diff --git a/flake.lock b/flake.lock
index b92fc21..8bef5bf 100644
--- a/flake.lock
+++ b/flake.lock
@@ -16,6 +16,22 @@
 "type": "github"
 }
 },
+ "blocklist": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1773514984,
+ "narHash": "sha256-c6qB3i3wetKEp/uD+dR51v9Izbshhy+ECqi2K+1HSoc=",
+ "owner": "StevenBlack",
+ "repo": "hosts",
+ "rev": "24b12bd67d953a1afbfed3ae85c080b033b47c36",
+ "type": "github"
+ },
+ "original": {
+ "owner": "StevenBlack",
+ "repo": "hosts",
+ "type": "github"
+ }
+ },
 "comin": {
 "inputs": {
 "flake-compat": "flake-compat",
@@ -353,6 +369,7 @@
 "root": {
 "inputs": {
 "betterfox": "betterfox",
+ "blocklist": "blocklist",
 "comin": "comin",
 "disko": "disko",
 "dns": "dns",
diff --git a/flake.nix b/flake.nix
index c49c660..c7a0fd7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -80,6 +80,11 @@
 url = "github:iBigQ/radicale-birthday-calendar";
 flake = false;
 };
+
+ blocklist = {
+ url = "github:StevenBlack/hosts";
+ flake = false;
+ };
 };
 outputs =
diff --git a/modules/nixos/networking/default.nix b/modules/nixos/networking/default.nix
index b3e2c4f..653e790 100644
--- a/modules/nixos/networking/default.nix
+++ b/modules/nixos/networking/default.nix
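Review bot: The new `blocklist` input in flake.nix has no comment saying what it provides or which module reads `inputs.blocklist`; nothing else in this diff references it, so presumably the consumer lives outside the change. Because `flake = false` pulls in the raw StevenBlack/hosts repository, and the lock pins it to a `rev` and `narHash`, a one-line comment would let a reader see at a glance what is being fetched and why, e.g. `# Unified hosts-file blocklist (raw repo, pinned in flake.lock); consumed by <consuming module>`. The `inputs` attribute set continues outside the hunk.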
@@ -1,9 +1,40 @@
-{ config, lib, ... }: {
- options.custom.networking.hostName = lib.mkOption {
- type = lib.types.nonEmptyStr;
- default = config.networking.hostName;
- readOnly = true;
+ config,
+ lib,
+ allHosts,
+ ...
+}:
+let
+ cfg = config.custom.networking;
+in
+{
+ options.custom.networking = {
+ hostName = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = config.networking.hostName;
+ readOnly = true;
+ };
+
+ nodes = lib.mkOption {
+ type = lib.types.listOf lib.types.attrs;
+ default =
+ allHosts
+ |> lib.attrValues
+ |> lib.map (host: host.config.custom.networking)
+ |> lib.map (
+ node:
+ lib.removeAttrs node [
+ "nodes"
+ "peers"
+ ]
+ );
+ readOnly = true;
+ };
+ peers = lib.mkOption {
+ type = lib.types.listOf lib.types.attrs;
+ default = cfg.nodes |> lib.filter (node: node.hostName != cfg.hostName);
+ readOnly = true;
+ };
 };
 config = {
diff --git a/modules/nixos/services/nameservers/private.nix b/modules/nixos/services/nameservers/private.nix
index 85c8d3f..e790be2 100644
--- a/modules/nixos/services/nameservers/private.nix
+++ b/modules/nixos/services/nameservers/private.nix
@@ -33,9 +33,7 @@ let
 };
 nodeRecords =
- allHosts
- |> lib.attrValues
- |> lib.map (host: host.config.custom.networking)
+ netCfg.nodes
 |> lib.map (node: {
 name = node.hostName;
 inherit (node.overlay) address;
diff --git a/modules/nixos/services/nebula/default.nix b/modules/nixos/services/nebula/default.nix
index 41d2bc4..7b96f61 100644
--- a/modules/nixos/services/nebula/default.nix
+++ b/modules/nixos/services/nebula/default.nix
@@ -10,10 +10,7 @@ let
 netCfg = config.custom.networking;
 lighthouses =
- allHosts
- |> lib.attrValues
- |> lib.map (host: host.config.custom.networking)
- |> lib.filter (node: node.hostName != netCfg.hostName)
+ netCfg.peers
 |> lib.filter (peer: peer.overlay.isLighthouse)
 |> lib.map (lighthouse: lighthouse.overlay.address);
 in
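Review bot: Neither `nodes` nor `peers` carries a `description`, and `listOf lib.types.attrs` says nothing about the shape of each element, so a reader has to trace `allHosts` to learn that every entry is another host's `custom.networking` config. The `lib.removeAttrs node [ "nodes" "peers" ]` step is likewise undocumented; it presumably exists so that an entry does not itself carry the whole fleet again, which deserves a why-comment such as `# strip the fleet-wide options so each entry holds only that host's own settings`. Suggested descriptions: `description = "custom.networking of every host in allHosts, minus nodes/peers";` for `nodes` and `description = "nodes excluding this host, matched on hostName";` for `peers`. Note that `peers` drops entries by `hostName` equality only, so it silently depends on hostNames being unique across `allHosts`, and nothing in the hunk asserts that. The enclosing attribute set continues past `config = {` outside the hunk.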
diff --git a/modules/nixos/web-services/scrutiny.nix b/modules/nixos/web-services/scrutiny.nix
index 0789008..e0be952 100644
--- a/modules/nixos/web-services/scrutiny.nix
+++ b/modules/nixos/web-services/scrutiny.nix
@@ -1,9 +1,4 @@
-{
- config,
- self,
- lib,
- ...
-}:
+{ config, lib, ... }:
 let
 cfg = config.custom.web-services.scrutiny;
 in
@@ -21,11 +16,6 @@ in
 };
 config = lib.mkIf cfg.enable {
- assertions = lib.singleton {
- assertion = self.lib.isPrivateDomain cfg.domain;
- message = self.lib.mkUnprotectedMessage "Scrutiny";
- };
-
 services.scrutiny = {
 enable = true;
 settings.web.listen = {
diff --git a/modules/nixos/web-services/searxng.nix b/modules/nixos/web-services/searxng.nix
index c79ab0d..ff83745 100644
--- a/modules/nixos/web-services/searxng.nix
+++ b/modules/nixos/web-services/searxng.nix
@@ -1,9 +1,4 @@
-{
- config,
- self,
- lib,
- ...
-}:
+{ config, lib, ... }:
 let
 cfg = config.custom.web-services.searxng;
 in
@@ -21,11 +16,6 @@ in
 };
 config = lib.mkIf cfg.enable {
- assertions = lib.singleton {
- assertion = self.lib.isPrivateDomain cfg.domain;
- message = self.lib.mkUnprotectedMessage "SearXNG";
- };
-
 services.searx = {
 enable = true;
 settings = {
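Review bot: The removed `assertions` block was the only visible guard that refused to evaluate Scrutiny with a `cfg.domain` for which `self.lib.isPrivateDomain` is false, and nothing on the new side of this hunk replaces it; the `self` argument is dropped from the module header in the first hunk too, so the check cannot simply have moved within this file. The same removal appears in the searxng.nix hunk around `services.searx`. If the check now lives in a shared module that covers every `custom.web-services.*` domain, the commit message should name it; if not, the assertion should stay in both files (or be reinstated centrally), because without it a domain that fails `isPrivateDomain` is accepted with no evaluation-time error. The `config = lib.mkIf cfg.enable {` block continues outside the hunk.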