From 2aba83de58982d9fdb08fed66857fc96eaf894bd Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Mon, 2 Mar 2026 16:54:07 +0100
Subject: [PATCH] nameservers: Specify ports

---
 modules/nixos/networking/overlay.nix | 5 ++++-
 modules/nixos/services/nameservers/private.nix | 12 +++++++++---
 modules/nixos/services/nameservers/public.nix | 16 ++++++++++------
 3 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/modules/nixos/networking/overlay.nix b/modules/nixos/networking/overlay.nix
index 3783352..86c891e 100644
--- a/modules/nixos/networking/overlay.nix
+++ b/modules/nixos/networking/overlay.nix
@@ -64,7 +64,10 @@ in
 allHosts
 |> lib.attrValues
 |> lib.filter (host: host.config.custom.services.private-nameserver.enable)
- |> lib.map (host: host.config.custom.networking.overlay.address);
+ |> lib.map (
+ host:
+ "${host.config.custom.networking.overlay.address}:${toString host.config.custom.services.private-nameserver.port}"
+ );
 };

 implementation = lib.mkOption {
diff --git a/modules/nixos/services/nameservers/private.nix b/modules/nixos/services/nameservers/private.nix
index b19982e..e790be2 100644
--- a/modules/nixos/services/nameservers/private.nix
+++ b/modules/nixos/services/nameservers/private.nix
@@ -58,18 +58,24 @@ let
 };
 in
 {
- options.custom.services.private-nameserver.enable = lib.mkEnableOption "";
+ options.custom.services.private-nameserver = {
+ enable = lib.mkEnableOption "";
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 5335;
+ };
+ };

 config = lib.mkIf cfg.enable {
 services = {
 nsd = {
 enable = true;
- interfaces = [ netCfg.overlay.interface ];
+ interfaces = [ "${netCfg.overlay.address}@${toString cfg.port}" ];
 zones.${netCfg.overlay.domain}.data = zoneData;
 };

 nebula.networks.mesh.firewall.inbound = lib.singleton {
- port = 53;
+ inherit (cfg) port;
 proto = "any";
 host = "any";
 };
diff --git a/modules/nixos/services/nameservers/public.nix b/modules/nixos/services/nameservers/public.nix
index 79dbd6d..702c4e4 100644
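Review bot: The new `lib.map` body in overlay.nix joins address and port with a bare `:`, which is unambiguous only for IPv4; if an overlay address is ever IPv6 the value needs brackets, for example `"[${addr}]:${toString port}"`. The default also changes shape from a bare address to `address:port`, so the option's type and description, which start outside this hunk, and every consumer of the list have to accept that form. A resolver that rejects the entry may fall back to other DNS servers and send overlay names off the mesh, so the consumers are worth checking before this lands. A comment on the lambda naming the consumer that expects `ip:port` would make the dependency visible, since NSD in private.nix is given `ip@port` for the same pair.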
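Review bot: The new `port` option under `options.custom.services.private-nameserver` has no `description`, and nothing says why the private server defaults to 5335 rather than 53; the `port` option added in the first public.nix hunk has the same gap. I would add `description = "UDP/TCP port NSD listens on at the overlay address.";` and a short comment next to `default = 5335;` giving the reason for the non-standard port. Because 5335 lies above the privileged range, that comment should also record that on a default Linux configuration any local process can bind the port while nsd is not running, so the listener is protected only by nsd holding the socket. The `config` block continues past the end of this hunk.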
--- a/modules/nixos/services/nameservers/public.nix
+++ b/modules/nixos/services/nameservers/public.nix
@@ -66,6 +66,10 @@ in
 {
 options.custom.services.public-nameserver = {
 enable = lib.mkEnableOption "";
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 53;
+ };
 zones = lib.mkOption {
 type = lib.types.nonEmptyListOf lib.types.nonEmptyStr;
 default = [ ];
@@ -73,14 +77,9 @@ in
 };

 config = lib.mkIf cfg.enable {
- networking.firewall = {
- allowedTCPPorts = [ 53 ];
- allowedUDPPorts = [ 53 ];
- };
-
 services.nsd = {
 enable = true;
- interfaces = [ netCfg.underlay.interface ];
+ interfaces = [ "${netCfg.underlay.address}@${toString cfg.port}" ];
 zones =
 cfg.zones
 |> lib.map (zone: {
@@ -89,5 +88,10 @@ in
 })
 |> lib.listToAttrs;
 };
+
+ networking.firewall = {
+ allowedTCPPorts = [ cfg.port ];
+ allowedUDPPorts = [ cfg.port ];
+ };
 };
 }
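Review bot: In the second public.nix hunk, binding NSD to `"${netCfg.underlay.address}@${toString cfg.port}"` listens on a single address, where the removed `netCfg.underlay.interface` entry named the whole interface. If the underlay interface carries further addresses, an IPv6 address for example, the public zones would no longer be served on them. `netCfg.underlay` is defined outside this diff, so this is an assumption to confirm. If it holds, either list every public address in `interfaces` or add a comment such as `# only the primary underlay address is served` so the narrowing is deliberate.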