diff --git a/flake.lock b/flake.lock
index 56d7ef7..7bbdbc0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -5,7 +5,7 @@
 "crane": "crane",
 "flake-utils": "flake-utils",
 "nixpkgs": [
- "nixpkgs-unstable"
+ "nixpkgs"
 ]
 },
 "locked": {
@@ -181,16 +181,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1748037224,
- "narHash": "sha256-92vihpZr6dwEMV6g98M5kHZIttrWahb9iRPBm1atcPk=",
+ "lastModified": 1748162331,
+ "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "f09dede81861f3a83f7f06641ead34f02f37597f",
+ "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixos-24.11",
+ "ref": "nixos-25.05",
 "repo": "nixpkgs",
 "type": "github"
 }
@@ -210,22 +210,6 @@
 "type": "github"
 }
 },
- "nixpkgs-unstable": {
- "locked": {
- "lastModified": 1747744144,
- "narHash": "sha256-W7lqHp0qZiENCDwUZ5EX/lNhxjMdNapFnbErcbnP11Q=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "2795c506fe8fb7b03c36ccb51f75b6df0ab2553f",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "root": {
 "inputs": {
 "breeze": "breeze",
@@ -234,7 +218,6 @@
 "flake-parts": "flake-parts",
 "impermanence": "impermanence",
 "nixpkgs": "nixpkgs",
- "nixpkgs-unstable": "nixpkgs-unstable",
 "sim-breeze": "sim-breeze",
 "sops-nix": "sops-nix"
 }
diff --git a/flake.nix b/flake.nix
index 6123858..d101a40 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,8 +2,7 @@
 description = "computer systems infrastructure";
 inputs = {
- nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
- nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
 flake-parts.url = "github:hercules-ci/flake-parts";
@@ -19,7 +18,7 @@
 impermanence.url = "github:nix-community/impermanence";
 breeze.url = "git+https://git.min.rip/min/breeze.git";
- breeze.inputs.nixpkgs.follows = "nixpkgs-unstable";
+ breeze.inputs.nixpkgs.follows = "nixpkgs";
 sim-breeze.url = "git+ssh://git@git.min.rip/min/sim-breeze.git";
 sim-breeze.inputs.nixpkgs.follows = "nixpkgs";
@@ -43,10 +42,10 @@
 }: {
 devShells.default = pkgs.mkShell {
 packages = with pkgs; [
- inputs'.nixpkgs-unstable.legacyPackages.sops
+ sops
 ssh-to-age
 openssl
- inputs'.nixpkgs-unstable.legacyPackages.nebula
+ nebula
 # not included: age, age-plugin-yubikey, pcscd
 wireguard-tools
diff --git a/nixos/hosts/eidola/nebula.nix b/nixos/hosts/eidola/nebula.nix
index 80743c6..da15334 100644
--- a/nixos/hosts/eidola/nebula.nix
+++ b/nixos/hosts/eidola/nebula.nix
@@ -1,11 +1,10 @@
 {config, ...}: let
- inherit (import ../../modules/nebula/shared.nix) userGroup service;
+ inherit (import ../../modules/nebula/shared.nix) userGroup;
 in {
 sops.secrets."nebula-key" = {
 mode = "0440";
 owner = userGroup;
 group = userGroup;
- restartUnits = [service];
 };
 # TODO: why?
diff --git a/nixos/hosts/silver/services/nebula.nix b/nixos/hosts/silver/services/nebula.nix
index 206267e..0ecb745 100644
--- a/nixos/hosts/silver/services/nebula.nix
+++ b/nixos/hosts/silver/services/nebula.nix
@@ -1,11 +1,10 @@
 {config, ...}: let
- inherit (import ../../../modules/nebula/shared.nix) userGroup service;
+ inherit (import ../../../modules/nebula/shared.nix) userGroup;
 in {
 sops.secrets."svc-nebula-key" = {
 mode = "0440";
 owner = userGroup;
 group = userGroup;
- restartUnits = [service];
 };
 networking.firewall.allowedUDPPorts = [4242];
diff --git a/nixos/modules/nebula/default.nix b/nixos/modules/nebula/default.nix
index e4ee2f2..dd2001f 100644
--- a/nixos/modules/nebula/default.nix
+++ b/nixos/modules/nebula/default.nix
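Review bot: Dropping `restartUnits = [service];` from `sops.secrets."nebula-key"` leaves nothing in this file that restarts the nebula unit when the decrypted key file changes, so a rotated key lands on disk but the running daemon keeps the material it loaded at start until someone restarts it by hand; the same removal appears in the `nixos/hosts/silver/services/nebula.nix` hunk for `svc-nebula-key`. Unless the restart is arranged elsewhere (not visible in this diff), keep the binding with the unit name spelled locally now that `service` is gone from shared.nix, e.g. `inherit (import ../../modules/nebula/shared.nix) userGroup netName;` and `restartUnits = ["nebula@${netName}.service"];`. If rotation without an automatic restart is intended, a comment saying so next to `group = userGroup;` would spare the next reader the same question.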
@@ -4,7 +4,7 @@
 ...
 }:
 with lib; let
- inherit (import ./shared.nix) netName interface service;
+ inherit (import ./shared.nix) netName interface;
 ca = ../../keys/ca.crt;
@@ -81,28 +81,21 @@ in {
 };
 };
- config = mkMerge [
- (mkIf cfg.enable {
- networking.firewall.trustedInterfaces = [interface];
+ config = mkIf cfg.enable {
+ networking.firewall.trustedInterfaces = [interface];
- services.nebula.networks.${netName} = mkMerge [
- {
- inherit ca;
- inherit (cfg) cert key;
+ services.nebula.networks.${netName} = mkMerge [
+ {
+ inherit ca;
+ inherit (cfg) cert key;
- firewall = {
- inherit (baseFirewall) outbound;
- inbound = baseFirewall.inbound ++ cfg.extraInbound;
- };
- }
- (mkIf cfg.enableLighthouse baseServer)
- (mkIf (!cfg.enableLighthouse) baseClient)
- ];
- })
- (mkIf config.services.openssh.enable {
- # Make sure sshd starts after nebula
- # TODO: is this necessary?
- systemd.services.sshd.after = [service];
- })
- ];
+ firewall = {
+ inherit (baseFirewall) outbound;
+ inbound = baseFirewall.inbound ++ cfg.extraInbound;
+ };
+ }
+ (mkIf cfg.enableLighthouse baseServer)
+ (mkIf (!cfg.enableLighthouse) baseClient)
+ ];
+ };
 }
diff --git a/nixos/modules/nebula/shared.nix b/nixos/modules/nebula/shared.nix
index 705506c..aed7980 100644
--- a/nixos/modules/nebula/shared.nix
+++ b/nixos/modules/nebula/shared.nix
@@ -4,5 +4,4 @@ rec {
 # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix
 interface = "nebula.${netName}";
 userGroup = "nebula-${netName}";
- service = "nebula@${netName}.service";
 }
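Review bot: The `systemd.services.sshd.after = [service]` ordering is removed together with its `# TODO: is this necessary?` without recording the answer, so the rewritten `config = mkIf cfg.enable {` attrset no longer says whether sshd may start before the nebula unit. With sshd on its default listen address this is harmless, but a host that pins sshd to the overlay address through `services.openssh.listenAddresses` could now start sshd before `nebula.${netName}` exists and fail to bind until it is restarted; the host configurations are not visible in this diff, so I cannot tell whether any does. If the ordering was checked and found unnecessary, state that in a one-line comment at the top of the `config` attrset, e.g. `# sshd is deliberately not ordered after the nebula unit; no host binds sshd to an overlay address`, adjusted to what was actually verified.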