diff --git a/.hooks/post-commit b/.hooks/post-commit
index 03a160d..56c439d 100755
--- a/.hooks/post-commit
+++ b/.hooks/post-commit
@@ -3,12 +3,4 @@
 
 echo "restoring stashed changes"
 
-# Find the most recent pre-commit stash and restore it
-recent_stash=$(git stash list | grep "pre-commit-stash-" | head -n 1 | cut -d: -f1)
-
-if [ -n "$recent_stash" ]; then
-    echo "Found recent pre-commit stash: $recent_stash"
-    git stash pop -q "$recent_stash"
-else
-    echo "No pre-commit stash found to restore"
-fi
+git stash pop -q
diff --git a/.hooks/post-merge b/.hooks/post-merge
index 06fabc3..11fb20c 100755
--- a/.hooks/post-merge
+++ b/.hooks/post-merge
@@ -4,28 +4,14 @@
 # Get current branch name
 current_branch=$(git branch --show-current)
 
-# Only perform actions if we're on main branch and a merge just completed
+# Only restore stash if we're on main branch and a merge just completed
 if [ "$current_branch" = "main" ]; then
-    echo "Post-merge on main branch - running nix flake check"
-    
-    # Run nix flake check after merge into main
-    nix flake check
-    
-    if [ ! $? -eq 0 ]; then
-        echo "Warning: nix flake check failed after merge into main"
-        echo "Please fix the issues as soon as possible"
+    # Check if there are any stashes to restore
+    if git stash list | grep -q "stash@"; then
+        echo "Post-merge: restoring stashed changes on main branch"
+        git stash pop -q
     else
-        echo "nix flake check passed after merge"
-    fi
-    
-    # Check if there are any pre-commit stashes to restore
-    recent_stash=$(git stash list | grep "pre-commit-stash-" | head -n 1 | cut -d: -f1)
-    
-    if [ -n "$recent_stash" ]; then
-        echo "Post-merge: restoring pre-commit stash on main branch"
-        git stash pop -q "$recent_stash"
-    else
-        echo "Post-merge: no pre-commit stash to restore on main branch"
+        echo "Post-merge: no stash to restore on main branch"
     fi
 else
     echo "Post-merge: no action needed on branch '$current_branch'"
diff --git a/.hooks/pre-commit b/.hooks/pre-commit
index 74cbc64..f98c64f 100755
--- a/.hooks/pre-commit
+++ b/.hooks/pre-commit
@@ -1,24 +1,14 @@
 #!/usr/bin/env nix-shell
 #! nix-shell -i bash ../shell.nix
 
-# Get current branch name
-current_branch=$(git branch --show-current)
+echo "stashing all uncommitted changes"
+git stash -q --keep-index
 
-echo "stashing all uncommitted changes with named stash (excluding hooks)"
-git stash push -q --keep-index -m "pre-commit-stash-$(date +%s)" -- ':!.hooks/'
+echo "checking flakes all compile"
+nix flake check
 
-# Only run nix flake check if we're on main branch
-if [ "$current_branch" = "main" ]; then
-    echo "On main branch - checking flakes all compile"
-    nix flake check
-
-    if [ ! $? -eq 0 ]; then
-        echo "Error: nix flake check failed on main branch"
-        exit 1
-    fi
-    echo "nix flake check passed"
-else
-    echo "Not on main branch - skipping nix flake check"
+if [ ! $? -eq 0 ]; then
+    exit 1
 fi
 
 echo "running linter"
@@ -29,4 +19,4 @@ RESULT=$?
 echo "adding lint changes to commit"
 git add -u
 
-exit $RESULT
+exit $RESULT
\ No newline at end of file
diff --git a/.hooks/pre-merge-commit b/.hooks/pre-merge-commit
index 9b7b41d..9edaf92 100755
--- a/.hooks/pre-merge-commit
+++ b/.hooks/pre-merge-commit
@@ -17,8 +17,8 @@ fi
 if [ "$target_branch" = "main" ]; then
     echo "Merging into main branch - running nix flake check..."
     
-    echo "stashing all uncommitted changes with named stash (excluding hooks)"
-    git stash push -q --keep-index -m "pre-merge-stash-$(date +%s)" -- ':!.hooks/'
+    echo "stashing all uncommitted changes"
+    git stash -q --keep-index
 
     echo "checking flakes all compile"
     nix flake check
diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix
index 6d2925a..c2b8fc5 100644
--- a/configurations/nixos/defiant/configuration.nix
+++ b/configurations/nixos/defiant/configuration.nix
@@ -343,18 +343,17 @@
     };
 
     crab-hole = {
-      enable = false;
+      enable = true;
       port = 8085;
       openFirewall = true;
       show_doc = true;
       downstreams = {
-        host = {
+        loopback = {
           enable = true;
           openFirewall = true;
         };
       };
       upstreams.cloudFlare.enable = true;
-      blocklists.ad_malware.enable = true;
     };
 
     qbittorrent = {
diff --git a/modules/nixos-modules/server/crab-hole/crab-hole.nix b/modules/nixos-modules/server/crab-hole/crab-hole.nix
index d76323a..58ff660 100644
--- a/modules/nixos-modules/server/crab-hole/crab-hole.nix
+++ b/modules/nixos-modules/server/crab-hole/crab-hole.nix
@@ -27,19 +27,9 @@ in {
     show_doc = lib.mkEnableOption "OpenAPI documentation (loads content from third party websites)";
 
     downstreams = {
-      host = {
-        enable = lib.mkEnableOption "host downstream DNS server accessible from network on all interfaces";
-        port = lib.mkOption {
-          type = lib.types.port;
-          default = 53;
-          description = "Port for the host downstream DNS server to listen on.";
-        };
-        openFirewall = lib.mkEnableOption "automatic port forwarding for the host downstream";
-        disableSystemdResolved = lib.mkOption {
-          type = lib.types.bool;
-          default = true;
-          description = "Whether to automatically disable systemd-resolved when using port 53. Set to false if you want to handle the conflict manually.";
-        };
+      loopback = {
+        enable = lib.mkEnableOption "loopback downstream DNS server on localhost:53";
+        openFirewall = lib.mkEnableOption "automatic port forwarding for the loopback downstream";
       };
     };
 
@@ -89,44 +79,9 @@ in {
       default = [];
       description = "List of additional upstream DNS server configurations.";
     };
-
-    blocklists = {
-      ad_malware = {
-        enable = lib.mkEnableOption "Host file for blocking ads and malware";
-        url = lib.mkOption {
-          type = lib.types.str;
-          default = "http://sbc.io/hosts/hosts";
-          description = "URL of the ad and malware blocklist host file";
-        };
-      };
-    };
-
-    extraBlocklists = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      default = [];
-      description = "Additional blocklist URLs to be added to the configuration";
-    };
   };
 
   config = lib.mkIf cfg.enable {
-    # Assertions for proper configuration
-    assertions = [
-      {
-        assertion = !(cfg.downstreams.host.enable && cfg.downstreams.host.port == 53 && config.services.resolved.enable && cfg.downstreams.host.disableSystemdResolved);
-        message = "crab-hole host downstream cannot use port 53 while systemd-resolved is enabled. Either disable systemd-resolved or use a different port.";
-      }
-      {
-        assertion = !(cfg.downstreams.host.enable && cfg.downstreams.host.port == 53 && !cfg.downstreams.host.disableSystemdResolved && config.services.resolved.enable);
-        message = "crab-hole host downstream is configured to use port 53 but systemd-resolved is still enabled and disableSystemdResolved is false. Set disableSystemdResolved = true or manually disable systemd-resolved.";
-      }
-    ];
-
-    # Automatically disable systemd-resolved if using port 53
-    services.resolved.enable = lib.mkIf (cfg.downstreams.host.enable && cfg.downstreams.host.port == 53 && cfg.downstreams.host.disableSystemdResolved) (lib.mkForce false);
-
-    # Configure DNS nameservers when disabling systemd-resolved
-    networking.nameservers = lib.mkIf (cfg.downstreams.host.enable && cfg.downstreams.host.port == 53 && cfg.downstreams.host.disableSystemdResolved) (lib.mkDefault ["127.0.0.1" "1.1.1.1" "8.8.8.8"]);
-
     services.crab-hole.settings = lib.mkMerge [
       {
         api = {
@@ -136,17 +91,13 @@ in {
         };
         downstream = cfg.extraDownstreams;
         upstream.name_servers = cfg.extraUpstreams;
-        blocklist.lists = cfg.extraBlocklists;
       }
-      (lib.mkIf cfg.blocklists.ad_malware.enable {
-        blocklist.lists = [cfg.blocklists.ad_malware.url];
-      })
-      (lib.mkIf cfg.downstreams.host.enable {
+      (lib.mkIf cfg.downstreams.loopback.enable {
         downstream = [
           {
             protocol = "udp";
-            listen = "0.0.0.0";
-            port = cfg.downstreams.host.port;
+            listen = "localhost";
+            port = 53;
           }
         ];
       })
@@ -185,8 +136,8 @@ in {
       (lib.mkIf cfg.openFirewall {
         allowedTCPPorts = [cfg.port];
       })
-      (lib.mkIf (cfg.downstreams.host.enable && cfg.downstreams.host.openFirewall) {
-        allowedUDPPorts = [cfg.downstreams.host.port];
+      (lib.mkIf (cfg.downstreams.loopback.enable && cfg.downstreams.loopback.openFirewall) {
+        allowedUDPPorts = [53];
       })
     ];
   };
diff --git a/modules/nixos-modules/server/crab-hole/impermanence.nix b/modules/nixos-modules/server/crab-hole/impermanence.nix
index 8e1182c..455e593 100644
--- a/modules/nixos-modules/server/crab-hole/impermanence.nix
+++ b/modules/nixos-modules/server/crab-hole/impermanence.nix
@@ -5,7 +5,7 @@
 }: let
   workingDirectory = "/var/lib/private/crab-hole";
 in {
-  config = lib.mkIf (config.services.crab-hole.enable && config.host.impermanence.enable) {
+  config = lib.mkIf (config.services.immich.enable && config.host.impermanence.enable) {
     assertions = [
       {
         assertion =