diff --git a/modules/nixos/services/caddy.nix b/modules/nixos/services/caddy.nix
index cde7cf2..36c8a46 100644
--- a/modules/nixos/services/caddy.nix
+++ b/modules/nixos/services/caddy.nix
@@ -46,7 +46,7 @@
 
     # Force Caddy to 403 if not coming from allowlisted source
     caddy.cidrAllowlist = [ "127.0.0.1/32" ];
-    caddy.routes = [
+    caddy.routes = lib.mkBefore [
       {
         match = [ { not = [ { remote_ip.ranges = config.caddy.cidrAllowlist; } ]; } ];
         handle = [