diff --git a/configuration.nix b/configuration.nix
index afd0e9e..232b1ce 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -102,6 +102,31 @@
 chroot = false;
 };
 
+ services.nebula.networks.beatific = {
+ enable = true;
+
+ # Network certificate and host credentials
+ ca = "/etc/nebula/beatific/ca.crt";
+ cert = "/etc/nebula/beatific/empyrean.crt";
+ key = "/etc/nebula/beatific/empyrean.key";
+
+ # This host has a well-known IP at prgmr, so it can function as a lighthouse/entry node
+ isLighthouse = true;
+
+ # Listen to connection requests from the public Internet
+ listen.port = 4242;
+ listen.host = "vpn.alogoulogoi.com";
+
+ # Don't filter anything at the VPN level.
+ firewall.outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
+ firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
+
+ settings = {
+ # Enable UDP holepunching both ways, which allows nodes to establish more direct connections with each other
+ punchy = { punch = true; response = true; };
+ };
+ };
+
 networking.firewall = {
 enable = true;
 allowPing = true;
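Review bot: The allow-all `firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];` on a lighthouse that listens on the public Internet leaves the overlay with no segmentation, so every host holding a certificate signed by this CA can reach every port this machine exposes on the Nebula interface. The `networking.firewall` block continues outside this hunk, so whether the host firewall filters that interface is not visible here; unless it does, I would narrow the rule to what the node actually serves, for example `firewall.inbound = [ { port = "any"; proto = "icmp"; host = "any"; } { port = 22; proto = "tcp"; group = "admin"; } ];`, where the port and the `admin` group are illustrative placeholders. The comment `# Don't filter anything at the VPN level.` should also name the layer that is expected to filter instead, e.g. `# Overlay traffic is filtered by networking.firewall on the Nebula interface, not here.` Separately, the string path for `key` keeps the private key out of the Nix store, but nothing in this hunk sets its ownership or mode, so confirm that `/etc/nebula/beatific/empyrean.key` is readable only by the Nebula service user.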