From a825e36e2e544f81104091d922e34c8852ee6c14 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Wed, 22 Apr 2026 19:57:55 +0100
Subject: [PATCH] Make AdGuard settings authoritative; add busybox; drop fallback DNS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- services/adguard.nix: mutableSettings = false so Nix config overrides UI-made changes on rebuild (settings are the source of truth)
- common.nix: add busybox for its collection of handy utilities
- common.nix: remove networking.nameservers — DNS now comes purely from per-host NetworkManager config (AdGuard as the only resolver, no leaks)
Co-Authored-By: Claude Opus 4.7
---
 common.nix | 2 +-
 services/adguard.nix | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/common.nix b/common.nix
index a5d95a3..34a4894 100644
--- a/common.nix
+++ b/common.nix
@@ -67,7 +67,6 @@

 # Enable network-manager
 networking.networkmanager.enable = true;
- networking.nameservers = [ "1.1.1.1" "9.9.9.9" ];

 # Fish shell
 programs.fish.enable = true;
@@ -87,5 +86,6 @@
 git
 localsend
 nvd
+ busybox
 ];
 }
diff --git a/services/adguard.nix b/services/adguard.nix
index 109e2eb..5b69a28 100644
--- a/services/adguard.nix
+++ b/services/adguard.nix
@@ -8,8 +8,8 @@
 # Web UI bound to localhost; nginx reverse-proxies at adguard.nordhammer.it
 host = "127.0.0.1";
 port = 3000;
- # Allow UI changes (blocklists, rules, clients) to persist
- mutableSettings = true;
+ # Nix is authoritative: settings below overwrite UI-made changes on rebuild
+ mutableSettings = false;
 settings = {
 dns = {
 bind_hosts = [ "0.0.0.0" ];
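Review bot: `busybox` is added to the shared package list in common.nix with no comment, so every host importing this file gets the whole applet set on its system path, which typically includes network-capable applets a DNS or server host does not otherwise need. If the aim is a few handy utilities on workstations, listing it only in the per-host configs that want it keeps the shared baseline smaller. BusyBox applet names also overlap with tools already installed, so I would make the precedence explicit and documented, e.g. `(lib.lowPrio busybox) # extra applets; full coreutils/util-linux versions take precedence`, assuming `lib` is in scope at this point. The list opens outside this hunk, so I cannot see how the package names are brought into scope.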
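Review bot: The new comment above `mutableSettings = false;` says UI-made changes are overwritten "on rebuild", but as far as I know the NixOS module rewrites the AdGuard Home config from the Nix-generated one whenever the service starts, so a UI edit can also vanish on a plain restart or reboot. I would word it as `# Nix is authoritative: UI edits are discarded when the service (re)starts; change settings here instead`. Because the web UI presumably still accepts edits, a block rule or client restriction added there during an incident will silently disappear, so anything relied on for filtering or access control has to be declared under `settings`. The `settings` block continues past the end of this hunk, so I cannot tell whether blocklists, clients and UI users are already declared there.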