From 2a6d36f71b6c7b22aa055ef903dbd9aae6792f88 Mon Sep 17 00:00:00 2001
From: trading-for-ben
Date: Sun, 22 Feb 2026 17:42:21 +0000
Subject: [PATCH 1/4] Use virsh nwfilter-define to reload filters (avoid libvirt format drift)

When nwfilter XML files change, trigger virsh nwfilter-define to reload them. This avoids perpetual diffs caused by libvirt adding UUID/comments to the files.
---
 bundles/kvm-host/items.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/bundles/kvm-host/items.py b/bundles/kvm-host/items.py
index 096d99a..0667f13 100644
--- a/bundles/kvm-host/items.py
+++ b/bundles/kvm-host/items.py
@@ -58,4 +58,11 @@
 'filter_name': filter_name,
 'rules': filter_config.get('rules', []),
 },
+ 'triggers': [f'action:nwfilter_define_{filter_name}'],
+ }
+
+ actions[f'nwfilter_define_{filter_name}'] = {
+ 'command': f'virsh nwfilter-define /etc/libvirt/nwfilter/{filter_name}.xml',
+ 'triggered': True,
+ 'cascade_skip': False,
 }

From cae803caba3b0ae409ec3a389f62016099356a46 Mon Sep 17 00:00:00 2001
From: Benjamin Borbe
Date: Sun, 22 Feb 2026 18:50:45 +0100
Subject: [PATCH 2/4] add golang

---
 bundles/kvm-host/items.py | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/bundles/kvm-host/items.py b/bundles/kvm-host/items.py
index 0667f13..7e332d0 100644
--- a/bundles/kvm-host/items.py
+++ b/bundles/kvm-host/items.py
@@ -6,6 +6,7 @@ svc_systemd = {} directories = {} symlinks = {}
+actions = {}
 if node.metadata.get('kvm-host', {}).get('enabled', False): svc_systemd['libvirtd'] = {
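Review bot: `filter_name` (built from the `vm_name` metadata key) is interpolated unquoted into the shell `'command'` string, so a VM name containing whitespace or shell metacharacters would change or break the `virsh` invocation instead of failing cleanly; the same pattern is kept by PATCH 2/4 and PATCH 4/4. The name comes from node metadata, so exposure is limited to whoever edits this repository, but the hardening is cheap: `'command': 'virsh nwfilter-define ' + quote(f'/etc/libvirt/nwfilter/{filter_name}.xml'),` with `from shlex import quote` at the top of items.py, or validating `vm_name` against a conservative pattern once before it is used to build both a path and a command. The `for` loop and the `files[...]` entry this hunk extends begin before it.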
@@ -45,24 +46,31 @@ } # nwfilter support for VM network restrictions
+ directories['/etc/bundlewrap/nwfilter'] = {
+ 'owner': 'root',
+ 'group': 'root',
+ 'mode': '0755',
+ }
+
 for vm_name, filter_config in node.metadata.get('kvm-host', {}).get('nwfilters', {}).items(): filter_name = f'restrict-{vm_name}'
- files[f'/etc/libvirt/nwfilter/{filter_name}.xml'] = {
+ # Store our template in bundlewrap directory (not libvirt's)
+ files[f'/etc/bundlewrap/nwfilter/{filter_name}.xml'] = {
 'source': 'nwfilter.xml', 'content_type': 'mako',
- 'mode': '0600',
+ 'mode': '0644',
 'owner': 'root', 'group': 'root', 'context': { 'filter_name': filter_name, 'rules': filter_config.get('rules', []), },
- 'triggers': [f'action:nwfilter_define_{filter_name}'],
+ 'triggers': [f'action:nwfilter_reload_{filter_name}'],
 }
- actions[f'nwfilter_define_{filter_name}'] = {
- 'command': f'virsh nwfilter-define /etc/libvirt/nwfilter/{filter_name}.xml',
+ # Only define if different from current
+ actions[f'nwfilter_reload_{filter_name}'] = {
+ 'command': f'virsh nwfilter-define /etc/bundlewrap/nwfilter/{filter_name}.xml',
 'triggered': True,
- 'cascade_skip': False,
 }

From f7379df0094490a0233c3d87e80e6d584ba595b8 Mon Sep 17 00:00:00 2001
From: Benjamin Borbe
Date: Sun, 22 Feb 2026 18:53:12 +0100
Subject: [PATCH 3/4] rm test alert

---
 nodes/hm.nuke.py | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/nodes/hm.nuke.py b/nodes/hm.nuke.py
index 26f946f..6d3ca92 100644
--- a/nodes/hm.nuke.py
+++ b/nodes/hm.nuke.py
@@ -29,9 +29,6 @@
 'devices': ['/dev/nvme0n1', '/dev/nvme1n1', '/dev/nvme2n1', '/dev/nvme3n1'],
 }
 },
- 'monit': {
- 'test_alert': True,
- },
 'msmtp': {
 'enabled': True,
 'host': '172.16.90.1',

From 6a5b3e03220acc3e43f65bbfbfaab0750d6ce3c3 Mon Sep 17 00:00:00 2001
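Review bot: The comment `# Only define if different from current` added above `actions[f'nwfilter_reload_{filter_name}']` does not describe what the action does: it is `'triggered': True` with no `unless`, so it runs whenever the rendered template changes and never compares anything against the filter libvirt currently holds; `# Re-define the filter in libvirt whenever the rendered template changes` would be accurate, and the same comment is carried unchanged into PATCH 4/4. The mode change from `'0600'` to `'0644'` makes the filter template readable by every local user, and nothing in this hunk needs that: `virsh nwfilter-define` is run by the action with whatever privileges bundlewrap applies with, so keeping `'mode': '0600'` is the least-privilege choice unless something else on the host is meant to read the file. There is also no removal path: a VM dropped from the `nwfilters` metadata leaves both the template and the defined libvirt filter in place, which deserves at least a comment, or a `virsh nwfilter-undefine` counterpart. The `for` loop and the `if node.metadata...` block enclosing this hunk begin before it. The subject line `add golang` does not describe this change.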
From: Benjamin Borbe
Date: Sun, 22 Feb 2026 19:45:41 +0100
Subject: [PATCH 4/4] preserve nwfilter UUID on reload to avoid libvirt conflicts

---
 CHANGELOG.md | 1 +
 bundles/kvm-host/items.py | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 11fa0a1..2a7852b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ Please choose versions by [Semantic Versioning](http://semver.org/). ## Unreleased - Update nwfilter configuration to use explicit rule-based format for better clarity
+- Fix nwfilter reload to preserve UUID and avoid libvirt format drift
 ## v0.3.5 - Fix CI test failures by ignoring missing vault faults
diff --git a/bundles/kvm-host/items.py b/bundles/kvm-host/items.py
index 7e332d0..e47f372 100644
--- a/bundles/kvm-host/items.py
+++ b/bundles/kvm-host/items.py
@@ -71,6 +71,10 @@ # Only define if different from current actions[f'nwfilter_reload_{filter_name}'] = {
- 'command': f'virsh nwfilter-define /etc/bundlewrap/nwfilter/{filter_name}.xml',
+ 'command': (
+ f'UUID=$(virsh nwfilter-dumpxml {filter_name} 2>/dev/null | grep -oP "(?<=)[^<]+") && '
+ f'sed "1 a\\ $UUID" /etc/bundlewrap/nwfilter/{filter_name}.xml | virsh nwfilter-define /dev/stdin || '
+ f'virsh nwfilter-define /etc/bundlewrap/nwfilter/{filter_name}.xml'
+ ),
 'triggered': True,
 }
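Review bot: The `||` fallback in the new `'command'` masks failures of the UUID-preserving path: if `sed ... | virsh nwfilter-define /dev/stdin` fails for any reason other than the filter not existing yet (bad XML from the template, a malformed `$UUID`, a libvirt connection error hidden by `2>/dev/null`), the action silently retries the plain `virsh nwfilter-define` — the very UUID-conflict path this commit is meant to avoid — and reports only that second attempt's exit status. As rendered here, `grep -oP "(?<=)[^<]+"` has an empty lookbehind and the sed expression appends a bare `$UUID` line; if the `<uuid>` element tags were stripped when this patch was displayed, disregard that, otherwise the pattern matches every text run of the dump and the inserted line is not a valid element (and `grep -oP` without `-m1` can return several lines, which breaks the sed script). A simpler and deterministic fix needs no shell parsing at all: add `'uuid': str(uuid.uuid5(uuid.NAMESPACE_URL, filter_name)),` to the file's `context` dict (with `import uuid` at the top of items.py), emit `<uuid>${uuid}</uuid>` in the nwfilter.xml template, and revert the command to the single `virsh nwfilter-define /etc/bundlewrap/nwfilter/{filter_name}.xml` line. That keeps the filter's UUID stable across runs, so libvirt never sees a conflicting redefinition, and the action's exit status again reflects the one define that matters. The `for` loop enclosing this hunk starts before it, and `filter_name` is still interpolated into the shell string unquoted.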