diff --git a/CHANGELOG.md b/CHANGELOG.md
index 11fa0a1..2a7852b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ Please choose versions by [Semantic Versioning](http://semver.org/).
 ## Unreleased
 - Update nwfilter configuration to use explicit rule-based format for better clarity
+- Fix nwfilter reload to preserve UUID and avoid libvirt format drift
 ## v0.3.5
 - Fix CI test failures by ignoring missing vault faults
diff --git a/bundles/kvm-host/items.py b/bundles/kvm-host/items.py
index 096d99a..e47f372 100644
--- a/bundles/kvm-host/items.py
+++ b/bundles/kvm-host/items.py
@@ -6,6 +6,7 @@
 svc_systemd = {}
 directories = {}
 symlinks = {}
+actions = {}
 
 if node.metadata.get('kvm-host', {}).get('enabled', False):
     svc_systemd['libvirtd'] = {
@@ -45,17 +46,35 @@
     }
 
     # nwfilter support for VM network restrictions
+    directories['/etc/bundlewrap/nwfilter'] = {
+        'owner': 'root',
+        'group': 'root',
+        'mode': '0755',
+    }
+
     for vm_name, filter_config in node.metadata.get('kvm-host', {}).get('nwfilters', {}).items():
         filter_name = f'restrict-{vm_name}'
-        files[f'/etc/libvirt/nwfilter/{filter_name}.xml'] = {
+        # Store our template in bundlewrap directory (not libvirt's)
+        files[f'/etc/bundlewrap/nwfilter/{filter_name}.xml'] = {
             'source': 'nwfilter.xml',
             'content_type': 'mako',
-            'mode': '0600',
+            'mode': '0644',
             'owner': 'root',
             'group': 'root',
             'context': {
                 'filter_name': filter_name,
                 'rules': filter_config.get('rules', []),
             },
+            'triggers': [f'action:nwfilter_reload_{filter_name}'],
+        }
+
+        # Only define if different from current
+        actions[f'nwfilter_reload_{filter_name}'] = {
+            'command': (
+                f'UUID=$(virsh nwfilter-dumpxml {filter_name} 2>/dev/null | grep -oP "(?<=)[^<]+") && '
+                f'sed "1 a\\ $UUID" /etc/bundlewrap/nwfilter/{filter_name}.xml | virsh nwfilter-define /dev/stdin || '
+                f'virsh nwfilter-define /etc/bundlewrap/nwfilter/{filter_name}.xml'
+            ),
+            'triggered': True,
         }
diff --git a/nodes/hm.nuke.py b/nodes/hm.nuke.py
index 26f946f..6d3ca92 100644
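Review bot: In the new `actions[f'nwfilter_reload_{filter_name}']` command the lookbehind in `grep -oP "(?<=)[^<]+"` is empty, so as shown it matches every text run in the dumped XML rather than the UUID, and `sed "1 a\\ $UUID"` then appends that bare value with no `<uuid>` element around it; if the element name was lost when this page was rendered the point is moot, but as written the first branch can never define a valid filter and every reload falls through to the `||` branch. Both `filter_name` (built from the metadata key `vm_name`) and `$UUID` (taken from `virsh` output) are spliced into the shell string without quoting; wrapping `filter_name` in `shlex.quote(...)` inside the f-string and writing `"$UUID"` keeps an unusual VM name or dump line from changing the command's shape. Because `&&` and `||` bind equally left to right, any failure of the `virsh nwfilter-define /dev/stdin` step — not only a missing filter — silently falls back to defining the template without its UUID, which is exactly the drift the changelog entry says this commit fixes; a non-zero exit there would be the safer outcome. The comment `# Only define if different from current` overstates what happens: the action is `triggered` by the file item changing, so `# Re-define the filter whenever the template changes, carrying over the existing UUID` describes it more accurately. The template's mode also goes from `0600` to `0644`, which makes each VM's restriction rule set readable to every local user on the host; since the define step presumably runs as root, the narrower mode would still work — confirm against the action's runtime user.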
--- a/nodes/hm.nuke.py
+++ b/nodes/hm.nuke.py
@@ -29,9 +29,6 @@
             'devices': ['/dev/nvme0n1', '/dev/nvme1n1', '/dev/nvme2n1', '/dev/nvme3n1'],
         }
     },
-    'monit': {
-        'test_alert': True,
-    },
     'msmtp': {
         'enabled': True,
         'host': '172.16.90.1',