router: phase-2 cleanup + camera DHCP reservation

- trustedLegacyCidrs now empty; eno1 is strictly WAN - AdGuard rewrite retargets nordhammer.it → 10.0.0.1 (the new router IP) - dnsmasq pins the bedroom camera (f0:a7:31:6c:50:4b) to 10.0.0.39 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-24 10:52:11 +01:00 · 2026-04-24 10:52:11 +01:00 · 0c937b8601
commit 0c937b8601
parent 5426e3847b
2 changed files with 11 additions and 10 deletions
--- a/services/adguard.nix
+++ b/services/adguard.nix
@ -35,11 +35,11 @@
          { enabled = true; id = 3; name = "OISD Big";
            url = "https://big.oisd.nl/"; }
        ];
-        # Resolve our own hostnames to the mediaserver's LAN IP so LAN
-        # clients bypass eero hairpin NAT. Update to 10.0.0.1 in phase 2.
+        # Resolve our own hostnames to the router's LAN IP so LAN clients
+        # bypass any NAT reflection.
        filtering.rewrites = [
-          { domain = "nordhammer.it";   answer = "192.168.4.25"; }
-          { domain = "*.nordhammer.it"; answer = "192.168.4.25"; }
+          { domain = "nordhammer.it";   answer = "10.0.0.1"; }
+          { domain = "*.nordhammer.it"; answer = "10.0.0.1"; }
        ];
      };
    };
--- a/services/router.nix
+++ b/services/router.nix
@ -17,12 +17,9 @@ let
  portsData = builtins.fromTOML (builtins.readFile ../ports.toml);
  destDefault = portsData.dest_default;

-  # Phase 1 transition: the mediaserver is still a DHCP client on the eero's
-  # network (192.168.4.0/22), and existing clients reach it via eno1. Trust
-  # those subnets as input sources so SSH + AdGuard DNS keep working.
-  # After cutover to eero bridge mode (phase 2), set this to [] — eno1
-  # becomes strictly WAN-only.
-  trustedLegacyCidrs = [ "192.168.4.0/22" ];
+  # Phase-1 transition list; empty now that eero is in bridge mode and
+  # eno1 is strictly the ISP-facing WAN.
+  trustedLegacyCidrs = [ ];

  legacyTrustRules = lib.concatMapStringsSep "\n            "
    (cidr: ''iifname "eno1" ip saddr ${cidr} accept'')
@ -168,6 +165,10 @@ in
          "option:router,10.0.0.1"
          "option:dns-server,10.0.0.1"
        ];
+        # Static reservations — format: "MAC,label,IP"
+        dhcp-host = [
+          "f0:a7:31:6c:50:4b,camera-bedroom,10.0.0.39"
+        ];
        # Helpful: log leases to the journal
        log-dhcp = true;
      };