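# Nebula overlay-network client for the NAS host.
#
# Joins the "jallen-nebula" network as an ordinary node (neither lighthouse
# nor relay). The CA certificate, host certificate and host key are referenced
# by sops secret path, so no key material is embedded in this file.
{
  config,
  lib,
  namespace,
  pkgs,
  ...
}:
with lib;
let
  name = "nebula";

  # Paths to the sops-managed secrets.
  # presumably declared in ./sops.nix (imported below); verify there.
  ca = config.sops.secrets."jallen-nas/nebula/ca-cert".path;
  cert = config.sops.secrets."jallen-nas/nebula/nas-cert".path;
  key = config.sops.secrets."jallen-nas/nebula/nas-key".path;

  # mkModule is a project helper; its exact wrapping of moduleConfig is not
  # visible from this file.
  nebulaConfig = lib.${namespace}.mkModule {
    inherit config name;
    description = "nebula";
    options = { };
    moduleConfig = {
      # Make the nebula CLI tools available on the host.
      environment.systemPackages = [ pkgs.nebula ];

      services.nebula.networks = {
        jallen-nebula = {
          enable = true;
          enableReload = true;

          # This host is a plain node: it neither answers discovery queries
          # nor forwards traffic for other nodes.
          isLighthouse = false;
          isRelay = false;

          inherit ca cert key;

          # Overlay address of the lighthouse and the public endpoint it is
          # reached at.
          lighthouses = [ "10.1.1.1" ];
          staticHostMap = {
            "10.1.1.1" = [ "mjallen.dev:4242" ];
          };

          settings = {
            firewall = {
              outbound = [
                {
                  # Allow all outbound traffic from this node
                  port = "any";
                  proto = "any";
                  host = "any";
                }
              ];
              inbound = [
                {
                  # Allow all inbound traffic to this node.
                  # NOTE(review): with port/proto/host all "any", the Nebula
                  # firewall does no filtering here; every host holding a
                  # certificate signed by this network's CA can reach every
                  # service this node exposes on the overlay interface.
                  # Consider restricting this rule to the ports the NAS is
                  # meant to serve and, where certificates carry groups, to
                  # the groups that need them.
                  port = "any";
                  proto = "any";
                  host = "any";
                }
              ];
            };
          };
        };
      };
    };
  };
in
{
  imports = [
    nebulaConfig
    ./sops.nix
  ];
}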