diff --git a/flake.lock b/flake.lock
index 8bef5bf..b92fc21 100644
--- a/flake.lock
+++ b/flake.lock
@@ -16,22 +16,6 @@ "type": "github" } }, - "blocklist": { - "flake": false, - "locked": { - "lastModified": 1773514984, - "narHash": "sha256-c6qB3i3wetKEp/uD+dR51v9Izbshhy+ECqi2K+1HSoc=", - "owner": "StevenBlack", - "repo": "hosts", - "rev": "24b12bd67d953a1afbfed3ae85c080b033b47c36", - "type": "github" - }, - "original": { - "owner": "StevenBlack", - "repo": "hosts", - "type": "github" - } - }, "comin": { "inputs": { "flake-compat": "flake-compat",
@@ -369,7 +353,6 @@ "root": { "inputs": { "betterfox": "betterfox", - "blocklist": "blocklist", "comin": "comin", "disko": "disko", "dns": "dns",
diff --git a/flake.nix b/flake.nix
index c7a0fd7..c49c660 100644
--- a/flake.nix
+++ b/flake.nix
@@ -80,11 +80,6 @@
 url = "github:iBigQ/radicale-birthday-calendar";
 flake = false;
 };
-
- blocklist = {
- url = "github:StevenBlack/hosts";
- flake = false;
- };
 };

 outputs =
diff --git a/modules/nixos/networking/default.nix b/modules/nixos/networking/default.nix
index 653e790..b3e2c4f 100644
--- a/modules/nixos/networking/default.nix
+++ b/modules/nixos/networking/default.nix
@@ -1,40 +1,9 @@
+{ config, lib, ... }:
 {
- config,
- lib,
- allHosts,
- ...
-}:
-let
- cfg = config.custom.networking;
-in
-{
- options.custom.networking = {
- hostName = lib.mkOption {
- type = lib.types.nonEmptyStr;
- default = config.networking.hostName;
- readOnly = true;
- };
-
- nodes = lib.mkOption {
- type = lib.types.listOf lib.types.attrs;
- default =
- allHosts
- |> lib.attrValues
- |> lib.map (host: host.config.custom.networking)
- |> lib.map (
- node:
- lib.removeAttrs node [
- "nodes"
- "peers"
- ]
- );
- readOnly = true;
- };
- peers = lib.mkOption {
- type = lib.types.listOf lib.types.attrs;
- default = cfg.nodes |> lib.filter (node: node.hostName != cfg.hostName);
- readOnly = true;
- };
+ options.custom.networking.hostName = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = config.networking.hostName;
+ readOnly = true;
 };

 config = {
diff --git a/modules/nixos/services/nameservers/private.nix b/modules/nixos/services/nameservers/private.nix
index e790be2..85c8d3f 100644
--- a/modules/nixos/services/nameservers/private.nix
+++ b/modules/nixos/services/nameservers/private.nix
@@ -33,7 +33,9 @@ let
 };

 nodeRecords =
- netCfg.nodes
+ allHosts
+ |> lib.attrValues
+ |> lib.map (host: host.config.custom.networking)
 |> lib.map (node: {
 name = node.hostName;
 inherit (node.overlay) address;
diff --git a/modules/nixos/services/nebula/default.nix b/modules/nixos/services/nebula/default.nix
index 7b96f61..41d2bc4 100644
--- a/modules/nixos/services/nebula/default.nix
+++ b/modules/nixos/services/nebula/default.nix
@@ -10,7 +10,10 @@ let
 netCfg = config.custom.networking;

 lighthouses =
- netCfg.peers
+ allHosts
+ |> lib.attrValues
+ |> lib.map (host: host.config.custom.networking)
+ |> lib.filter (node: node.hostName != netCfg.hostName)
 |> lib.filter (peer: peer.overlay.isLighthouse)
 |> lib.map (lighthouse: lighthouse.overlay.address);
 in
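Review bot: The pipeline `allHosts |> lib.attrValues |> lib.map (host: host.config.custom.networking)` is now written out in `nodeRecords` here and again in `lighthouses` in modules/nixos/services/nebula/default.nix, where the removed `netCfg.nodes` / `netCfg.peers` options kept the derivation in one place. These two lists decide which hosts receive private DNS records and which overlay addresses are trusted as Nebula lighthouses, so a later edit to only one copy would make the two views of the fleet diverge without any evaluation error. I would keep a single shared helper for it, or at least mark each copy with a comment such as `# all flake hosts; keep in sync with services/nebula` and `# all other flake hosts; keep in sync with nameservers/private.nix`. Both `let` blocks begin above their hunks, so it is not visible whether `allHosts` is already in each module's argument set; the networking module used to take it, but neither of these files' headers is touched by the diff.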
diff --git a/modules/nixos/web-services/scrutiny.nix b/modules/nixos/web-services/scrutiny.nix
index e0be952..0789008 100644
--- a/modules/nixos/web-services/scrutiny.nix
+++ b/modules/nixos/web-services/scrutiny.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+ config,
+ self,
+ lib,
+ ...
+}:
 let
 cfg = config.custom.web-services.scrutiny;
 in
@@ -16,6 +21,11 @@ in
 };

 config = lib.mkIf cfg.enable {
+ assertions = lib.singleton {
+ assertion = self.lib.isPrivateDomain cfg.domain;
+ message = self.lib.mkUnprotectedMessage "Scrutiny";
+ };
+
 services.scrutiny = {
 enable = true;
 settings.web.listen = {
diff --git a/modules/nixos/web-services/searxng.nix b/modules/nixos/web-services/searxng.nix
index ff83745..c79ab0d 100644
--- a/modules/nixos/web-services/searxng.nix
+++ b/modules/nixos/web-services/searxng.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+ config,
+ self,
+ lib,
+ ...
+}:
 let
 cfg = config.custom.web-services.searxng;
 in
@@ -16,6 +21,11 @@ in
 };

 config = lib.mkIf cfg.enable {
+ assertions = lib.singleton {
+ assertion = self.lib.isPrivateDomain cfg.domain;
+ message = self.lib.mkUnprotectedMessage "SearXNG";
+ };
+
 services.searx = {
 enable = true;
 settings = {
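Review bot: The assertion added at the top of `config` in scrutiny.nix tests only the string in `cfg.domain`, and nothing beside it says why a public domain has to be refused. I would put a comment above it, for example `# Scrutiny has no login of its own; fail evaluation rather than publish it on a public domain`, and do the same above the identical assertion in searxng.nix with the reason adapted to that service. What `self.lib.isPrivateDomain` accepts is defined outside this diff, and the `settings.web.listen` block runs past the end of the hunk, so whether the listener itself is reachable only from the private network is not established by this check and should be confirmed separately. The `self` argument added in the first hunk of each file presumably comes from specialArgs, which is also not shown here.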