fix(wireguard): resolve routing loop and update VPN endpoint

- Disable firewall to allow VPN traffic
- Switch DNS from VPN server (10.0.1.65) to Cloudflare (1.1.1.1)
- Use direct IP endpoint (69.48.243.22) instead of DNS hostname to
  prevent resolution failures when DNS routes through the tunnel
- Add pre/post routing rules to avoid routing loop by sending VPN
  endpoint traffic via the local gateway

Constraint: endpoint must be an IP, not hostname, to avoid DNS chicken-and-egg
Rejected: keep DNS hostname endpoint | fails when DNS resolves through tunnel
Confidence: high
Scope-risk: moderate

configuration.nix

@@ -125,7 +125,7 @@
   # networking.firewall.allowedTCPPorts = [ ... ];
   # networking.firewall.allowedUDPPorts = [ ... ];
   # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
+  networking.firewall.enable = false;
 
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
@@ -182,12 +182,22 @@
   # WireGuard VPN
   networking.wg-quick.interfaces.wg0 = {
     address = [ "10.0.1.67/32" ];
-    dns = [ "10.0.1.65" ];
+    dns = [ "1.1.1.1" ];
     privateKeyFile = "/etc/wireguard/private.key";
 
+    # Route endpoint via local gateway to avoid routing loop
+    preUp = ''
+      GW=$(ip route show default | awk '{print $3; exit}')
+      DEV=$(ip route show default | awk '{print $5; exit}')
+      ip route add 69.48.243.22/32 via "$GW" dev "$DEV" || true
+    '';
+    postDown = ''
+      ip route del 69.48.243.22/32 || true
+    '';
+
     peers = [{
       publicKey = "VEpzr/CeGdS6Wsy0NDDfmlB/bCYxS55A155HWGCIIzc=";
-      endpoint = "vpn.leeworks.dev:51820";
+      endpoint = "69.48.243.22:51820";
       # Route all traffic through VPN EXCEPT the local 10.0.0.0/24 network
       allowedIPs = [
         "0.0.0.0/5"