From c37c83b931a74489299b44b74bfc1b0c3acbdc3e Mon Sep 17 00:00:00 2001
From: Kris
Date: Wed, 25 Feb 2026 16:03:28 +0200
Subject: [PATCH] server: lock /etc/nixos read-only and force resolv.conf to 1.1.1.1

---
 hosts/server/configuration.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 98822e5..44f4fc1 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -128,6 +128,18 @@
 ];
 };
 
+ # Lock /etc/nixos to read-only mode (config lives in /home/ocbwoy3/config).
+ systemd.tmpfiles.rules = [
+ "z /etc/nixos 0555 root root - -"
+ ];
+
+ # Force resolver config to Cloudflare only.
+ networking.nameservers = lib.mkForce [ "1.1.1.1" ];
+ environment.etc."resolv.conf".text = lib.mkForce ''
+ nameserver 1.1.1.1
+ '';
+
+
 catppuccin = {
 enable = true;
 flavor = "mocha";
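Review bot: The rule `"z /etc/nixos 0555 root root - -"` does not lock the directory in an enforcing sense: `z` changes mode and ownership of that single path only, not the files beneath it, and root is not restricted by a missing write bit, so only non-root writes are affected, which a root-owned directory normally refuses already. If this is an advisory guard against accidental edits, the comment should say so, e.g. `# Advisory only: drops the write bit on /etc/nixos; root can still modify it.`; an enforced lock would need something like a read-only bind mount instead. In the same hunk the resolver address is written twice (`networking.nameservers` and the literal `resolv.conf` text) and leaves one plaintext resolver with no fallback and no integrity protection on the queries; a second entry such as `"1.0.0.1"` in both places would at least cover availability. Forcing `environment.etc."resolv.conf"` can also conflict with a resolver manager (resolvconf or systemd-resolved) if one is enabled elsewhere in this configuration, which is not visible here.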