgFUP+GVuq3tcsxWoM
-TgOEhDMlEFpe1AjCbmBFMjtzRWiCIDQsjID+DOXgSXkAkkIySZqpe8qDwc/RSe9/
-rUqoGr07g0DDH0+/63YpveHA2JKKvl8T5/1kPm2Tp4SKLLy6i5g01dw4QSwaRGlW
-nrPxsi9gbci2Jdw2AiOZmshHA7tJOpoL
+MIG8oFaABmxhcHRvcKEHBAUK/voDGKMVDAciY2xpZW50DApzeW5jdGhpbmcihQRp
+hRn5hgRrKH30hyAVQ/4ZW6re1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgNCyM
+gP4M5eBJeQCSQjJJmql7yoPBz9FJ73+tSqgavTuDQNNN/BJUnq2BC7t8SwdZT3nE
+a2N9Ie2JK2TSCJbAaTv5mDQC/ObqSOsJfIX49oRtFmu1apVUcyYzAKq0W8sl3gE=
 -----END NEBULA CERTIFICATE V2-----
diff --git a/hosts/vps-monitor/keys/nebula.crt b/hosts/vps-monitor/keys/nebula.crt
index e57c730..de8ae11 100644
--- a/hosts/vps-monitor/keys/nebula.crt
+++ b/hosts/vps-monitor/keys/nebula.crt
@@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGqoESAC3Zwcy1tb25pdG9yoQcEBQr++gUYhQRpWTmKhgRrKH30hyAVQ/4ZW6re
-1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgEsH4GM7MoMHRA9Ua4racnsVImNb4
-0fhIMdlx2Y8Gx3iDQJo2nQl5Atwka8UCU3FteaMSrgSxQW6HhBE7pwYMhlWdrusn
-KUloRoe8tDpEWEO3qc+iQsgpr5Tuo27QUD77igs=
+MIG2oFCAC3Zwcy1tb25pdG9yoQcEBQr++gUYowoMCCJzZXJ2ZXIihQRphRn9hgRr
+KH30hyAVQ/4ZW6re1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgEsH4GM7MoMHR
+A9Ua4racnsVImNb40fhIMdlx2Y8Gx3iDQHJU+DbIPKSh5Uc9/SzKsM3LtUZ+Yt7a
+7gfQQJj3BgY0S5Ae3qa7Uo+zFTo6RtyJpefz4fJI4kS4kw2oUeB/1wo=
 -----END NEBULA CERTIFICATE V2-----
diff --git a/hosts/vps-private/keys/nebula.crt b/hosts/vps-private/keys/nebula.crt
index 12e3761..0fa05bb 100644
--- a/hosts/vps-private/keys/nebula.crt
+++ b/hosts/vps-private/keys/nebula.crt
@@ -1,6 +1,7 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGqoESAC3Zwcy1wcml2YXRloQcEBQr++gIYhQRpSG/KhgRrKH30hyAVQ/4ZW6re
-1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgxxdwQe3CJkEjhN6lB0dWCNqjNug5
-oIN9KQTTTCp0dguDQHynn1xdarsZsfvF6ZJB01HrOVgLs2kVod3ZZZD3L8Fe/hfF
-TryU5SxJ8MH6irDdtgTs+9pU+BaNWms1X4zfkAQ=
+MIHBoFuAC3Zwcy1wcml2YXRloQcEBQr++gIYoxUMByJzZXJ2ZXIMCnN5bmN0aGlu
+ZyKFBGmFGgKGBGsoffSHIBVD/hlbqt7XLMVqDE4DhIQzJRBaXtQIwm5gRTI7c0Vo
+giDHF3BB7cImQSOE3qUHR1YI2qM26Dmgg30pBNNMKnR2C4NAs88H9BxfXXBirWag
+bF3+NXvxSKYrR1xR9Z4yBzl7JHXBRbkG4GJ29k4bL3dXrng1+yRnhZox3txUu2uR
++46ABA==
 -----END NEBULA CERTIFICATE V2-----
diff --git a/hosts/vps-public/keys/nebula.crt b/hosts/vps-public/keys/nebula.crt
index 4ab0405..483979b 100644
--- a/hosts/vps-public/keys/nebula.crt
+++ b/hosts/vps-public/keys/nebula.crt
@@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGpoEOACnZwcy1wdWJsaWOhBwQFCv76BBiFBGlZOWqGBGsoffSHIBVD/hlbqt7X
-LMVqDE4DhIQzJRBaXtQIwm5gRTI7c0VogiB2ciqx2b7d1mUPRnrtM5sN+X4Pohtb
-kBNPPFUDxwX7SoNAWUNPjR8iSib9C52wEmTzolYIvwbAUnOjMytH01xHUgPhiiTv
-Cm4CTtS9vWllCCH682evxo+0I3+PKDRp8DKxCQ==
+MIG1oE+ACnZwcy1wdWJsaWOhBwQFCv76BBijCgwIInNlcnZlciKFBGmFGgaGBGso
+ffSHIBVD/hlbqt7XLMVqDE4DhIQzJRBaXtQIwm5gRTI7c0VogiB2ciqx2b7d1mUP
+RnrtM5sN+X4PohtbkBNPPFUDxwX7SoNAIM5yXTNoekP81KhalEV4A50WmAFINP0a
+EP5Xz4ajYTHuFy/ZOnaKLCCyyRW77mJunUkWdFas6W0GFJwTkbchDA==
 -----END NEBULA CERTIFICATE V2-----
diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix
index 231ee15..8f15db3 100644
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@@ -15,6 +15,12 @@ in
 enable = lib.mkEnableOption "" // {
 default = netCfg.overlay.implementation == "nebula";
 };
+ groups = lib.mkOption {
+ type = lib.types.nonEmptyListOf lib.types.nonEmptyStr;
+ default =
+ lib.singleton netCfg.overlay.role
+ ++ lib.optional config.custom.services.syncthing.enable "syncthing";
+ };
 publicKeyPath = lib.mkOption {
 type = lib.types.path;
diff --git a/modules/system/services/sshd.nix b/modules/system/services/sshd.nix
index f37f707..2996290 100644
--- a/modules/system/services/sshd.nix
+++ b/modules/system/services/sshd.nix
@@ -28,14 +28,11 @@ in
 };
 };
- nebula.networks.mesh.firewall.inbound =
- netCfg.peers
- |> lib.filter (node: node.overlay.role == "client")
- |> lib.map (client: {
- port = 22;
- proto = "tcp";
- host = client.hostName;
- });
+ nebula.networks.mesh.firewall.inbound = lib.singleton {
+ port = 22;
+ proto = "tcp";
+ group = "client";
+ };
 };
 systemd.services.sshd = {
diff --git a/modules/system/services/syncthing.nix b/modules/system/services/syncthing.nix
index e4137c1..c80c0e0 100644
--- a/modules/system/services/syncthing.nix
+++ b/modules/system/services/syncthing.nix
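Review bot: The new `groups` option carries no `description`, and its default is recomputed from `netCfg.overlay.role` and `config.custom.services.syncthing.enable` on every evaluation while the value only takes effect once `scripts/nebula-regen-host-cert.nix` bakes it into a freshly signed certificate via `nebula-cert sign -groups`. Toggling syncthing on a host therefore changes the evaluated option and the derived firewall rule, but not the deployed certificate, until that script is rerun, and nothing in this module flags the mismatch. Suggest adding `description = "Groups written into this host's Nebula certificate. Changing this requires re-signing the certificate with scripts/nebula-regen-host-cert.nix; firewall rules in other modules match on these names.";` inside the option. The enclosing options set starts before the hunk.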
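Review bot: The SSH inbound rule now keys on the certificate group `client` instead of an explicit list of peer hostnames, so who may reach port 22 over the mesh is decided at signing time by the groups the CA put into each host certificate, and `netCfg.peers` in this configuration no longer constrains it; any certificate the CA signs with `client` in its groups is admitted. If that trust shift is intended it deserves a comment at the rule, e.g. `# Membership is asserted by the CA-signed host certificate (scripts/nebula-regen-host-cert.nix), not by netCfg.peers.`, and the per-peer allowlist could be kept alongside the group rule if defence in depth is wanted. The syncthing.nix hunk makes the same switch with `group = "syncthing"`. That the firewall compares group strings exactly is inferred from the groups option defaults using the same literals.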
@@ -118,14 +118,11 @@ in
 };
 };
- nebula.networks.mesh.firewall.inbound =
- config.services.syncthing.settings.devices
- |> lib.attrNames
- |> lib.map (name: {
- port = cfg.syncPort;
- proto = "tcp";
- host = name;
- });
+ nebula.networks.mesh.firewall.inbound = lib.singleton {
+ port = cfg.syncPort;
+ proto = "tcp";
+ group = "syncthing";
+ };
 };
 custom = {
diff --git a/scripts/nebula-regen-host-cert.nix b/scripts/nebula-regen-host-cert.nix
index bfac5c8..4510fd0 100644
--- a/scripts/nebula-regen-host-cert.nix
+++ b/scripts/nebula-regen-host-cert.nix
@@ -15,6 +15,7 @@ pkgs.writeShellApplication {
 host="$1"
 address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")"
+ groups="$(nix eval ".#nixosConfigurations.$host.config.custom.services.nebula.groups" --apply 'builtins.concatStringsSep ","')"
 ca_cert='modules/system/services/nebula/ca.crt'
 host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")"
 host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
@@ -35,6 +36,6 @@ pkgs.writeShellApplication {
 fi
 rm -f "$host_cert"
- nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
+ nebula-cert sign -name "$host" -networks "$address" -groups "$groups" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
 '';
 }
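Review bot: The new `groups=` line calls `nix eval` without `--raw`, unlike the neighbouring `address`, `host_pub` and `host_cert` lines, so it captures the Nix string literal with its surrounding double quotes, and `nebula-cert sign -groups "$groups"` in the next hunk then receives `"client,syncthing"` quotes included, which splits into the groups `"client` and `syncthing"`. The regenerated certificates in this commit already show this: decoding the groups field of the new desktop cert (`ImNsaWVudAwKc3luY3RoaW5nIo`) yields `"client` and `syncthing"`, and the new vps-monitor cert (`owoMCCJzZXJ2ZXIi`) yields `"server"`. Those names cannot match the firewall rules `group = "client"` and `group = "syncthing"` introduced in sshd.nix and syncthing.nix, so, assuming Nebula compares group names exactly, inbound SSH and syncthing on the mesh remain blocked after this commit. Change the line to `groups="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.groups" --apply 'builtins.concatStringsSep ","')"` and re-sign all five host certificates.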