changeset 272:705698800bfb

workaround for wg+dns problem
author drewp@bigasterisk.com
date Sun, 03 Mar 2024 21:01:49 -0800
parents 0ed4add0b1a4
children f7178138b736
files templates/dnsmasq/dnsmasq.conf.j2 templates/resolved.conf.j2 templates/wireguard/wg0.conf.j2 wireguard.py
diffstat 4 files changed, 8 insertions(+), 3 deletions(-) [+]
--- a/templates/dnsmasq/dnsmasq.conf.j2	Fri Feb 16 20:10:20 2024 -0800
+++ b/templates/dnsmasq/dnsmasq.conf.j2	Sun Mar 03 21:01:49 2024 -0800
@@ -59,4 +59,7 @@
 {% if net == '10.2-filtered' %}
 # written by net_routes/dns_blocker.py
 addn-hosts=/opt/dnsmasq/10.2-filtered/dynamic-blocking
+# but! users of this dns server can't even look up names 
+# like 'ditto' since those come from dhcp on the 10.2.0.3
+# (nonfiltered) dnsmasq instance
 {% endif %}
--- a/templates/resolved.conf.j2	Fri Feb 16 20:10:20 2024 -0800
+++ b/templates/resolved.conf.j2	Sun Mar 03 21:01:49 2024 -0800
@@ -11,7 +11,8 @@
 
 {% else %}
 [Resolve]
-DNS=10.2.0.3
+# worst case- you might get a better one over DHCP, which would get listed AFTER this one so it needs to be the only one.
+#DNS=10.2.0.4
 #FallbackDNS=
 Domains=bigasterisk.com
 #LLMNR=no
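Review bot: Removing `DNS=10.2.0.3` while `#FallbackDNS=` stays commented out leaves this branch with no configured resolver at all, so a host that receives no DNS server over DHCP will, as far as I can tell, fall back to systemd-resolved's compiled-in public resolvers and silently bypass the filtered dnsmasq instance. If the intent is to rely on DHCP-supplied servers only, uncomment `FallbackDNS=` (empty) in the same section so that fallback is disabled rather than defaulted. The added comment is also hard to follow and the `#DNS=10.2.0.4` line is unexplained; suggest `# DNS= is intentionally unset: a static entry here would take precedence over a (better) server learned via DHCP, so let DHCP supply the resolver.` and either say what 10.2.0.4 is or drop that line.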
--- a/templates/wireguard/wg0.conf.j2	Fri Feb 16 20:10:20 2024 -0800
+++ b/templates/wireguard/wg0.conf.j2	Sun Mar 03 21:01:49 2024 -0800
@@ -25,5 +25,6 @@
     {{ peer_block('prime',       '10.5.0.0/24', 'public.bigasterisk.com:1195', 50) }}
     {# {{ peer_block('ditto',        '10.5.0.0/24', 'ditto:1195', 50) }} #}
 {% else %}
-    {{ peer_block('ditto',        '10.5.0.0/24', 'ditto:1195', 50) }}
+# note that hosts on filtered dns cannot currently look up the name 'ditto'
+    {{ peer_block('ditto',        '10.5.0.0/24', '10.2.0.133:1195', 50) }}
 {% endif %}
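Review bot: The new endpoint `10.2.0.133:1195` is a bare literal that nothing ties to the `ditto` peer except its position in the call, and it is the only place the address appears, so a change to ditto's address will not be caught anywhere. The added comment explains why the name was dropped but not what the literal is; change it to `# workaround: hosts on filtered dns cannot currently resolve 'ditto', so its 10.2.0.133 address is used directly (keep in sync if ditto's address changes)`. Since the same peer is still referenced by name in the jinja-commented line of the other branch, hoisting the address into a template variable shared by both branches would keep them from drifting apart.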
--- a/wireguard.py	Fri Feb 16 20:10:20 2024 -0800
+++ b/wireguard.py	Sun Mar 03 21:01:49 2024 -0800
@@ -67,7 +67,7 @@
     files.template(src='templates/wireguard/wg.service.j2',
                    dest=f'/etc/systemd/system/{svc}',
                    wireguard_interface=wireguard_interface)
-    systemd.service(service=f'{svc}', enabled=True, restarted=True, daemon_reload=True)
+    systemd.service(service=svc, enabled=True, restarted=True, daemon_reload=True)
 
     systemd.service(service=svc, daemon_reload=True, restarted=True, enabled=True)
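Review bot: The changed line `systemd.service(service=svc, enabled=True, restarted=True, daemon_reload=True)` is immediately followed by an identical call two lines below, so the WireGuard service is restarted twice on every run and the tunnel bounces twice. One of the two calls should be dropped; if the second was meant to do something different (for example a reload rather than a restart) that intent is lost in the duplication. The enclosing function starts outside the hunk.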