# NixOS module: joins this host to the "bbs" Nebula overlay network and,
# when that network is enabled, adds the lighthouse address as a nameserver.
{ config, lib, inputs, ... }:
let
  # Overlay address used as lighthouse, static-host-map key and nameserver.
  lighthouseIp = "10.7.0.1";

  # Directory holding the CA certificate and the per-host credentials.
  # NOTE(review): if inputs.self is the flake source (as the name suggests),
  # everything below this path is copied into /nix/store, which is readable
  # by every local user by default. That is fine for ca.crt and the host
  # certificate, but the private key should be confirmed to be protected
  # (e.g. supplied from a runtime secret path with restrictive permissions
  # rather than from the store) -- TODO confirm how secrets/ is handled.
  secretsDir = "${inputs.self}/secrets/nebula";

  # Per-host files are named "<hostName>.bbs.lan.<ext>".
  hostCredential = ext:
    "${secretsDir}/${config.networking.hostName}.bbs.lan.${ext}";

  # Overlay firewall rules.
  allowAllOutbound = { port = "any"; proto = "any"; host = "any"; };
  allowIcmpInbound = { port = "any"; proto = "icmp"; host = "any"; };
  # SSH is only accepted from peers matching the "bailey" group; all other
  # inbound traffic except ICMP is left unlisted.
  allowSshFromGroup = { port = 22; proto = "tcp"; group = "bailey"; };
in
{
  services.nebula.networks.bbs = {
    # mkDefault lets another module override the platform-derived default.
    enable = lib.mkDefault config.mtxyz.platform.private;

    ca = "${secretsDir}/ca.crt";
    cert = hostCredential "crt";
    key = hostCredential "key";

    # Public underlay endpoint at which the lighthouse can be reached.
    staticHostMap = {
      ${lighthouseIp} = [ "5.161.60.61:4242" ];
    };
    lighthouses = [ lighthouseIp ];

    firewall = {
      outbound = [ allowAllOutbound ];
      # The SSH rule is only added on hosts that actually run sshd.
      inbound =
        [ allowIcmpInbound ]
        ++ lib.optionals config.services.openssh.enable [ allowSshFromGroup ];
    };

    settings = {
      punchy = {
        punch = true;
      };
    };
  };

  # NOTE(review): presumably the lighthouse also serves DNS for the overlay;
  # that is not visible in this module -- verify against the lighthouse config.
  networking.networkmanager.insertNameservers =
    lib.optionals config.services.nebula.networks.bbs.enable [ lighthouseIp ];
}