From cb8d793df3babd7df787174c6e7a5068b91c576d Mon Sep 17 00:00:00 2001
From: SebastianStork <git@sstork.dev>
Date: Mon, 2 Mar 2026 01:20:24 +0100
Subject: [PATCH] nebula: Only route traffic from the overlay domain over the
 interface

---
 modules/nixos/services/nebula/default.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/nixos/services/nebula/default.nix b/modules/nixos/services/nebula/default.nix
index 45e2a7c..a681c93 100644
--- a/modules/nixos/services/nebula/default.nix
+++ b/modules/nixos/services/nebula/default.nix
@@ -132,7 +132,10 @@ in
         matchConfig.Name = netCfg.overlay.interface;
         address = [ netCfg.overlay.cidr ];
         dns = netCfg.overlay.dnsServers;
-        domains = [ netCfg.overlay.domain ];
+        domains = [
+          "~${netCfg.overlay.domain}"
+          netCfg.overlay.domain
+        ];
         networkConfig.DNSSEC = false;
       };
     };