diff --git a/configuration.nix b/configuration.nix
index 3b9f270..020d566 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -155,13 +155,32 @@
 };
 };*/
- /*services.tinc.networks = {
- beatific = {
- name = "catacomb";
- listenAddress = "0.0.0.0";
- chroot = false;
+ services.nebula.networks.beatific = {
+ enable = true;
+
+ # Network certificate and host credentials
+ ca = "/etc/nebula/beatific/beatific.crt";
+ cert = "/etc/nebula/beatific/catacomb.crt";
+ key = "/etc/nebula/beatific/catacomb.key";
+
+ listen.port = 4242;
+
+ # Connect to the lighthouse at empyrean
+ # Note that this is a VPN address, not a public address
+ lighthouses = [ "10.22.20.1" ];
+
+ # Map the lighthouse address to its public address
+ staticHostMap = { "10.22.20.1" = [ "vpn.alogoulogoi.com:4242" ]; };
+
+ # Don't filter anything at the VPN level
+ firewall.outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
+ firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
+
+ settings = {
+ # Enable UDP holepunching both ways, which allows nodes to establish more direct connections with each other
+ punchy = { punch = true; response = true; };
 };
- };*/
+ };
 services.zfs = {
 autoScrub = {
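Review bot: `firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];` lets every host holding a certificate signed by the beatific CA reach every service catacomb binds on the Nebula interface, so one compromised or mis-issued node certificate exposes the whole machine. The comment says filtering is deliberately not done at the VPN level, but the hunk does not show where it is done instead; if the host firewall is meant to cover the Nebula interface, say so, e.g. `# Inbound filtering is done by the host firewall, not by Nebula`. Otherwise narrow the inbound rule to the services actually offered, for instance `firewall.inbound = [ { port = 22; proto = "tcp"; host = "any"; } ];` (port chosen for illustration only), and leave `firewall.outbound` open. Separately, `key = "/etc/nebula/beatific/catacomb.key"` is a quoted path outside the Nix store, which keeps the private key out of world-readable store paths; the file should be readable only by the account the Nebula service runs as.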