From 579840697799b8b7beba61d6a5c362022a1924d5 Mon Sep 17 00:00:00 2001
From: Noah Masur <7386960+nmasur@users.noreply.github.com>
Date: Mon, 19 Aug 2024 00:04:33 +0000
Subject: [PATCH] add denylist to top of caddy routes

---
 modules/nixos/services/caddy.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/nixos/services/caddy.nix b/modules/nixos/services/caddy.nix
index cde7cf2..36c8a46 100644
--- a/modules/nixos/services/caddy.nix
+++ b/modules/nixos/services/caddy.nix
@@ -46,7 +46,7 @@
 
     # Force Caddy to 403 if not coming from allowlisted source
     caddy.cidrAllowlist = [ "127.0.0.1/32" ];
-    caddy.routes = [
+    caddy.routes = lib.mkBefore [
       {
         match = [ { not = [ { remote_ip.ranges = config.caddy.cidrAllowlist; } ]; } ];
         handle = [