stubby: make resolv.conf immutable

profiles/misc/stubby.nix

@@ -1,4 +1,4 @@
-{ ... }: {
+{ pkgs, ... }: {
   services.stubby = {
     enable = true;
     upstreamServers = ''
@@ -21,6 +21,13 @@
     };
   };
 
+  system.activationScripts.immutableDns = {
+    text = ''
+      ${pkgs.e2fsprogs}/bin/chattr +i /etc/resolv.conf
+    '';
+    deps = [ ];
+  };
+
   networking = {
     networkmanager.dns = "none";
     resolvconf.dnsExtensionMechanism = false;