From c2c6b634279a8b18230bce3feaee99de5eae7dca Mon Sep 17 00:00:00 2001 From: SebastianStork Date: Sun, 1 Mar 2026 23:51:18 +0100 Subject: [PATCH 1/8] networking/overlay: Disable dnssec --- modules/nixos/services/nebula/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/nixos/services/nebula/default.nix b/modules/nixos/services/nebula/default.nix index 2fa908f..45e2a7c 100644 --- a/modules/nixos/services/nebula/default.nix +++ b/modules/nixos/services/nebula/default.nix @@ -133,6 +133,7 @@ in address = [ netCfg.overlay.cidr ]; dns = netCfg.overlay.dnsServers; domains = [ netCfg.overlay.domain ]; + networkConfig.DNSSEC = false; }; }; }; From 6cb7a548ea06b0ce435590cb137a0f30b47bc73e Mon Sep 17 00:00:00 2001 From: SebastianStork Date: Sun, 1 Mar 2026 23:55:12 +0100 Subject: [PATCH 2/8] networking/underlay: Set some nameservers explicitly when not using dhcp --- modules/nixos/networking/underlay.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/nixos/networking/underlay.nix b/modules/nixos/networking/underlay.nix index 20f9efa..1c928ae 100644 --- a/modules/nixos/networking/underlay.nix +++ b/modules/nixos/networking/underlay.nix @@ -56,6 +56,11 @@ in Gateway = cfg.gateway; GatewayOnLink = true; }; + dns = lib.mkIf (!cfg.useDhcp) [ + "1.1.1.1#cloudflare-dns.com" + "8.8.8.8#dns.google" + "9.9.9.9#dns.quad9.net" + ]; }; }; From 399cbee22a62ebf592e327d3023e93becab48540 Mon Sep 17 00:00:00 2001 From: SebastianStork Date: Mon, 2 Mar 2026 00:08:01 +0100 Subject: [PATCH 3/8] nameservers/public: Open port 53 --- modules/nixos/services/nameservers/public.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/nixos/services/nameservers/public.nix b/modules/nixos/services/nameservers/public.nix index 0841d75..2718038 100644 --- a/modules/nixos/services/nameservers/public.nix +++ b/modules/nixos/services/nameservers/public.nix 
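Review bot: `networkConfig.DNSSEC = false` here disables validation for every query resolved hands to `netCfg.overlay.dnsServers`, not only for names under `netCfg.overlay.domain` — `domains` holds a plain search domain (no `~` prefix) and nothing visible sets `DNSDefaultRoute`, so this link stays a default route and public-name lookups that happen to be sent to the overlay resolvers are accepted unsigned as well. If the intent is just that the private zone (served by the project's own nsd, which appears to be unsigned) must not fail validation, pair the setting with `networkConfig.DNSDefaultRoute = false;` so these servers are consulted only for the overlay domain. Either way the reason belongs next to the line, e.g. `# overlay zone is served by our own nsd and is not DNSSEC-signed; validation would fail`. The enclosing `systemd.network.networks` entry starts before the hunk.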
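Review bot: The `#cloudflare-dns.com` / `#dns.google` / `#dns.quad9.net` suffixes on the new `dns` entries are DNS-over-TLS server names, and resolved only uses them when DNS-over-TLS is enabled; nothing in this hunk enables it, so unless it is set elsewhere in the module these hosts still query 1.1.1.1/8.8.8.8/9.9.9.9 in plaintext on port 53 and the names are never checked against a certificate. Add `networkConfig.DNSOverTLS = true;` beside the list (strict mode; keep it under the same `lib.mkIf (!cfg.useDhcp)` if DHCP-assigned resolvers cannot be expected to speak TLS), or drop the suffixes so the config does not suggest a protection it does not provide. With DoT enabled, also consider whether the global resolved DNSSEC setting should validate answers from these public resolvers, since the overlay link disables it separately. The enclosing `systemd.network.networks` entry starts before the hunk.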
@@ -73,6 +73,11 @@ in }; config = lib.mkIf cfg.enable { + networking.firewall = { + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = [ 53 ]; + }; + services.nsd = { enable = true; interfaces = [ netCfg.underlay.interface ]; From cb8d793df3babd7df787174c6e7a5068b91c576d Mon Sep 17 00:00:00 2001 From: SebastianStork Date: Mon, 2 Mar 2026 01:20:24 +0100 Subject: [PATCH 4/8] nebula: Only route traffic from the overlay domain over the interface --- modules/nixos/services/nebula/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/nixos/services/nebula/default.nix b/modules/nixos/services/nebula/default.nix index 45e2a7c..a681c93 100644 --- a/modules/nixos/services/nebula/default.nix +++ b/modules/nixos/services/nebula/default.nix @@ -132,7 +132,10 @@ in matchConfig.Name = netCfg.overlay.interface; address = [ netCfg.overlay.cidr ]; dns = netCfg.overlay.dnsServers; - domains = [ netCfg.overlay.domain ]; + domains = [ + "~${netCfg.overlay.domain}" + netCfg.overlay.domain + ]; networkConfig.DNSSEC = false; }; }; From 1f2c921b81a296757251cd3187a025cf4c689721 Mon Sep 17 00:00:00 2001 From: SebastianStork Date: Mon, 2 Mar 2026 01:41:46 +0100 Subject: [PATCH 5/8] Revert "nebula: Only route traffic from the overlay domain over the interface" This reverts commit cb8d793df3babd7df787174c6e7a5068b91c576d. --- modules/nixos/services/nebula/default.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/modules/nixos/services/nebula/default.nix b/modules/nixos/services/nebula/default.nix index a681c93..45e2a7c 100644 --- a/modules/nixos/services/nebula/default.nix +++ b/modules/nixos/services/nebula/default.nix @@ -132,10 +132,7 @@ in matchConfig.Name = netCfg.overlay.interface; address = [ netCfg.overlay.cidr ]; dns = netCfg.overlay.dnsServers; - domains = [ - "~${netCfg.overlay.domain}" - netCfg.overlay.domain - ]; + domains = [ netCfg.overlay.domain ]; networkConfig.DNSSEC = false; }; }; 
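Review bot: The firewall opening is wider than the listener it is for: `services.nsd.interfaces` restricts nsd to `netCfg.underlay.interface`, but `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` open 53 on every interface, including the nebula overlay. Assuming `netCfg.underlay.interface` is an interface name as its name suggests, scope the rule to match: `networking.firewall.interfaces.${netCfg.underlay.interface} = { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 ]; };`. Since this exposes an authoritative server on UDP/53 to the internet, it is usable as an amplification reflector; enabling NSD's response rate limiting in the same block (`services.nsd.ratelimit.enable = true;`) is the usual mitigation. The rest of the `services.nsd` definition continues past the hunk.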
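Review bot: With the `~`-prefixed routing domain removed again, the overlay link is back to being a default DNS route, so `netCfg.overlay.dnsServers` — on which this link has DNSSEC disabled since PATCH 1 — are candidates for every lookup on the host, not only for `netCfg.overlay.domain`. If the routing-domain form was reverted because it broke resolution, `networkConfig.DNSDefaultRoute = false;` on this entry gives the same restriction without changing `domains`. Neither commit message says why the revert was needed; a one-line comment on `domains`, e.g. `# plain search domain on purpose: "~" routing broke <what>`, would stop the next reader from retrying the same change.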
From 2b26c715f271e997353ee1cdd4b5ca7e05f7f89e Mon Sep 17 00:00:00 2001 From: SebastianStork Date: Mon, 2 Mar 2026 01:49:08 +0100 Subject: [PATCH 6/8] nameservers: Restructure modules --- hosts/homeserver/default.nix | 2 +- hosts/vps-public/default.nix | 2 +- modules/nixos/networking/overlay.nix | 2 +- .../nixos/services/nameservers/{overlay.nix => private.nix} | 6 +++--- modules/nixos/services/nameservers/public.nix | 6 +++--- tests/infrastructure/default.nix | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) rename modules/nixos/services/nameservers/{overlay.nix => private.nix} (89%) diff --git a/hosts/homeserver/default.nix b/hosts/homeserver/default.nix index e8ff995..12b1f8b 100644 --- a/hosts/homeserver/default.nix +++ b/hosts/homeserver/default.nix @@ -21,7 +21,7 @@ }; services = { - nameservers.overlay.enable = true; + private-nameserver.enable = true; syncthing = { enable = true; diff --git a/hosts/vps-public/default.nix b/hosts/vps-public/default.nix index 4991e42..c2bac90 100644 --- a/hosts/vps-public/default.nix +++ b/hosts/vps-public/default.nix @@ -21,7 +21,7 @@ }; }; - services.nameservers.public = { + services.public-nameserver = { enable = true; zones = [ "sprouted.cloud" diff --git a/modules/nixos/networking/overlay.nix b/modules/nixos/networking/overlay.nix index d67c7ed..3783352 100644 --- a/modules/nixos/networking/overlay.nix +++ b/modules/nixos/networking/overlay.nix @@ -63,7 +63,7 @@ in default = allHosts |> lib.attrValues - |> lib.filter (host: host.config.custom.services.nameservers.overlay.enable) + |> lib.filter (host: host.config.custom.services.private-nameserver.enable) |> lib.map (host: host.config.custom.networking.overlay.address); }; diff --git a/modules/nixos/services/nameservers/overlay.nix b/modules/nixos/services/nameservers/private.nix similarity index 89% rename from modules/nixos/services/nameservers/overlay.nix rename to modules/nixos/services/nameservers/private.nix index 54e9f32..b19982e 100644 
--- a/modules/nixos/services/nameservers/overlay.nix +++ b/modules/nixos/services/nameservers/private.nix @@ -7,7 +7,7 @@ ... }: let - cfg = config.custom.services.nameservers.overlay; + cfg = config.custom.services.private-nameserver; netCfg = config.custom.networking; zoneData = inputs.dns.lib.toString netCfg.overlay.domain { @@ -20,7 +20,7 @@ let NS = allHosts |> lib.attrValues - |> lib.filter (host: host.config.custom.services.nameservers.overlay.enable) + |> lib.filter (host: host.config.custom.services.private-nameserver.enable) |> lib.map (host: "${host.config.custom.networking.overlay.fqdn}."); subdomains = @@ -58,7 +58,7 @@ let }; in { - options.custom.services.nameservers.overlay.enable = lib.mkEnableOption ""; + options.custom.services.private-nameserver.enable = lib.mkEnableOption ""; config = lib.mkIf cfg.enable { services = { diff --git a/modules/nixos/services/nameservers/public.nix b/modules/nixos/services/nameservers/public.nix index 2718038..79dbd6d 100644 --- a/modules/nixos/services/nameservers/public.nix +++ b/modules/nixos/services/nameservers/public.nix @@ -6,7 +6,7 @@ ... }: let - cfg = config.custom.services.nameservers.public; + cfg = config.custom.services.public-nameserver; netCfg = config.custom.networking; zoneData = @@ -38,7 +38,7 @@ let nsRecords = allHosts |> lib.attrValues - |> lib.filter (host: host.config.custom.services.nameservers.public.enable) + |> lib.filter (host: host.config.custom.services.public-nameserver.enable) |> lib.map (host: { name = host.config.custom.networking.hostName; inherit (host.config.custom.networking.underlay) address; @@ -64,7 +64,7 @@ let }; in { - options.custom.services.nameservers.public = { + options.custom.services.public-nameserver = { enable = lib.mkEnableOption ""; zones = lib.mkOption { type = lib.types.nonEmptyListOf lib.types.nonEmptyStr; diff --git a/tests/infrastructure/default.nix b/tests/infrastructure/default.nix index ee077bf..0838d71 100644 --- a/tests/infrastructure/default.nix 
+++ b/tests/infrastructure/default.nix @@ -58,7 +58,7 @@ }; }; - services.nameservers.overlay.enable = true; + services.private-nameserver.enable = true; }; }; From ff0c07eb9d35005b3775fcfcac3efe16ebcb4ce8 Mon Sep 17 00:00:00 2001 From: SebastianStork Date: Mon, 2 Mar 2026 01:51:07 +0100 Subject: [PATCH 7/8] nameservers: Complete restructuring --- hosts/vps-ns/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts/vps-ns/default.nix b/hosts/vps-ns/default.nix index 98fdcce..c7c73ea 100644 --- a/hosts/vps-ns/default.nix +++ b/hosts/vps-ns/default.nix @@ -20,9 +20,9 @@ }; }; - services.nameservers = { - overlay.enable = true; - public = { + services = { + private-nameserver.enable = true; + public-nameserver = { enable = true; zones = [ "sprouted.cloud" From af2fcea45c6f0a0ee3afbefb8cde529e977f96cd Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 2 Mar 2026 05:15:24 +0000 Subject: [PATCH 8/8] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'betterfox': 'github:yokoffing/Betterfox/310cbdee6ca20eb881749a559cb572ce9272a981?narHash=sha256-D2MIFdYMS3xrfO2vDYjCmC3Ah96jg5XUzvwMX3xJQBo%3D' (2026-01-22) → 'github:yokoffing/Betterfox/f1c8e3809dbd23f4f9aa1e5e70805c61734b1f14?narHash=sha256-rUuEfbjIXox5x5ul/4VarIm7bii/SCcDJjocEbHA1kM%3D' (2026-02-28) • Updated input 'comin': 'github:nlewo/comin/d5bbf20a7e3afe492ab5b05e0250635f4e51da44?narHash=sha256-F59AGLXs/kLBYK8kfvev5OPoLmpb6G9XF/1vk27Gzu4%3D' (2026-02-25) → 'github:nlewo/comin/f3125c37f85bc0752930bb66a72f532e9ff9eb82?narHash=sha256-d9puAIgmq0emWPwHjGFklWoie9b9Qghy4GSL1YpgxIU%3D' (2026-03-01) • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/80fa37b486765fc20784b7e3028a3eda04ce0067?dir=pkgs/firefox-addons&narHash=sha256-hZ5TwCAxef1e3S2V/BCL3LYaXYDyhXXu3SJjpmIxc/s%3D' (2026-02-28) → 'gitlab:rycee/nur-expressions/701de032cc247a1c309a34f0ed646e824efd7ac6?dir=pkgs/firefox-addons&narHash=sha256-mhv7yclJj%2BqCagNv0WOuob5yQNV1aTqKcJLfBMUqsVA%3D' (2026-03-02) • Updated input 'flake-parts': 'github:hercules-ci/flake-parts/57928607ea566b5db3ad13af0e57e921e6b12381?narHash=sha256-AnYjnFWgS49RlqX7LrC4uA%2BsCCDBj0Ry/WOJ5XWAsa0%3D' (2026-02-02) → 'github:hercules-ci/flake-parts/f20dc5d9b8027381c474144ecabc9034d6a839a3?narHash=sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0%3D' (2026-03-01) • Updated input 'flake-parts/nixpkgs-lib': 'github:nix-community/nixpkgs.lib/72716169fe93074c333e8d0173151350670b824c?narHash=sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ%2BQDT/KDuyHXVJOpM%3D' (2026-02-01) → 'github:nix-community/nixpkgs.lib/c185c7a5e5dd8f9add5b2f8ebeff00888b070742?narHash=sha256-e%2B/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB%2BQ%3D' (2026-03-01) • Updated input 'home-manager': 
'github:nix-community/home-manager/36e38ca0d9afe4c55405fdf22179a5212243eecc?narHash=sha256-aqBl3GNpCadMoJ/hVkWTijM1Aeilc278MjM%2BLA3jK6g%3D' (2026-02-25) → 'github:nix-community/home-manager/a07a44a839eb036e950bf397d9b782916f8dcab3?narHash=sha256-8C%2By46xA9bxcchj9GeDPJaRUDApaA3sy2fhJr1bTbUw%3D' (2026-03-01) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/2fc6539b481e1d2569f25f8799236694180c0993?narHash=sha256-0MAd%2B0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU%3D' (2026-02-23) → 'github:nixos/nixpkgs/dd9b079222d43e1943b6ebd802f04fd959dc8e61?narHash=sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE%3D' (2026-02-27) • Updated input 'sops': 'github:Mic92/sops-nix/334daa7c273dd8bf7a0cd370e4e16022b64e55e9?narHash=sha256-/wA0OaH6kZ/pFA%2BnXR/tvg5oupOmEDmMS5us79JT60o%3D' (2026-02-25) → 'github:Mic92/sops-nix/d8be5ea4cd3bc363492ab5bc6e874ccdc5465fe4?narHash=sha256-YHykQg0h9hrlZGpMcywnaFzQ1Kn/5YNCCOSaaAl6z7Q%3D' (2026-03-01) • Updated input 'vscode-extensions': 'github:nix-community/nix-vscode-extensions/71308308af11faffcace34b6512579c59ce45bcd?narHash=sha256-MkcFNrEGekMhQRUB0/F6Jacp/LBUgNvZuacAwhPt7I0%3D' (2026-02-28) → 'github:nix-community/nix-vscode-extensions/96e284c58556366535781d9a476121b2b5e839f1?narHash=sha256-%2BIjvRKrbSQX9/ikWy1ptPJBqG%2BRildNl7Cd9yypyzU0%3D' (2026-03-02) --- flake.lock | 54 +++++++++++++++++++++++++++--------------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/flake.lock b/flake.lock index 32fe23c..8af43d6 100644 --- a/flake.lock +++ b/flake.lock @@ -3,11 +3,11 @@ "betterfox": { "flake": false, "locked": { - "lastModified": 1769104536, - "narHash": "sha256-D2MIFdYMS3xrfO2vDYjCmC3Ah96jg5XUzvwMX3xJQBo=", + "lastModified": 1772315048, + "narHash": "sha256-rUuEfbjIXox5x5ul/4VarIm7bii/SCcDJjocEbHA1kM=", "owner": "yokoffing", "repo": "Betterfox", - "rev": "310cbdee6ca20eb881749a559cb572ce9272a981", + "rev": "f1c8e3809dbd23f4f9aa1e5e70805c61734b1f14", "type": "github" }, "original": { 
@@ -25,11 +25,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1772015457, - "narHash": "sha256-F59AGLXs/kLBYK8kfvev5OPoLmpb6G9XF/1vk27Gzu4=", + "lastModified": 1772353697, + "narHash": "sha256-d9puAIgmq0emWPwHjGFklWoie9b9Qghy4GSL1YpgxIU=", "owner": "nlewo", "repo": "comin", - "rev": "d5bbf20a7e3afe492ab5b05e0250635f4e51da44", + "rev": "f3125c37f85bc0752930bb66a72f532e9ff9eb82", "type": "github" }, "original": { @@ -88,11 +88,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1772251378, - "narHash": "sha256-hZ5TwCAxef1e3S2V/BCL3LYaXYDyhXXu3SJjpmIxc/s=", + "lastModified": 1772424169, + "narHash": "sha256-mhv7yclJj+qCagNv0WOuob5yQNV1aTqKcJLfBMUqsVA=", "owner": "rycee", "repo": "nur-expressions", - "rev": "80fa37b486765fc20784b7e3028a3eda04ce0067", + "rev": "701de032cc247a1c309a34f0ed646e824efd7ac6", "type": "gitlab" }, "original": { @@ -123,11 +123,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1769996383, - "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=", + "lastModified": 1772408722, + "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "57928607ea566b5db3ad13af0e57e921e6b12381", + "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", "type": "github" }, "original": { @@ -179,11 +179,11 @@ ] }, "locked": { - "lastModified": 1772020340, - "narHash": "sha256-aqBl3GNpCadMoJ/hVkWTijM1Aeilc278MjM+LA3jK6g=", + "lastModified": 1772380125, + "narHash": "sha256-8C+y46xA9bxcchj9GeDPJaRUDApaA3sy2fhJr1bTbUw=", "owner": "nix-community", "repo": "home-manager", - "rev": "36e38ca0d9afe4c55405fdf22179a5212243eecc", + "rev": "a07a44a839eb036e950bf397d9b782916f8dcab3", "type": "github" }, "original": { 
@@ -267,11 +267,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1769909678, - "narHash": "sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ+QDT/KDuyHXVJOpM=", + "lastModified": 1772328832, + "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "72716169fe93074c333e8d0173151350670b824c", + "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742", "type": "github" }, "original": { @@ -282,11 +282,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1771848320, - "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=", + "lastModified": 1772198003, + "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2fc6539b481e1d2569f25f8799236694180c0993", + "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61", "type": "github" }, "original": { @@ -371,11 +371,11 @@ ] }, "locked": { - "lastModified": 1772048434, - "narHash": "sha256-/wA0OaH6kZ/pFA+nXR/tvg5oupOmEDmMS5us79JT60o=", + "lastModified": 1772401007, + "narHash": "sha256-YHykQg0h9hrlZGpMcywnaFzQ1Kn/5YNCCOSaaAl6z7Q=", "owner": "Mic92", "repo": "sops-nix", - "rev": "334daa7c273dd8bf7a0cd370e4e16022b64e55e9", + "rev": "d8be5ea4cd3bc363492ab5bc6e874ccdc5465fe4", "type": "github" }, "original": { @@ -467,11 +467,11 @@ ] }, "locked": { - "lastModified": 1772245870, - "narHash": "sha256-MkcFNrEGekMhQRUB0/F6Jacp/LBUgNvZuacAwhPt7I0=", + "lastModified": 1772419365, + "narHash": "sha256-+IjvRKrbSQX9/ikWy1ptPJBqG+RildNl7Cd9yypyzU0=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "71308308af11faffcace34b6512579c59ce45bcd", + "rev": "96e284c58556366535781d9a476121b2b5e839f1", "type": "github" }, "original": {