From 8b5111e9a1110a02a21115796f36f3a4cc7bcc36 Mon Sep 17 00:00:00 2001
From: 0xWheatyz
Date: Wed, 15 Apr 2026 19:12:34 -0400
Subject: [PATCH] fix(wireguard): move endpoint route to preUp/postDown hooks

postUp runs after wg-quick has already rerouted all traffic through the tunnel, making external DNS unreachable. Use preUp to add the host route before routing changes, and postDown to clean up after.
---
 configuration.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 6719a58..e87acb0 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -180,13 +180,13 @@
 dns = [ "10.0.1.65" ];
 privateKeyFile = "/etc/wireguard/private.key";
- postUp = ''
+ preUp = ''
 ENDPOINT_IP=$(${pkgs.dig}/bin/dig +short vpn.leeworks.dev @1.1.1.1 | head -1)
 GATEWAY=$(${pkgs.iproute2}/bin/ip route show default | ${pkgs.gawk}/bin/awk '{print $3}')
 DEV=$(${pkgs.iproute2}/bin/ip route show default | ${pkgs.gawk}/bin/awk '{print $5}')
 ${pkgs.iproute2}/bin/ip route add "$ENDPOINT_IP" via "$GATEWAY" dev "$DEV"
 '';
- preDown = ''
+ postDown = ''
 ENDPOINT_IP=$(${pkgs.dig}/bin/dig +short vpn.leeworks.dev @1.1.1.1 | head -1)
 ${pkgs.iproute2}/bin/ip route del "$ENDPOINT_IP" || true
 '';
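Review bot: The `ENDPOINT_IP` value in the new `preUp` goes straight from a plaintext `dig … @1.1.1.1` answer into `ip route add`, with no check that it is a non-empty IPv4 literal. `dig +short | head -1` prints a CNAME target first when the name is an alias and prints nothing when the lookup fails; the hook's last command then fails, and because it now runs before the interface exists, wg-quick will presumably abort bring-up (confirm against the wg-quick module). `postDown` resolves the name a second time, so if the record changed while the tunnel was up, the old host route outside the tunnel is never deleted and `|| true` hides that. I would validate the answer, use `ip route replace` so a leftover route does not fail the hook, and record the address in `preUp` for `postDown` to read back. The state path in the sketch is a placeholder, and the enclosing interface definition starts and ends outside the hunk.

```nix
preUp = ''
  STATE=/run/wg-endpoint-ip   # placeholder path; use this host's runtime state location
  ENDPOINT_IP=$(${pkgs.dig}/bin/dig +short A vpn.leeworks.dev @1.1.1.1 | ${pkgs.gnugrep}/bin/grep -E -m1 '^[0-9]+(\.[0-9]+){3}$')
  # … unchanged: GATEWAY and DEV lookups …
  [ -n "$ENDPOINT_IP" ] || { echo "endpoint lookup returned no IPv4 address" >&2; exit 1; }
  ${pkgs.iproute2}/bin/ip route replace "$ENDPOINT_IP" via "$GATEWAY" dev "$DEV"
  printf '%s\n' "$ENDPOINT_IP" > "$STATE"
'';
postDown = ''
  STATE=/run/wg-endpoint-ip   # same placeholder path as in preUp
  [ -r "$STATE" ] && ${pkgs.iproute2}/bin/ip route del "$(cat "$STATE")" || true
  rm -f "$STATE"
'';
```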