From 0c937b8601e0e2afcc94ae66306b001f31a3f62a Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Fri, 24 Apr 2026 10:52:11 +0100
Subject: [PATCH] router: phase-2 cleanup + camera DHCP reservation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- trustedLegacyCidrs now empty; eno1 is strictly WAN
- AdGuard rewrite retargets nordhammer.it → 10.0.0.1 (the new router IP)
- dnsmasq pins the bedroom camera (f0:a7:31:6c:50:4b) to 10.0.0.39

Co-Authored-By: Claude Opus 4.7
---
 services/adguard.nix | 8 ++++----
 services/router.nix | 13 +++++++------
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/services/adguard.nix b/services/adguard.nix
index 471a78a..df36e6f 100644
--- a/services/adguard.nix
+++ b/services/adguard.nix
@@ -35,11 +35,11 @@
 { enabled = true; id = 3; name = "OISD Big"; url = "https://big.oisd.nl/"; }
 ];
- # Resolve our own hostnames to the mediaserver's LAN IP so LAN
- # clients bypass eero hairpin NAT. Update to 10.0.0.1 in phase 2.
+ # Resolve our own hostnames to the router's LAN IP so LAN clients
+ # bypass any NAT reflection.
 filtering.rewrites = [
- { domain = "nordhammer.it"; answer = "192.168.4.25"; }
- { domain = "*.nordhammer.it"; answer = "192.168.4.25"; }
+ { domain = "nordhammer.it"; answer = "10.0.0.1"; }
+ { domain = "*.nordhammer.it"; answer = "10.0.0.1"; }
 ];
 };
 };
diff --git a/services/router.nix b/services/router.nix
index f1e3449..cf480ef 100644
--- a/services/router.nix
+++ b/services/router.nix
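Review bot: The wildcard entry `{ domain = "*.nordhammer.it"; answer = "10.0.0.1"; }` makes every name under the zone resolve to the router for LAN clients, so any subdomain that is meant to point at an external host is shadowed, and the rewritten comment does not say that covering the whole zone is intended; either state it or narrow the entries to the hosts actually served from the router. The literal `10.0.0.1` is also hard-coded in router.nix (`option:router`, `option:dns-server`), so a LAN renumbering has to be made in two files; pulling the router LAN IP into one shared value is worth a follow-up. Until then a comment such as `# Must match the router LAN IP used in services/router.nix.` would at least record the coupling.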
@@ -17,12 +17,9 @@ let
 portsData = builtins.fromTOML (builtins.readFile ../ports.toml);
 destDefault = portsData.dest_default;
- # Phase 1 transition: the mediaserver is still a DHCP client on the eero's
- # network (192.168.4.0/22), and existing clients reach it via eno1. Trust
- # those subnets as input sources so SSH + AdGuard DNS keep working.
- # After cutover to eero bridge mode (phase 2), set this to [] — eno1
- # becomes strictly WAN-only.
- trustedLegacyCidrs = [ "192.168.4.0/22" ];
+ # Phase-1 transition list; empty now that eero is in bridge mode and
+ # eno1 is strictly the ISP-facing WAN.
+ trustedLegacyCidrs = [ ];
 legacyTrustRules = lib.concatMapStringsSep "\n " (cidr: ''iifname "eno1" ip saddr ${cidr} accept'')
@@ -168,6 +165,10 @@ in
 "option:router,10.0.0.1"
 "option:dns-server,10.0.0.1"
 ];
+ # Static reservations — format: "MAC,label,IP"
+ dhcp-host = [
+ "f0:a7:31:6c:50:4b,camera-bedroom,10.0.0.39"
+ ];
 # Helpful: log leases to the journal
 log-dhcp = true;
 };
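Review bot: With `trustedLegacyCidrs = [ ]` the generated `legacyTrustRules` string is empty, but the generator stays live and each entry it would emit, `iifname "eno1" ip saddr ${cidr} accept`, is an unconditional input accept from the ISP-facing interface; the new comment records the history but not that constraint. Either remove `trustedLegacyCidrs` and `legacyTrustRules` together with the place they are interpolated into the ruleset, or replace the comment with one that states the consequence, e.g. `# Must stay empty: every entry becomes an unconditional input accept from eno1 (WAN).` The `let` block continues outside the hunk, so the interpolation site cannot be checked here.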
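Review bot: The `dhcp-host` entry pins the camera's lease by its self-reported MAC, which is a convenience rather than an identity, so any nftables rule keyed on `10.0.0.39` only constrains whichever device presents that MAC; the comment should not read as if the reservation isolates the camera. In dnsmasq's `dhcp-host` syntax the middle field is the hostname handed to the client (and served by dnsmasq if it also answers DNS), not a free-form label, so `camera-bedroom` becomes a name on the LAN. Suggest `# Static reservations — format: "MAC,hostname,IP". Pins the lease only; egress limits for the camera belong in the nftables rules.` Whether `10.0.0.39` sits inside the configured `dhcp-range` is not visible in this hunk and is worth stating next to the entry.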