nebula: Switch to group-based firewall rules

modules/system/services/nebula/default.nix

@@ -15,6 +15,12 @@ in
     enable = lib.mkEnableOption "" // {
       default = netCfg.overlay.implementation == "nebula";
     };
+    groups = lib.mkOption {
+      type = lib.types.nonEmptyListOf lib.types.nonEmptyStr;
+      default =
+        lib.singleton netCfg.overlay.role
+        ++ lib.optional config.custom.services.syncthing.enable "syncthing";
+    };
 
     publicKeyPath = lib.mkOption {
       type = lib.types.path;

modules/system/services/sshd.nix

@@ -28,14 +28,11 @@ in
         };
       };
 
-      nebula.networks.mesh.firewall.inbound =
-        netCfg.peers
-        |> lib.filter (node: node.overlay.role == "client")
-        |> lib.map (client: {
-          port = 22;
-          proto = "tcp";
-          host = client.hostName;
-        });
+      nebula.networks.mesh.firewall.inbound = lib.singleton {
+        port = 22;
+        proto = "tcp";
+        group = "client";
+      };
     };
 
     systemd.services.sshd = {

modules/system/services/syncthing.nix

@@ -118,14 +118,11 @@ in
         };
       };
 
-      nebula.networks.mesh.firewall.inbound =
-        config.services.syncthing.settings.devices
-        |> lib.attrNames
-        |> lib.map (name: {
-          port = cfg.syncPort;
-          proto = "tcp";
-          host = name;
-        });
+      nebula.networks.mesh.firewall.inbound = lib.singleton {
+        port = cfg.syncPort;
+        proto = "tcp";
+        group = "syncthing";
+      };
     };
 
     custom = {