From 4721da9b3a9793515b1995b6a3ab21970c85f545 Mon Sep 17 00:00:00 2001
From: SebastianStork <git@sstork.dev>
Date: Tue, 3 Mar 2026 14:43:20 +0100
Subject: [PATCH 1/3] nebula: Don't override dnssec configuration

---
 modules/nixos/services/nebula/default.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/nixos/services/nebula/default.nix b/modules/nixos/services/nebula/default.nix
index 45e2a7c..2fa908f 100644
--- a/modules/nixos/services/nebula/default.nix
+++ b/modules/nixos/services/nebula/default.nix
@@ -133,7 +133,6 @@ in
         address = [ netCfg.overlay.cidr ];
         dns = netCfg.overlay.dnsServers;
         domains = [ netCfg.overlay.domain ];
-        networkConfig.DNSSEC = false;
       };
     };
   };

From 5fd78c276b577b879a98109eab67f3428e9ce8c3 Mon Sep 17 00:00:00 2001
From: SebastianStork <git@sstork.dev>
Date: Tue, 3 Mar 2026 14:44:53 +0100
Subject: [PATCH 2/3] underlay: Remove underlay dns servers

---
 modules/nixos/networking/underlay.nix | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/modules/nixos/networking/underlay.nix b/modules/nixos/networking/underlay.nix
index 1c928ae..20f9efa 100644
--- a/modules/nixos/networking/underlay.nix
+++ b/modules/nixos/networking/underlay.nix
@@ -56,11 +56,6 @@ in
             Gateway = cfg.gateway;
             GatewayOnLink = true;
           };
-          dns = lib.mkIf (!cfg.useDhcp) [
-            "1.1.1.1#cloudflare-dns.com"
-            "8.8.8.8#dns.google"
-            "9.9.9.9#dns.quad9.net"
-          ];
         };
       };
 

From e728fe43bbafec045abbbbdf0608814037e36ec0 Mon Sep 17 00:00:00 2001
From: SebastianStork <git@sstork.dev>
Date: Tue, 3 Mar 2026 15:22:57 +0100
Subject: [PATCH 3/3] nameservers/recursive: Prefetch to keep cache up to date

---
 modules/nixos/services/nameservers/recursive.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/nixos/services/nameservers/recursive.nix b/modules/nixos/services/nameservers/recursive.nix
index dd807a0..914e12b 100644
--- a/modules/nixos/services/nameservers/recursive.nix
+++ b/modules/nixos/services/nameservers/recursive.nix
@@ -31,6 +31,7 @@ in
             settings.server = {
               interface = [ "${netCfg.overlay.address}@${toString cfg.port}" ];
               access-control = [ "${toString netCfg.overlay.networkCidr} allow" ];
+              prefetch = true;
             };
           };