diff --git a/ansible/group_vars/all/nebula.yml b/ansible/group_vars/all/nebula.yml
new file mode 100644
index 0000000..6d68e39
--- /dev/null
+++ b/ansible/group_vars/all/nebula.yml
@@ -0,0 +1,5 @@
+nebula:
+ subnet: 10.23.2.0/24
+ clients:
+ casey:
+ ip: 10.23.2.1
diff --git a/ansible/host_vars/casey.yml b/ansible/host_vars/casey.yml
new file mode 100644
index 0000000..5416696
--- /dev/null
+++ b/ansible/host_vars/casey.yml
@@ -0,0 +1 @@
+nebula_is_lighthouse: true
diff --git a/ansible/main.yml b/ansible/main.yml
index 4081073..c1f0529 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -12,6 +12,7 @@
 - hosts: casey
 roles:
 - gateway
+ - nebula
 - hosts:
 - walker
diff --git a/ansible/roles/nebula/defaults/main.yml b/ansible/roles/nebula/defaults/main.yml
new file mode 100644
index 0000000..7c5e620
--- /dev/null
+++ b/ansible/roles/nebula/defaults/main.yml
@@ -0,0 +1 @@
+nebula_is_lighthouse: false
diff --git a/ansible/roles/nebula/files/nebula.yml b/ansible/roles/nebula/files/nebula.yml
new file mode 100644
index 0000000..eeff9b8
--- /dev/null
+++ b/ansible/roles/nebula/files/nebula.yml
@@ -0,0 +1,55 @@
+pki:
+ ca: /etc/nebula/ca.crt
+ cert: /etc/nebula/host.crt
+ key: /etc/nebula/host.key
+
+static_host_map:
+ "{{ nebula_lighthouse_ip }}": ["{{ nebula_lighthouse_public_ip }}:{{ nebula_lighthouse_port }}"]
+
+
+lighthouse:
+ am_lighthouse: "{{ nebula_is_lighthouse | lower }}"
+ interval: 60
+ hosts:
+ {% if not nebula_is_lighthouse %}
+ - "{{ nebula_lighthouse_ip }}"
+ {% endif %}
+
+listen:
+ host: 0.0.0.0
+ port: "{{ nebula_is_lighthouse | ternary(nebula_lighthouse_port, 0) }}"
+
+punchy:
+ punch: true
+
+tun:
+ disabled: false
+ dev: nebula1
+ drop_local_broadcast: false
+ drop_multicast: false
+ tx_queue: 500
+ mtu: 1300
+ routes:
+ unsafe_routes:
+
+
+logging:
+ level: info
+ format: text
+
+firewall:
+ conntrack:
+ tcp_timeout: 12m
+ udp_timeout: 3m
+ default_timeout: 10m
+ max_connections: 100000
+
+ outbound:
+ - port: any
+ proto: any
+ host: any
+
+ inbound:
+ - port: any
+ proto: any
+ host: any
diff --git a/ansible/roles/nebula/tasks/main.yml b/ansible/roles/nebula/tasks/main.yml
new file mode 100644
index 0000000..6206a6c
--- /dev/null
+++ b/ansible/roles/nebula/tasks/main.yml
@@ -0,0 +1,19 @@
+- name: Install Nebula
+ package:
+ name: nebula
+ when: ansible_os_family == 'Archlinux'
+ become: true
+
+- name: Create nebula directory
+ file:
+ path: /etc/nebula
+ state: directory
+ mode: "0700"
+ become: true
+
+- name: Install nebula config
+ template:
+ src: files/nebula.yml
+ dest: /etc/nebula/config.yml
+ mode: "0600"
+ become: true
diff --git a/ansible/roles/nebula/vars/main.yml b/ansible/roles/nebula/vars/main.yml
new file mode 100644
index 0000000..bb08500
--- /dev/null
+++ b/ansible/roles/nebula/vars/main.yml
@@ -0,0 +1,3 @@
+nebula_lighthouse_public_ip: "{{ hosts.casey_ip }}"
+nebula_lighthouse_ip: "{{ nebula.clients.casey.ip }}"
+nebula_lighthouse_port: 6328
diff --git a/ansible/yamllint.yml b/ansible/yamllint.yml
index 24ad3bb..123d4b1 100644
--- a/ansible/yamllint.yml
+++ b/ansible/yamllint.yml
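Review bot: The `firewall.inbound` rule at the end of the hunk admits any port and any protocol from any overlay host, so every peer holding a certificate from this CA can reach every service on the node, including the gateway host casey. Nebula's host firewall is the only access control on the overlay once a peer is admitted, so the inbound list should be narrowed to what each host actually serves, starting from `- port: any` / `proto: icmp` / `host: any` and adding explicit per-service entries scoped by port and group. The rendered `am_lighthouse` and `listen.port` values are quoted, so Nebula receives strings rather than a bool and an int; it appears to coerce them, but emitting them unquoted avoids depending on that. On the lighthouse itself the `{% if %}` block leaves `hosts:` with no value, which parses as null rather than an empty list; `hosts: []` as the default with the conditional only adding the entry would make the intent explicit.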
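Review bot: The template task writes a config that points at `/etc/nebula/ca.crt`, `host.crt` and `host.key`, but no task in this hunk places those files and nothing enables, starts or restarts the `nebula` service, so a run leaves the daemon unable to start or, if already running, on its previous config. Add a task that installs the CA and per-host certificate and key (the key with `mode: "0600"`, sourced from Ansible Vault or a secret store rather than plain files in the repo) and a `systemd` task with `enabled: true` and `state: started`, with the template task notifying a restart handler. The `package` task is gated on `when: ansible_os_family == 'Archlinux'`, so any other family gets the config without the binary; either fail early on unsupported families or remove the guard. Keeping the template under `templates/` instead of `files/nebula.yml` would follow Ansible's lookup convention and let `src: nebula.yml` suffice.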
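Review bot: `nebula_lighthouse_port: 6328` and the two lighthouse addresses are placed in `vars/main.yml`, which ranks above inventory and play vars in Ansible's precedence, so they cannot be overridden per host or per environment; `defaults/main.yml` is the conventional home for such tunables. The two address lookups also hard-wire casey as the lighthouse independently of `nebula_is_lighthouse`, so setting that flag on another host would not change which address peers dial, which is worth a comment if intentional.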
@@ -4,6 +4,7 @@ ignore: |
 ansible/galaxy_roles
 ansible/group_vars/all/hosts.yml
 ansible/roles/traefik/files/traefik.yml
+ ansible/roles/nebula/files/nebula.yml
 rules:
 document-start: disable
diff --git a/terraform/casey_vps.tf b/terraform/casey_vps.tf
index 7794fff..255f33a 100644
--- a/terraform/casey_vps.tf
+++ b/terraform/casey_vps.tf
@@ -57,3 +57,10 @@ resource "vultr_firewall_rule" "casey_mc" {
 from_port = 25566
 network = "0.0.0.0/0"
 }
+
+resource "vultr_firewall_rule" "casey_nebula" {
+ firewall_group_id = vultr_firewall_group.casey.id
+ protocol = "tcp"
+ from_port = 6328
+ network = "0.0.0.0/0"
+}
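Review bot: `protocol = "tcp"` in the new `casey_nebula` rule does not match Nebula's transport, which is UDP; the lighthouse `listen` port 6328 configured in `nebula.yml` is a UDP socket, so this rule exposes an unused TCP port while the one peers need stays filtered and no client will reach the lighthouse. Change it to `protocol = "udp"`. The port number is duplicated between `nebula_lighthouse_port` in the Ansible role vars and this literal; a comment on each pointing at the other, or a single shared source, would keep them from drifting apart.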