rope/nixos
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

router: phase-2 cleanup + camera DHCP reservation

Browse source 
- trustedLegacyCidrs now empty; eno1 is strictly WAN
- AdGuard rewrite retargets nordhammer.it → 10.0.0.1 (the new router IP)
- dnsmasq pins the bedroom camera (f0:a7:31:6c:50:4b) to 10.0.0.39

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
ediblerope 2026-04-24 10:52:11 +01:00
parent 5426e3847b
commit 0c937b8601
2 changed files with 11 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

8
services/adguard.nix
View file

@ -35,11 +35,11 @@
{ enabled = true; id = 3; name = "OISD Big"; { enabled = true; id = 3; name = "OISD Big";
url = "https://big.oisd.nl/"; } url = "https://big.oisd.nl/"; }
]; ];
# Resolve our own hostnames to the mediaserver's LAN IP so LAN # Resolve our own hostnames to the router's LAN IP so LAN clients
# clients bypass eero hairpin NAT. Update to 10.0.0.1 in phase 2. # bypass any NAT reflection.
filtering.rewrites = [ filtering.rewrites = [
{ domain = "nordhammer.it"; answer = "192.168.4.25"; } { domain = "nordhammer.it"; answer = "10.0.0.1"; }
{ domain = "*.nordhammer.it"; answer = "192.168.4.25"; } { domain = "*.nordhammer.it"; answer = "10.0.0.1"; }
]; ];
}; };
}; };

13
services/router.nix
View file

@ -17,12 +17,9 @@ let
portsData = builtins.fromTOML (builtins.readFile ../ports.toml); portsData = builtins.fromTOML (builtins.readFile ../ports.toml);
destDefault = portsData.dest_default; destDefault = portsData.dest_default;
# Phase 1 transition: the mediaserver is still a DHCP client on the eero's # Phase-1 transition list; empty now that eero is in bridge mode and
# network (192.168.4.0/22), and existing clients reach it via eno1. Trust # eno1 is strictly the ISP-facing WAN.
# those subnets as input sources so SSH + AdGuard DNS keep working. trustedLegacyCidrs = [ ];
# After cutover to eero bridge mode (phase 2), set this to [] — eno1
# becomes strictly WAN-only.
trustedLegacyCidrs = [ "192.168.4.0/22" ];
legacyTrustRules = lib.concatMapStringsSep "\n " legacyTrustRules = lib.concatMapStringsSep "\n "
(cidr: ''iifname "eno1" ip saddr ${cidr} accept'') (cidr: ''iifname "eno1" ip saddr ${cidr} accept'')
@ -168,6 +165,10 @@ in
"option:router,10.0.0.1" "option:router,10.0.0.1"
"option:dns-server,10.0.0.1" "option:dns-server,10.0.0.1"
]; ];
# Static reservations — format: "MAC,label,IP"
dhcp-host = [
"f0:a7:31:6c:50:4b,camera-bedroom,10.0.0.39"
];
# Helpful: log leases to the journal # Helpful: log leases to the journal
log-dhcp = true; log-dhcp = true;
}; };