diff --git a/hosts.nix b/hosts.nix
index 69fe10e..0b37306 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -10,7 +10,6 @@
     hostname = "nuc";
     ip = "10.42.42.42";
     mac = "1C:69:7A:62:30:88";
-    ip6 = "";
     nix = false;
   }
   {
diff --git a/nixos/common/default.nix b/nixos/common/default.nix
index c772366..f7d9908 100644
--- a/nixos/common/default.nix
+++ b/nixos/common/default.nix
@@ -32,6 +32,7 @@
   };
   nixpkgs.config.allowUnfree = true;
+  nixpkgs.overlays = [ (import ../pkgs) ];
   # Limit the systemd journal to 100 MB of disk or the
   # last 7 days of logs, whichever happens first.
diff --git a/nixos/hosts/dns/configuration.nix b/nixos/hosts/dns/configuration.nix
index c450dcb..d4535f4 100644
--- a/nixos/hosts/dns/configuration.nix
+++ b/nixos/hosts/dns/configuration.nix
@@ -1,7 +1,8 @@
 { config, pkgs, hosts, ... }:
-let
+let
+  inherit (builtins) filter hasAttr;
   localdomain = "olympus";
-  ipv6Hosts = builtins.filter (builtins.hasAttr ip6) hosts;
+  ipv6Hosts = filter (hasAttr "ip6") hosts;
   localData = { hostname, ip, ... }: ''"${hostname}.${localdomain}. A ${ip}"'';
   local6Data = { hostname, ip6, ... }: ''"${hostname}.${localdomain}. AAAA ${ip6}"'';
@@ -21,13 +22,14 @@ in {
   system.stateVersion = "21.11"; # Did you read the comment?
   # Additional packages
-  environment.systemPackages = with pkgs; [ dig ];
+  environment.systemPackages = with pkgs; [ dig dog drill ];
   networking.firewall.allowedTCPPorts = [ 53 ];
   networking.firewall.allowedUDPPorts = [ 53 ];
   services.unbound = {
     enable = true;
+    package = pkgs.v.unbound;
     settings = {
       server = {
         use-syslog = "yes";
@@ -37,7 +39,7 @@ in {
         local-zone = ''"${localdomain}." transparent'';
         local-data = (map localData hosts) ++ (map local6Data ipv6Hosts);
-        local-data-ptr = (map ptrData hosts);
+        local-data-ptr = (map ptrData hosts) ++ (map ptr6Data ipv6Hosts);
         access-control = [
           "127.0.0.1/32 allow_snoop"
@@ -61,10 +63,6 @@ in {
           "fe80::/10"
         ];
       };
-      # forward-zone = {
-      #   name = ''"."'';
-      #   forward-addr = [ "8.8.8.8" "9.9.9.9" ];
-      # };
     };
   };
 }
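Review bot: The new `nixpkgs.overlays = [ (import ../pkgs) ];` line registers an overlay whose only visible effect is to expose a `v` attribute, and nothing at this site says what `v` stands for or where it comes from. A short comment keeps the next reader from having to grep: `# Local package variants from ../pkgs, reachable as pkgs.v.<name>`. The path is resolved relative to this file, so it points at nixos/pkgs, the file this commit adds.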
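Review bot: `ipv6Hosts = filter (hasAttr "ip6") hosts;` fixes the unbound `ip6` reference of the old line, but it still admits a host whose `ip6` is set to the empty string — exactly the shape this commit removes from `nuc` in hosts.nix — and `local6Data` would then emit an `AAAA` record with no address. Filtering on the value rather than the key closes that, e.g. `ipv6Hosts = filter (h: (h.ip6 or "") != "") hosts;`. The rest of the let-block, including `ptrData`, lies outside this hunk.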
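Review bot: `package = pkgs.v.unbound;` only evaluates when the overlay registered in nixos/common/default.nix is in effect for this host; if the dns host is ever built without that common module, the `v` attribute does not exist and evaluation fails, so the dependency deserves a comment on this line: `# custom build from nixos/pkgs (DoH/DNSCrypt/TFO compiled in); needs the overlay from common/`. Note also that the extra build flags only add capability — no hunk in this diff configures a DoH or DNSCrypt listener or upstream, so the resolver's behaviour on the wire is unchanged unless that is set elsewhere. The `services.unbound` attrset starts here and continues past the hunk.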
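Review bot: `ptr6Data` is used on the new `local-data-ptr` line but is not defined anywhere in this diff; unless it already exists in the unchanged part of the let-block, evaluating this host fails with an undefined-variable error. If it does exist, a one-line comment here would make the pairing with `local6Data` visible: `# forward and reverse records for hosts that declare ip6`. The enclosing `settings.server` attrset starts and ends outside this hunk.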
diff --git a/nixos/hosts/mosquitto/configuration.nix b/nixos/hosts/mosquitto/configuration.nix
index 29b1924..5a13ba5 100644
--- a/nixos/hosts/mosquitto/configuration.nix
+++ b/nixos/hosts/mosquitto/configuration.nix
@@ -5,8 +5,7 @@
 { config, pkgs, ... }:
 let mosquittoPort = 1883;
 in {
-  imports = [
-  ];
+  imports = [ ];
   networking.hostName = "mosquitto";
@@ -56,5 +55,6 @@ in {
     };
   };
-  networking.firewall.allowedTCPPorts = [ mosquittoPort config.services.zigbee2mqtt.settings.frontend.port ];
+  networking.firewall.allowedTCPPorts =
+    [ mosquittoPort config.services.zigbee2mqtt.settings.frontend.port ];
 }
diff --git a/nixos/hosts/nginx/configuration.nix b/nixos/hosts/nginx/configuration.nix
index c28bc31..9816352 100644
--- a/nixos/hosts/nginx/configuration.nix
+++ b/nixos/hosts/nginx/configuration.nix
@@ -1,20 +1,16 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
 { config, pkgs, ... }:
 let
-  k8s_proxy = {
+  proxy = url: {
     enableACME = true;
     forceSSL = true;
     locations."/" = {
-      proxyPass = "http://10.42.42.150:8000/";
+      proxyPass = url;
       proxyWebsockets = true;
     };
   };
+  k8s_proxy = proxy "http://10.42.42.150:8000/";
 in {
-  imports = [
-  ];
+  imports = [ ];
   networking.hostName = "nginx";
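Review bot: The new `proxy = url: { ... }` helper carries no comment saying what kind of vhost it produces, and its call sites in the later hunk pass only a URL, so the ACME, forced-TLS and websocket behaviour is now hidden behind the name. Suggest above the binding: `# vhost that terminates TLS (ACME cert, plain HTTP redirected) and reverse-proxies "/" to url, websockets included`. `k8s_proxy = proxy "http://10.42.42.150:8000/";` could likewise state its role, matching the comment the later hunk already uses: `# shared vhost for the Kubernetes endpoints`.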
@@ -36,23 +32,9 @@ in {
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
-    virtualHosts."ha.0x76.dev" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://10.42.42.8:8123/";
-        proxyWebsockets = true;
-      };
-    };
-
-    virtualHosts."zookeeper-dev.0x76.dev" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://10.42.43.28:8085/";
-        proxyWebsockets = true;
-      };
-    };
+    # Reverse Proxies
+    virtualHosts."ha.0x76.dev" = proxy "http://10.42.42.8:8123/";
+    virtualHosts."zookeeper-dev.0x76.dev" = proxy "http://10.42.43.28:8085/";
     # Kubernetes endpoints
     virtualHosts."0x76.dev" = k8s_proxy;
diff --git a/nixos/hosts/vault/configuration.nix b/nixos/hosts/vault/configuration.nix
index 533f8b9..9553941 100644
--- a/nixos/hosts/vault/configuration.nix
+++ b/nixos/hosts/vault/configuration.nix
@@ -3,11 +3,8 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, pkgs, ... }:
-
-{
-  imports = [
-  ];
-
+let port = 8200;
+in {
   networking.hostName = "vault";
   # This value determines the NixOS release from which the default
@@ -22,13 +19,13 @@
   environment.systemPackages = with pkgs; [ ];
   # Vault
-  networking.firewall.allowedTCPPorts = [ 8200 ];
+  networking.firewall.allowedTCPPorts = [ port ];
   services.vault = {
     enable = true;
     # bin version includes the UI
     package = pkgs.vault-bin;
-    address = "0.0.0.0:8200";
+    address = "0.0.0.0:${toString port}";
     storageBackend = "file";
     storagePath = "/var/lib/vault";
     extraConfig = ''
diff --git a/nixos/pkgs/default.nix b/nixos/pkgs/default.nix
new file mode 100644
index 0000000..42fa93a
--- /dev/null
+++ b/nixos/pkgs/default.nix
@@ -0,0 +1,10 @@
+final: prev: {
+  v = {
+    unbound = prev.unbound.override {
+      withSystemd = true;
+      withDoH = true;
+      withDNSCrypt = true;
+      withTFO = true;
+    };
+  };
+}
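Review bot: `address = "0.0.0.0:${toString port}";` keeps Vault listening on every interface while the line above opens the same port in the firewall, so the listener's transport security is decided entirely by `extraConfig`, which begins on this hunk's last line and runs past it. A comment on the `address` line stating the intent lets a reviewer judge the exposure without reading the raw HCL, e.g. `# API reachable on all interfaces; TLS for this listener is configured in extraConfig`. If clients only ever arrive via one interface, binding `address` to that interface's IP rather than 0.0.0.0 would narrow what the firewall rule exposes.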
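Review bot: The new overlay file has no header comment explaining the `v` namespace or why unbound is rebuilt, and each `with*` name passed to `override` has to match an argument the nixpkgs unbound derivation actually declares, otherwise the override would fail at evaluation time rather than silently. Suggest opening the file with `# Overlay with local package variants, reachable as pkgs.v.<name>` and annotating the override: `# unbound with DNS-over-HTTPS, DNSCrypt and TCP Fast Open support compiled in`. Which of these features is actually exercised is determined by the unbound settings on the dns host, not by this file, so the comment should not promise more than build support.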