diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 98822e5..44f4fc1 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -128,6 +128,18 @@
 ];
 };

+ # Lock /etc/nixos to read-only mode (config lives in /home/ocbwoy3/config).
+ systemd.tmpfiles.rules = [
+ "z /etc/nixos 0555 root root - -"
+ ];
+
+ # Force resolver config to Cloudflare only.
+ networking.nameservers = lib.mkForce [ "1.1.1.1" ];
+ environment.etc."resolv.conf".text = lib.mkForce ''
+ nameserver 1.1.1.1
+ '';
+
+
 catppuccin = {
 enable = true;
 flavor = "mocha";
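Review bot: The `z /etc/nixos 0555 root root - -` rule does less than the comment above it claims: `z` adjusts only the directory entry itself (the recursive form is `Z`), so files already under /etc/nixos keep their modes, and mode bits do not restrict root, which is the account that would be rewriting system configuration. If the intent is only to discourage accidental edits, the comment should say so, e.g. `# Remove write bits from the /etc/nixos directory itself; non-recursive and not a barrier to root.`; if tamper resistance is intended, a read-only bind mount or similar is needed instead. On the resolver lines, the forced `environment.etc."resolv.conf".text` may collide with whatever normally generates that file (resolvconf, systemd-resolved or NetworkManager, none of which is visible in this hunk), so confirm which one is active and turn off its resolv.conf handling rather than overriding the file underneath it. A single plaintext upstream also leaves the host with no fallback resolver if 1.1.1.1 is unreachable.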