diff --git a/nix/flake/kubenix/default.nix b/nix/flake/kubenix/default.nix
index b85535f..ffe83ec 100644
--- a/nix/flake/kubenix/default.nix
+++ b/nix/flake/kubenix/default.nix
@@ -24,6 +24,7 @@
 ./forgejo.nix
 ./media.nix
 ./bind9.nix
+ ./dnsmasq.nix
 ];
 kubernetes.kubeconfig = "~/.kube/config";
 kubenix.project = "home";
diff --git a/nix/flake/kubenix/dnsmasq.nix b/nix/flake/kubenix/dnsmasq.nix
new file mode 100644
index 0000000..a92477c
--- /dev/null
+++ b/nix/flake/kubenix/dnsmasq.nix
@@ -0,0 +1,65 @@
+{
+ kubernetes.resources = {
+ # TODO: generate this with nix?
+ configMaps.dnsmasq-config.data.config = ''
+ address=/kms.kun.is/192.168.30.129
+ address=/ssh.git.kun.is/192.168.30.132
+ alias=192.145.57.90,192.168.30.128
+ expand-hosts
+ host-record=hermes.dmz,192.168.30.135
+ local=/dmz/
+ log-queries
+ no-hosts
+ no-resolv
+ port=53
+ server=192.168.30.1
+ server=/kun.is/192.168.30.134
+ '';
+
+ deployments.dnsmasq = {
+ metadata.labels.app = "dnsmasq";
+
+ spec = {
+ selector.matchLabels.app = "dnsmasq";
+
+ template = {
+ metadata.labels.app = "dnsmasq";
+
+ spec = {
+ containers.dnsmasq = {
+ image = "dockurr/dnsmasq:2.90";
+
+ ports = [{
+ containerPort = 53;
+ protocol = "UDP";
+ }];
+
+ volumeMounts = [{
+ name = "config";
+ mountPath = "/etc/dnsmasq.conf";
+ subPath = "config";
+ }];
+ };
+
+ volumes = [{
+ name = "config";
+ configMap.name = "dnsmasq-config";
+ }];
+ };
+ };
+ };
+ };
+
+ services.dnsmasq.spec = {
+ type = "LoadBalancer";
+ loadBalancerIP = "192.168.30.135";
+ selector.app = "dnsmasq";
+
+ ports = [{
+ port = 53;
+ targetPort = 53;
+ protocol = "UDP";
+ }];
+ };
+ };
+}
diff --git a/nix/machines/default.nix b/nix/machines/default.nix
index 728a232..b01597a 100644
--- a/nix/machines/default.nix
+++ b/nix/machines/default.nix
@@ -63,7 +63,6 @@ in
 ./atlas.nix
 ./jefke.nix
 ./lewis.nix
- ./hermes.nix
 ];
 options = {
diff --git a/nix/machines/hermes.nix b/nix/machines/hermes.nix
deleted file mode 100644
index 35b3061..0000000
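Review bot: The Deployment and Service in the new dnsmasq.nix declare only UDP/53, whereas the module this commit removes opened TCP 53 as well (`allowedTCPPorts = [ 53 5353 ]`); resolvers retry over TCP when a UDP answer comes back truncated, so those lookups would now fail against this service. Add a TCP entry beside each UDP one, e.g. `{ containerPort = 53; protocol = "TCP"; }` in the container `ports` and `{ name = "dns-tcp"; port = 53; targetPort = 53; protocol = "TCP"; }` in the Service, naming the existing UDP port too since multi-port Services require a `name` per port; a mixed-protocol LoadBalancer Service also depends on the load-balancer implementation supporting it, otherwise two Services sharing the IP are needed. Two smaller points: the ConfigMap is mounted with `subPath`, so later edits to `dnsmasq-config` are not propagated into the running pod and need a rollout to take effect; and `dockurr/dnsmasq:2.90` is a mutable tag, so pinning by digest (`image = "dockurr/dnsmasq:2.90@sha256:<digest>";`, placeholder) would make the image the cluster pulls the one that was reviewed. `192.168.30.135` also appears twice (the `host-record` line and `loadBalancerIP`); a single `let` binding would keep the two from drifting apart.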
--- a/nix/machines/hermes.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- machines.hermes = {
- kind = "virtual";
- hypervisorName = "lewis";
-
- nixosModule = { hypervisorConfig, ... }: {
- lab = {
- networking = {
- dmz.services.enable = true;
- staticNetworking = true;
- staticIPv4 = hypervisorConfig.lab.networking.dmz.ipv4.services;
- staticIPv6 = hypervisorConfig.lab.networking.dmz.ipv6.services;
- };
-
- vm = {
- # TODO: would be cool to create a check that a mac address is only ever assigned to one VM.
- # TODO: idea: what if we generated these IDs by hashing the host name and reducing that to the amount of hosts possible?
- id = 7;
-
- shares = [{
- name = "dnsmasq";
- mountPoint = "/var/lib/dnsmasq";
- }];
- };
- };
- };
- };
-
-}
diff --git a/nix/modules/networking/default.nix b/nix/modules/networking/default.nix
index 0717415..f1fb650 100644
--- a/nix/modules/networking/default.nix
+++ b/nix/modules/networking/default.nix
@@ -1,8 +1,6 @@
 { lib, config, machine, ... }: let cfg = config.lab.networking; in { - imports = [ ./dmz_services ]; - - options.lab.networking = { dmz = { allowConnectivity = lib.mkOption {
diff --git a/nix/modules/networking/dmz_services/default.nix b/nix/modules/networking/dmz_services/default.nix
deleted file mode 100644
index b81c32a..0000000
--- a/nix/modules/networking/dmz_services/default.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{ lib, config, ... }@inputs:
-let
- cfg = config.lab.networking.dmz.services;
-in
-{
- options.lab.networking.dmz.services.enable = lib.mkOption {
- default = false;
- type = lib.types.bool;
- description = ''
- Whether to enable an authoritative DNS server and DNSmasq for DMZ network.
- '';
- };
-
- config = lib.mkIf cfg.enable {
- # TODO Remove this; make this explicit in the machine config.
- lab.networking.dmz.allowConnectivity = true;
-
- # TODO: listen only on dmz interface, make this portable between physical and VM.
- networking.firewall = {
- allowedTCPPorts = [ 53 5353 ];
- allowedUDPPorts = [ 53 67 5353 ];
- };
-
- services = {
- dnsmasq = {
- enable = true;
- settings = import ./dnsmasq.nix inputs;
- };
- };
- };
-}
diff --git a/nix/modules/networking/dmz_services/dnsmasq.nix b/nix/modules/networking/dmz_services/dnsmasq.nix
deleted file mode 100644
index 124d247..0000000
--- a/nix/modules/networking/dmz_services/dnsmasq.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-{ config, ... }:
-let
- cfg = config.lab.networking;
-in
-{
- no-resolv = true;
- local = "/dmz/";
- dhcp-fqdn = true;
- no-hosts = true;
- expand-hosts = true;
- domain = "dmz";
- dhcp-authoritative = true;
- ra-param = "*,0,0";
- alias = "${cfg.public.ipv4.router},192.168.30.128";
- log-dhcp = true;
- log-queries = true;
- port = "5353";
- host-record = [
- "hermes.dmz,${cfg.dmz.ipv4.services},${cfg.dmz.ipv6.services}"
- ];
-
- server = [
- cfg.dmz.ipv4.router
- "/kun.is/192.168.30.134"
- ];
-
- dhcp-range = [
- "192.168.30.50,192.168.30.127,15m"
- "2a0d:6e00:1a77:30::,ra-stateless,ra-names"
- ];
-
- dhcp-host = [
- "b8:27:eb:b9:ab:e2,esrom"
- ];
-
- dhcp-option = [
- "3,${cfg.dmz.ipv4.router}"
- "option:dns-server,${cfg.dmz.ipv4.router}"
- "option6:dns-server,[2a02:58:19a:30::1]"
- ];
-
- address = [
- "/kms.kun.is/192.168.30.129"
- "/ssh.git.kun.is/192.168.30.132"
- ];
-}
diff --git a/nix/modules/networking/dmz_services/zones/kun.is.nix b/nix/modules/networking/dmz_services/zones/kun.is.nix
deleted file mode 100644
index d33d37c..0000000
--- a/nix/modules/networking/dmz_services/zones/kun.is.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ config, dns, ... }:
-with dns.lib.combinators;
-let
- cfg = config.lab.networking;
-in
-{
- CAA = letsEncrypt "caa@kun.is";
-
- SOA = {
- nameServer = "ns1";
- adminEmail = "webmaster@kun.is";
- serial = 2024021702;
- };
-
- NS = [
- "ns1.kun.is."
- "ns2.kun.is."
- ];
-
- MX = [
- (mx.mx 10 "mail.kun.is.")
- ];
-
- TXT = [
- (with spf; soft [ "include:spf.glasnet.nl" ])
- ];
-
- subdomains = rec {
- "*".A = [ cfg.public.ipv4.router ];
-
- ns = host cfg.public.ipv4.router cfg.dmz.ipv6.services;
- ns1 = ns;
- ns2 = ns;
-
- # Override because wg is on opnsense so ipv6 differs from "cfg.dmz.ipv6.services"
- wg = host cfg.public.ipv4.router cfg.dmz.ipv6.router;
-
- #for SMTP2GO to be able send emails from kun.is domain
- em670271 = {
- CNAME = [ "return.smtp2go.net." ];
- };
-
- "s670271._domainkey" = {
- CNAME = [ "dkim.smtp2go.net." ];
- };
-
- link = {
- CNAME = [ "track.smtp2go.net." ];
- };
- };
-}