diff --git a/flake-parts/scripts.nix b/flake-parts/scripts.nix
index 37d9ead..7308cc4 100644
--- a/flake-parts/scripts.nix
+++ b/flake-parts/scripts.nix
@@ -7,19 +7,19 @@
 lib,
 ...
 }:
- let
- mkScript = file: rec {
- name =
- file
- |> lib.unsafeDiscardStringContext
- |> lib.removePrefix "${self}/scripts/"
- |> lib.removeSuffix ".nix"
- |> lib.replaceString "/" "-";
- value = pkgs.writeShellApplication ({ inherit name; } // import file { inherit self' pkgs lib; });
- };
- in
 {
 packages =
- "${self}/scripts" |> lib.filesystem.listFilesRecursive |> lib.map mkScript |> lib.listToAttrs;
+ "${self}/scripts"
+ |> lib.filesystem.listFilesRecursive
+ |> lib.map (file: {
+ name =
+ file
+ |> lib.unsafeDiscardStringContext
+ |> lib.removePrefix "${self}/scripts/"
+ |> lib.removeSuffix ".nix"
+ |> lib.replaceString "/" "-";
+ value = import file { inherit self' pkgs lib; };
+ })
+ |> lib.listToAttrs;
 };
 }
diff --git a/flake-parts/tests.nix b/flake-parts/tests.nix
index a460fb4..221d65b 100644
--- a/flake-parts/tests.nix
+++ b/flake-parts/tests.nix
@@ -2,25 +2,27 @@
 {
 perSystem =
 { pkgs, lib, ... }:
- let
- mkTest = dir: rec {
- name = "${dir}-test";
- value = pkgs.testers.runNixOSTest (
- {
- inherit name;
- }
- // import "${self}/tests/${dir}" {
- inherit
- inputs
- self
- pkgs
- lib
- ;
- }
- );
- };
- in
 {
- checks = "${self}/tests" |> builtins.readDir |> lib.attrNames |> lib.map mkTest |> lib.listToAttrs;
+ checks =
+ "${self}/tests"
+ |> builtins.readDir
+ |> lib.attrNames
+ |> lib.map (name: {
+ name = "${name}-test";
+ value = pkgs.testers.runNixOSTest (
+ {
+ name = "${name}-test";
+ }
+ // import "${self}/tests/${name}" {
+ inherit
+ inputs
+ self
+ pkgs
+ lib
+ ;
+ }
+ );
+ })
+ |> lib.listToAttrs;
 };
 }
diff --git a/flake.nix b/flake.nix
index e4dad29..67951df 100644
--- a/flake.nix
+++ b/flake.nix
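Review bot: In flake-parts/scripts.nix the package attribute name is still derived from the file path, while each script file now hard-codes its own `name` in `pkgs.writeShellApplication` (for example `nebula-recert-host` in scripts/nebula/recert-host.nix), so the two can drift apart silently when a file is moved or renamed. Because the lambda no longer wraps the import, every file that `listFilesRecursive` finds under scripts/ must now itself evaluate to a derivation. I would record that contract above the `lib.map` call, e.g. `# each scripts/<a>/<b>.nix must return a derivation named "<a>-<b>"; the attribute name below comes from the path`, or pass the derived name into the import so there is one source of truth.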
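Review bot: In flake-parts/tests.nix the lambda parameter `name` is reused as an attribute key and `"${name}-test"` is now spelled twice; this evaluates as intended only because the attribute set is no longer `rec`, which is easy to break in a later edit. Keeping the directory and the check name distinct reads more safely: `lib.map (dir: let name = "${dir}-test"; in { inherit name; value = pkgs.testers.runNixOSTest ({ inherit name; } // import "${self}/tests/${dir}" { inherit inputs self pkgs lib; }); })`.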
@@ -70,6 +70,6 @@
 ./flake-parts
 |> builtins.readDir
 |> builtins.attrNames
- |> builtins.map (name: ./flake-parts/${name});
+ |> builtins.map (name: ./flake-parts + "/${name}");
 };
 }
diff --git a/modules/system/networking/overlay.nix b/modules/system/networking/overlay.nix
index 7894900..243e558 100644
--- a/modules/system/networking/overlay.nix
+++ b/modules/system/networking/overlay.nix
@@ -11,7 +11,7 @@ in
 options.custom.networking.overlay = {
 networkCidr = lib.mkOption {
 type = lib.types.nonEmptyStr;
- default = "10.254.250.0/24";
+ default = "";
 };
 networkAddress = lib.mkOption {
 type = lib.types.nonEmptyStr;
@@ -25,7 +25,7 @@ in
 };
 domain = lib.mkOption {
 type = lib.types.nonEmptyStr;
- default = "splitleaf.de";
+ default = "";
 };
 fqdn = lib.mkOption {
 type = lib.types.nonEmptyStr;
@@ -43,11 +43,11 @@ in
 };
 interface = lib.mkOption {
 type = lib.types.nonEmptyStr;
- default = "nebula";
+ default = "";
 };
 systemdUnit = lib.mkOption {
 type = lib.types.nonEmptyStr;
- default = "nebula@mesh.service";
+ default = "";
 };
 isLighthouse = lib.mkEnableOption "";
diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix
index 27956ee..d34e286 100644
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@@ -51,6 +51,13 @@ in
 message = "`${netCfg.hostName}` is a Nebula lighthouse, but `underlay.isPublic` is not set. Lighthouses must be publicly reachable.";
 };
+ custom.networking.overlay = {
+ networkCidr = "10.254.250.0/24";
+ domain = "splitleaf.de";
+ interface = "nebula";
+ systemdUnit = "nebula@mesh.service";
+ };
+
 sops.secrets."nebula/host-key" = lib.mkIf (cfg.privateKeyPath == null) {
 owner = config.users.users.nebula-mesh.name;
 restartUnits = [ "nebula@mesh.service" ];
diff --git a/scripts/install-anywhere.nix b/scripts/install-anywhere.nix
index 5fbd3b0..17e5c0b 100644
--- a/scripts/install-anywhere.nix
+++ b/scripts/install-anywhere.nix
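Review bot: `default = ""` on an option typed `lib.types.nonEmptyStr` (networkCidr in the first overlay.nix hunk, and domain, interface and systemdUnit in the hunks at -25 and -43) is a default that cannot satisfy the option's own type. As far as I know the module system type-checks defaults when the option is read, so a host that reads these without the Nebula module defining them would get a type error instead of the clearer "option has no value defined" message. Dropping the `default` line altogether expresses "required" directly. It also removes the risk that a later relaxation of the type to `str` lets an empty CIDR, interface or unit name flow into whatever consumes these options; the consumers are not visible in this diff.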
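Review bot: The overlay values in modules/system/services/nebula/default.nix are assigned at normal priority, so a host that sets, say, `custom.networking.overlay.networkCidr` itself would now hit a conflicting-definition error where it previously just overrode the option default. Wrapping them keeps the old override behaviour: `networkCidr = lib.mkDefault "10.254.250.0/24";`, and likewise for domain, interface and systemdUnit. The context line `restartUnits = [ "nebula@mesh.service" ];` just below still repeats the unit name as a literal and could read the option instead. The enclosing config block starts and ends outside the hunk, so whether this assignment is guarded by the module's enable flag cannot be checked from here.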
@@ -1,5 +1,7 @@
 { pkgs, ... }:
-{
+pkgs.writeShellApplication {
+ name = "install-anywhere";
+
 runtimeInputs = [
 pkgs.sops
 pkgs.ssh-to-age
diff --git a/scripts/nebula/recert-all-hosts.nix b/scripts/nebula/recert-all-hosts.nix
index e70c09b..f7526b6 100644
--- a/scripts/nebula/recert-all-hosts.nix
+++ b/scripts/nebula/recert-all-hosts.nix
@@ -1,5 +1,7 @@
 { self', pkgs, ... }:
-{
+pkgs.writeShellApplication {
+ name = "nebula-recert-all-hosts";
+
 runtimeInputs = [
 pkgs.bitwarden-cli
 pkgs.jq
diff --git a/scripts/nebula/recert-host.nix b/scripts/nebula/recert-host.nix
index 50cf6f3..1aff425 100644
--- a/scripts/nebula/recert-host.nix
+++ b/scripts/nebula/recert-host.nix
@@ -1,5 +1,7 @@
 { pkgs, ... }:
-{
+pkgs.writeShellApplication {
+ name = "nebula-recert-host";
+
 runtimeInputs = [
 pkgs.nebula
 pkgs.bitwarden-cli