diff --git a/hosts/desktop/keys/nebula.crt b/hosts/desktop/keys/nebula.crt
index 03613b7..862f271 100644
--- a/hosts/desktop/keys/nebula.crt
+++ b/hosts/desktop/keys/nebula.crt
@@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGmoECAB2Rlc2t0b3ChBwQFCv76ARiFBGlIaqqGBGsoffSHIBVD/hlbqt7XLMVq
-DE4DhIQzJRBaXtQIwm5gRTI7c0VogiAWuCbaQyz2y1A+OrT1+mI2U2EdQ3X3HPzA
-SkjZQ+zAG4NANTlPvjlzVHXcvSnZpWO0HVFFLlFKkPav33SUb51KaOt+HX0Xyu3r
-3EvhBuRRS6pc6x5/ZawfxWakQwb5dTuhDg==
+MIG7oFWAB2Rlc2t0b3ChBwQFCv76ARijEwwGY2xpZW50DAlzeW5jdGhpbmeFBGmF
+Hk6GBGsoffSHIBVD/hlbqt7XLMVqDE4DhIQzJRBaXtQIwm5gRTI7c0VogiAWuCba
+Qyz2y1A+OrT1+mI2U2EdQ3X3HPzASkjZQ+zAG4NAT5t62Hk0O6IlwmVM0e99G/s2
+GwO6Y2TXbl+g1T8eat4upiIftMkNdBJVgiDz7XbE4zgpfUuTv1LCzrNwipc6Cg==
 -----END NEBULA CERTIFICATE V2-----
diff --git a/hosts/laptop/keys/nebula.crt b/hosts/laptop/keys/nebula.crt
index b9041ae..31dfc61 100644
--- a/hosts/laptop/keys/nebula.crt
+++ b/hosts/laptop/keys/nebula.crt
@@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGloD+ABmxhcHRvcKEHBAUK/voDGIUEaUsu2oYEayh99IcgFUP+GVuq3tcsxWoM
-TgOEhDMlEFpe1AjCbmBFMjtzRWiCIDQsjID+DOXgSXkAkkIySZqpe8qDwc/RSe9/
-rUqoGr07g0DDH0+/63YpveHA2JKKvl8T5/1kPm2Tp4SKLLy6i5g01dw4QSwaRGlW
-nrPxsi9gbci2Jdw2AiOZmshHA7tJOpoL
+MIG6oFSABmxhcHRvcKEHBAUK/voDGKMTDAZjbGllbnQMCXN5bmN0aGluZ4UEaYUe
+UoYEayh99IcgFUP+GVuq3tcsxWoMTgOEhDMlEFpe1AjCbmBFMjtzRWiCIDQsjID+
+DOXgSXkAkkIySZqpe8qDwc/RSe9/rUqoGr07g0DhbaORjxVBfwI9Un1woUJPv2lA
+7/0O5G29fhEGsyR7N4e4ZFeHPTbCXQYKVJIo0B6nM12kriUCTymrtjMJjjQB
 -----END NEBULA CERTIFICATE V2-----
diff --git a/hosts/vps-monitor/keys/nebula.crt b/hosts/vps-monitor/keys/nebula.crt
index e57c730..f128706 100644
--- a/hosts/vps-monitor/keys/nebula.crt
+++ b/hosts/vps-monitor/keys/nebula.crt
@@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGqoESAC3Zwcy1tb25pdG9yoQcEBQr++gUYhQRpWTmKhgRrKH30hyAVQ/4ZW6re
-1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgEsH4GM7MoMHRA9Ua4racnsVImNb4
-0fhIMdlx2Y8Gx3iDQJo2nQl5Atwka8UCU3FteaMSrgSxQW6HhBE7pwYMhlWdrusn
-KUloRoe8tDpEWEO3qc+iQsgpr5Tuo27QUD77igs=
+MIG0oE6AC3Zwcy1tb25pdG9yoQcEBQr++gUYowgMBnNlcnZlcoUEaYUeVoYEayh9
+9IcgFUP+GVuq3tcsxWoMTgOEhDMlEFpe1AjCbmBFMjtzRWiCIBLB+BjOzKDB0QPV
+GuK2nJ7FSJjW+NH4SDHZcdmPBsd4g0Ctqv9hgMdJuXpKgy0HIU7eRhjMYDr22AUb
+e5nHcocsCe3mqPvHeTOPpluPeQcVXBnalFXwUHbpYmV/8pZFiNkI
 -----END NEBULA CERTIFICATE V2-----
diff --git a/hosts/vps-private/keys/nebula.crt b/hosts/vps-private/keys/nebula.crt
index 12e3761..84ee04a 100644
--- a/hosts/vps-private/keys/nebula.crt
+++ b/hosts/vps-private/keys/nebula.crt
@@ -1,6 +1,7 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGqoESAC3Zwcy1wcml2YXRloQcEBQr++gIYhQRpSG/KhgRrKH30hyAVQ/4ZW6re
-1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgxxdwQe3CJkEjhN6lB0dWCNqjNug5
-oIN9KQTTTCp0dguDQHynn1xdarsZsfvF6ZJB01HrOVgLs2kVod3ZZZD3L8Fe/hfF
-TryU5SxJ8MH6irDdtgTs+9pU+BaNWms1X4zfkAQ=
+MIG/oFmAC3Zwcy1wcml2YXRloQcEBQr++gIYoxMMBnNlcnZlcgwJc3luY3RoaW5n
+hQRphR5bhgRrKH30hyAVQ/4ZW6re1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIg
+xxdwQe3CJkEjhN6lB0dWCNqjNug5oIN9KQTTTCp0dguDQIfEL9VOzRXRvfIYqQIE
+N17rITJJXUIV0zV1JY/GF2xuxGYnwqRbdpbzjwWiZn3kBvj3j/q2jC9ciA3+nnoc
+iwE=
 -----END NEBULA CERTIFICATE V2-----
diff --git a/hosts/vps-public/keys/nebula.crt b/hosts/vps-public/keys/nebula.crt
index 4ab0405..4938c49 100644
--- a/hosts/vps-public/keys/nebula.crt
+++ b/hosts/vps-public/keys/nebula.crt
@@ -1,6 +1,6 @@
 -----BEGIN NEBULA CERTIFICATE V2-----
-MIGpoEOACnZwcy1wdWJsaWOhBwQFCv76BBiFBGlZOWqGBGsoffSHIBVD/hlbqt7X
-LMVqDE4DhIQzJRBaXtQIwm5gRTI7c0VogiB2ciqx2b7d1mUPRnrtM5sN+X4Pohtb
-kBNPPFUDxwX7SoNAWUNPjR8iSib9C52wEmTzolYIvwbAUnOjMytH01xHUgPhiiTv
-Cm4CTtS9vWllCCH682evxo+0I3+PKDRp8DKxCQ==
+MIGzoE2ACnZwcy1wdWJsaWOhBwQFCv76BBijCAwGc2VydmVyhQRphR5fhgRrKH30
+hyAVQ/4ZW6re1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIgdnIqsdm+3dZlD0Z6
+7TObDfl+D6IbW5ATTzxVA8cF+0qDQBE3+pZ54sbLravpoUt01ukqAsHAZ2kuQcrY
+DaZgtdjp1z0U7FkdqWAYlNeMVzjyXf4MQQJZH5ANu5tsofRtGw4=
 -----END NEBULA CERTIFICATE V2-----
diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix
index 231ee15..8f15db3 100644
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@@ -15,6 +15,12 @@ in enable = lib.mkEnableOption "" // { default = netCfg.overlay.implementation == "nebula"; }; + groups = lib.mkOption { + type = lib.types.nonEmptyListOf lib.types.nonEmptyStr; + default = + lib.singleton netCfg.overlay.role + ++ lib.optional config.custom.services.syncthing.enable "syncthing"; + }; publicKeyPath = lib.mkOption { type = lib.types.path;
diff --git a/modules/system/services/sshd.nix b/modules/system/services/sshd.nix
index f37f707..2996290 100644
--- a/modules/system/services/sshd.nix
+++ b/modules/system/services/sshd.nix
@@ -28,14 +28,11 @@ in }; }; - nebula.networks.mesh.firewall.inbound = - netCfg.peers - |> lib.filter (node: node.overlay.role == "client") - |> lib.map (client: { - port = 22; - proto = "tcp"; - host = client.hostName; - }); + nebula.networks.mesh.firewall.inbound = lib.singleton { + port = 22; + proto = "tcp"; + group = "client"; + }; }; systemd.services.sshd = {
diff --git a/modules/system/services/syncthing.nix b/modules/system/services/syncthing.nix
index e4137c1..c80c0e0 100644
--- a/modules/system/services/syncthing.nix
+++ b/modules/system/services/syncthing.nix
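Review bot: The new `groups` option in modules/system/services/nebula/default.nix has no `description`, and its value is exactly what the rewritten sshd and syncthing firewall rules now trust, so its contract should be spelled out: groups are embedded into the host certificate when it is signed, not read from the live configuration. Enabling syncthing on a host changes the default here but grants nothing until scripts/nebula-regen-host-cert.nix re-signs that host's certificate, and a certificate signed earlier keeps whatever groups it was signed with until it is replaced. I would add `description = "Nebula groups baked into this host's certificate at signing time; firewall rules match on them, so changes take effect only after the certificate is re-signed with scripts/nebula-regen-host-cert.nix.";` inside the `mkOption`. The attribute set containing these options starts before and ends after this hunk.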
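Review bot: The rewritten rule in modules/system/services/sshd.nix changes what is being authorised: the old `inbound` entry admitted exactly the hosts in `netCfg.peers` with the client role, while `group = "client"` admits any certificate the CA has signed with that group, whether or not it is a configured peer. That moves the port-22 access decision from this module into the certificate-signing step, and a client whose certificate predates this change loses SSH until it is re-signed; the regenerated certificates in this commit do appear to carry `client`/`syncthing`/`server` in their encoded group field, so current hosts should be unaffected. The same shift applies to the syncthing.nix hunk, where the allow list used to be derived from `config.services.syncthing.settings.devices` and is now any certificate holding the `syncthing` group. A comment above the rule, `# Any cert signed with the "client" group matches; membership is fixed at signing time, not by netCfg.peers.`, would stop the next reader from assuming the peer list still gates this. The attribute set this rule belongs to starts before the hunk.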
@@ -118,14 +118,11 @@ in }; }; - nebula.networks.mesh.firewall.inbound = - config.services.syncthing.settings.devices - |> lib.attrNames - |> lib.map (name: { - port = cfg.syncPort; - proto = "tcp"; - host = name; - }); + nebula.networks.mesh.firewall.inbound = lib.singleton { + port = cfg.syncPort; + proto = "tcp"; + group = "syncthing"; + }; }; custom = {
diff --git a/scripts/nebula-regen-host-cert.nix b/scripts/nebula-regen-host-cert.nix
index bfac5c8..1dd03f4 100644
--- a/scripts/nebula-regen-host-cert.nix
+++ b/scripts/nebula-regen-host-cert.nix
@@ -15,6 +15,7 @@ pkgs.writeShellApplication { host="$1" address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")" + groups="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.groups" --apply 'builtins.concatStringsSep ","')" ca_cert='modules/system/services/nebula/ca.crt' host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")" host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
@@ -35,6 +36,6 @@ pkgs.writeShellApplication { fi rm -f "$host_cert" - nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert" + nebula-cert sign -name "$host" -networks "$address" -groups "$groups" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert" ''; }
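Review bot: In scripts/nebula-regen-host-cert.nix the `groups` value is handed to `nebula-cert sign -groups` without any check, yet it is the artefact the firewall now trusts: `nonEmptyStr` permits commas, so a group written as `a,b` would be signed as two groups, and a typo in the option yields a certificate that silently matches no rule. Since the signed certificate, not the Nix option, is what grants access, I would have the script show what it produced by adding `nebula-cert print -path "$host_cert"` after the `sign` line in the second hunk so the operator can confirm the groups and networks before committing the file. The comma case is cheaply rejected in the first hunk by extending the apply function, `--apply 'gs: builtins.concatStringsSep "," (map (g: if builtins.match ".*,.*" g == null then g else throw ("nebula group contains a comma: " + g)) gs)'`, keeping to plain string concatenation because the script text is an indented Nix string where `${` would be interpolated by the outer file. The `writeShellApplication` body these two hunks belong to starts before the first hunk.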