diff --git a/modules/system/networking.nix b/modules/system/networking.nix
index bf52aec..2284e56 100644
--- a/modules/system/networking.nix
+++ b/modules/system/networking.nix
@@ -21,18 +21,15 @@ in
     overlay = {
       networkAddress = lib.mkOption {
         type = lib.types.nonEmptyStr;
-        default = "10.254.250.0";
-        readOnly = true;
+        default = "";
       };
       prefixLength = lib.mkOption {
-        type = lib.types.ints.between 0 32;
-        default = 24;
-        readOnly = true;
+        type = lib.types.nullOr (lib.types.ints.between 0 32);
+        default = null;
       };
       domain = lib.mkOption {
         type = lib.types.nonEmptyStr;
-        default = "splitleaf.de";
-        readOnly = true;
+        default = "";
       };
 
       address = lib.mkOption {
@@ -41,11 +38,11 @@ in
       };
       interface = lib.mkOption {
         type = lib.types.nonEmptyStr;
-        default = "nebula";
+        default = "";
       };
       systemdUnit = lib.mkOption {
         type = lib.types.nonEmptyStr;
-        default = "nebula@mesh.service";
+        default = "";
       };
 
       dnsServers = lib.mkOption {
diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix
index 330c6a3..423f5f6 100644
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@@ -30,6 +30,14 @@ in
       message = "'${netCfg.hostname}' is a Nebula lighthouse, but underlay.isPublic is not set. Lighthouses must be publicly reachable.";
     };
 
+    custom.networking.overlay = {
+      networkAddress = "10.254.250.0";
+      prefixLength = 24;
+      domain = "splitleaf.de";
+      interface = "nebula";
+      systemdUnit = "nebula@mesh.service";
+    };
+
     meta.ports.udp = lib.optional netCfg.underlay.isPublic publicPort;
 
     sops.secrets."nebula/host-key" = {