diff --git a/cluster/staging/site/neptune.nix b/cluster/staging/site/neptune.nix
index 3da3717..506da65 100644
--- a/cluster/staging/site/neptune.nix
+++ b/cluster/staging/site/neptune.nix
@@ -9,6 +9,10 @@
   deuxfleurs.nameservers = [ "192.168.1.1" ];
   deuxfleurs.cname_target = "neptune.site.staging.deuxfleurs.org.";
 
+  # no public ipv4 is used for the staging cluster on Neptune,
+  # because the Internet connection is already used for the prod cluster
+  # deuxfleurs.public_ipv4 = "77.207.15.215";
+
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
   services.cron = {
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index 28161dc..7c7c6d3 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -90,9 +90,15 @@ in
       description = "Site (availability zone) on which this node is deployed";
       type = types.str;
     };
-    cname_target = mkOption {
-      description = "DNS CNAME target to use for services hosted in this site, for domain names that are updated by DiploNAT";
+    public_ipv4 = mkOption {
+      description = "Public IPv4 through which this node is accessible (possibly after port opening using DiploNAT), for domain names that are updated by D53";
       type = types.nullOr types.str;
+      default = null;
+    };
+    cname_target = mkOption {
+      description = "DNS CNAME target to use for services hosted in this site, for domain names that are updated by D53";
+      type = types.nullOr types.str;
+      default = null;
     };
     nameservers = mkOption {
       description = "External DNS servers to use";
@@ -133,6 +139,9 @@ in
         "site" = cfg.site_name;
         "public_ipv6" = cfg.ipv6;
       } //
+      (if cfg.public_ipv4 != null
+        then { "public_ipv4" = cfg.public_ipv4; }
+        else {}) //
       (if cfg.cname_target != null
         then { "cname_target" = cfg.cname_target; }
         else {});