diff --git a/hosts/desktop/keys/nebula.crt b/hosts/desktop/keys/nebula.crt
index 862f271..03613b7 100644
--- a/hosts/desktop/keys/nebula.crt
+++ b/hosts/desktop/keys/nebula.crt
@@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIG7oFWAB2Rlc2t0b3ChBwQFCv76ARijEwwGY2xpZW50DAlzeW5jdGhpbmeFBGmF
-Hk6GBGsoffSHIBVD/hlbqt7XLMVqDE4DhIQzJRBaXtQIwm5gRTI7c0VogiAWuCba
-Qyz2y1A+OrT1+mI2U2EdQ3X3HPzASkjZQ+zAG4NAT5t62Hk0O6IlwmVM0e99G/s2
-GwO6Y2TXbl+g1T8eat4upiIftMkNdBJVgiDz7XbE4zgpfUuTv1LCzrNwipc6Cg==
+MIGmoECAB2Rlc2t0b3ChBwQFCv76ARiFBGlIaqqGBGsoffSHIBVD/hlbqt7XLMVq
+DE4DhIQzJRBaXtQIwm5gRTI7c0VogiAWuCbaQyz2y1A+OrT1+mI2U2EdQ3X3HPzA
+SkjZQ+zAG4NANTlPvjlzVHXcvSnZpWO0HVFFLlFKkPav33SUb51KaOt+HX0Xyu3r
+3EvhBuRRS6pc6x5/ZawfxWakQwb5dTuhDg==
 -----END NEBULA CERTIFICATE V2-----
diff --git a/hosts/laptop/keys/nebula.crt b/hosts/laptop/keys/nebula.crt
index 31dfc61..b9041ae 100644
--- a/hosts/laptop/keys/nebula.crt
+++ b/hosts/laptop/keys/nebula.crt
@@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIG6oFSABmxhcHRvcKEHBAUK/voDGKMTDAZjbGllbnQMCXN5bmN0aGluZ4UEaYUe
-UoYEayh99IcgFUP+GVuq3tcsxWoMTgOEhDMlEFpe1AjCbmBFMjtzRWiCIDQsjID+
-DOXgSXkAkkIySZqpe8qDwc/RSe9/rUqoGr07g0DhbaORjxVBfwI9Un1woUJPv2lA
-7/0O5G29fhEGsyR7N4e4ZFeHPTbCXQYKVJIo0B6nM12kriUCTymrtjMJjjQB
+MIGloD+ABmxhcHRvcKEHBAUK/voDGIUEaUsu2oYEayh99IcgFUP+GVuq3tcsxWoM
+TgOEhDMlEFpe1AjCbmBFMjtzRWiCIDQsjID+DOXgSXkAkkIySZqpe8qDwc/RSe9/
+rUqoGr07g0DDH0+/63YpveHA2JKKvl8T5/1kPm2Tp4SKLLy6i5g01dw4QSwaRGlW
+nrPxsi9gbci2Jdw2AiOZmshHA7tJOpoL
 -----END NEBULA CERTIFICATE V2-----
diff --git a/hosts/vps-monitor/keys/nebula.crt b/hosts/vps-monitor/keys/nebula.crt
index f128706..e57c730 100644
--- a/hosts/vps-monitor/keys/nebula.crt
+++ b/hosts/vps-monitor/keys/nebula.crt
@@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIG0oE6AC3Zwcy1tb25pdG9yoQcEBQr++gUYowgMBnNlcnZlcoUEaYUeVoYEayh9
-9IcgFUP+GVuq3tcsxWoMTgOEhDMlEFpe1AjCbmBFMjtzRWiCIBLB+BjOzKDB0QPV
-GuK2nJ7FSJjW+NH4SDHZcdmPBsd4g0Ctqv9hgMdJuXpKgy0HIU7eRhjMYDr22AUb
-e5nHcocsCe3mqPvHeTOPpluPeQcVXBnalFXwUHbpYmV/8pZFiNkI
+MIGqoESAC3Zwcy1tb25pdG9yoQcEBQr++gUYhQRpWTmKhgRrKH30hyAVQ/4ZW6re
+1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgEsH4GM7MoMHRA9Ua4racnsVImNb4
+0fhIMdlx2Y8Gx3iDQJo2nQl5Atwka8UCU3FteaMSrgSxQW6HhBE7pwYMhlWdrusn
+KUloRoe8tDpEWEO3qc+iQsgpr5Tuo27QUD77igs=
 -----END NEBULA CERTIFICATE V2-----
diff --git a/hosts/vps-private/keys/nebula.crt b/hosts/vps-private/keys/nebula.crt
index 84ee04a..12e3761 100644
--- a/hosts/vps-private/keys/nebula.crt
+++ b/hosts/vps-private/keys/nebula.crt
@@ -1,7 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIG/oFmAC3Zwcy1wcml2YXRloQcEBQr++gIYoxMMBnNlcnZlcgwJc3luY3RoaW5n
-hQRphR5bhgRrKH30hyAVQ/4ZW6re1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIg
-xxdwQe3CJkEjhN6lB0dWCNqjNug5oIN9KQTTTCp0dguDQIfEL9VOzRXRvfIYqQIE
-N17rITJJXUIV0zV1JY/GF2xuxGYnwqRbdpbzjwWiZn3kBvj3j/q2jC9ciA3+nnoc
-iwE=
+MIGqoESAC3Zwcy1wcml2YXRloQcEBQr++gIYhQRpSG/KhgRrKH30hyAVQ/4ZW6re
+1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgxxdwQe3CJkEjhN6lB0dWCNqjNug5
+oIN9KQTTTCp0dguDQHynn1xdarsZsfvF6ZJB01HrOVgLs2kVod3ZZZD3L8Fe/hfF
+TryU5SxJ8MH6irDdtgTs+9pU+BaNWms1X4zfkAQ=
 -----END NEBULA CERTIFICATE V2-----
diff --git a/hosts/vps-public/keys/nebula.crt b/hosts/vps-public/keys/nebula.crt
index 4938c49..4ab0405 100644
--- a/hosts/vps-public/keys/nebula.crt
+++ b/hosts/vps-public/keys/nebula.crt
@@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGzoE2ACnZwcy1wdWJsaWOhBwQFCv76BBijCAwGc2VydmVyhQRphR5fhgRrKH30
-hyAVQ/4ZW6re1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgdnIqsdm+3dZlD0Z6
-7TObDfl+D6IbW5ATTzxVA8cF+0qDQBE3+pZ54sbLravpoUt01ukqAsHAZ2kuQcrY
-DaZgtdjp1z0U7FkdqWAYlNeMVzjyXf4MQQJZH5ANu5tsofRtGw4=
+MIGpoEOACnZwcy1wdWJsaWOhBwQFCv76BBiFBGlZOWqGBGsoffSHIBVD/hlbqt7X
+LMVqDE4DhIQzJRBaXtQIwm5gRTI7c0VogiB2ciqx2b7d1mUPRnrtM5sN+X4Pohtb
+kBNPPFUDxwX7SoNAWUNPjR8iSib9C52wEmTzolYIvwbAUnOjMytH01xHUgPhiiTv
+Cm4CTtS9vWllCCH682evxo+0I3+PKDRp8DKxCQ==
 -----END NEBULA CERTIFICATE V2-----
diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix
index 8f15db3..231ee15 100644
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@@ -15,12 +15,6 @@ in enable = lib.mkEnableOption "" // { default = netCfg.overlay.implementation == "nebula"; }; - groups = lib.mkOption { - type = lib.types.nonEmptyListOf lib.types.nonEmptyStr; - default = - lib.singleton netCfg.overlay.role - ++ lib.optional config.custom.services.syncthing.enable "syncthing"; - }; publicKeyPath = lib.mkOption { type = lib.types.path;
diff --git a/modules/system/services/sshd.nix b/modules/system/services/sshd.nix
index 2996290..f37f707 100644
--- a/modules/system/services/sshd.nix
+++ b/modules/system/services/sshd.nix
@@ -28,11 +28,14 @@ in }; }; - nebula.networks.mesh.firewall.inbound = lib.singleton { - port = 22; - proto = "tcp"; - group = "client"; - }; + nebula.networks.mesh.firewall.inbound = + netCfg.peers + |> lib.filter (node: node.overlay.role == "client") + |> lib.map (client: { + port = 22; + proto = "tcp"; + host = client.hostName; + }); }; systemd.services.sshd = {
diff --git a/modules/system/services/syncthing.nix b/modules/system/services/syncthing.nix
index c80c0e0..e4137c1 100644
--- a/modules/system/services/syncthing.nix
+++ b/modules/system/services/syncthing.nix
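Review bot: The per-host rules in the sshd.nix hunk match on `host = client.hostName`, which Nebula compares against the name embedded in the peer's certificate, while nebula-regen-host-cert.nix signs with `-name "$host"` taken from the flake attribute name; nothing in the change asserts that the two agree, so a peer whose `hostName` differs from its nixosConfigurations attribute is silently locked out of port 22 (fail-closed, but hard to diagnose). A module assertion along the lines of `assertion = lib.all (p: p.hostName == <ATTR-NAME-PLACEHOLDER>) netCfg.peers;` would make the coupling explicit; I cannot see the peer schema, so the exact attribute is inferred. Because the regenerated certificates no longer carry groups, any rule elsewhere in the tree that still uses `group =` now matches no cert and should be grepped for. The `|>` pipe operator also requires the `pipe-operators` experimental feature; if that is not already enabled for this flake, `lib.pipe` is the stable equivalent. The enclosing attribute set continues outside the hunk.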
@@ -118,11 +118,14 @@ in }; }; - nebula.networks.mesh.firewall.inbound = lib.singleton { - port = cfg.syncPort; - proto = "tcp"; - group = "syncthing"; - }; + nebula.networks.mesh.firewall.inbound = + config.services.syncthing.settings.devices + |> lib.attrNames + |> lib.map (name: { + port = cfg.syncPort; + proto = "tcp"; + host = name; + }); }; custom = {
diff --git a/scripts/nebula-regen-host-cert.nix b/scripts/nebula-regen-host-cert.nix
index 1dd03f4..bfac5c8 100644
--- a/scripts/nebula-regen-host-cert.nix
+++ b/scripts/nebula-regen-host-cert.nix
@@ -15,7 +15,6 @@ pkgs.writeShellApplication { host="$1" address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")" - groups="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.groups" --apply 'builtins.concatStringsSep ","')" ca_cert='modules/system/services/nebula/ca.crt' host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")" host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
@@ -36,6 +35,6 @@ pkgs.writeShellApplication { fi rm -f "$host_cert" - nebula-cert sign -name "$host" -networks "$address" -groups "$groups" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert" + nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert" ''; }
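Review bot: The syncthing.nix rule derives Nebula `host` names from the attribute names of `config.services.syncthing.settings.devices`, which only works if every device is keyed by that peer's Nebula certificate name; the assumption is implicit and deserves a comment such as `# Nebula matches "host" against the cert name, so device attr names must equal the peers' overlay hostnames`. A device keyed by any other label yields a rule that matches no certificate, so that peer loses sync access silently rather than with an evaluation error. An empty devices set produces an empty inbound list, which keeps `cfg.syncPort` closed and is the safe outcome. The sshd.nix hunk relies on the same name coupling, so one shared assertion on the peer definitions might serve both. The enclosing attribute set continues outside the hunk.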