diff --git a/access.md b/access.md index 40a100f..162f322 100644 --- a/access.md +++ b/access.md 
@@ -53,30 +53,33 @@ apart — see the rule box below). ### B1. Netbird overlay — *on-demand only* (primary) -fisi is to be enrolled as a peer on the self-hosted Netbird control plane -(`nb.makerfloss.eu`), but the tunnel is brought **up only when needed and torn -down after**. This reaches other Netbird peers (mf04, mamba) on the -`100.92.0.0/16` overlay. +**fisi is enrolled** (2026-06-09) as peer `fisi-61-26.netbird.selfhosted` = +`100.99.61.26` on the self-hosted control plane `nb.makerfloss.eu`. The overlay +is the `100.99.0.0/16` net; mf04 is `100.99.133.190`. The Netbird service on +fisi is kept **stopped + disabled** — no standing tunnel. -One-time enrollment (needs a setup key from the `nb.makerfloss.eu` dashboard): +Per-session use (no setup key needed — enrollment is cached): ```bash -# install netbird (Debian) — see netbirdio docs / baobab.netbird_client role -netbird up --setup-key --management-url https://nb.makerfloss.eu -netbird status # confirm peers Connected +sudo systemctl start netbird # service is disabled by default +sudo netbird up # reconnect to the overlay +sudo netbird status # confirm Management/Signal Connected, peers up +ssh -p 7576 sjat@100.99.133.190 # e.g. mf04 directly over the overlay + +# TEAR DOWN when done — leave nothing standing: +sudo netbird down +sudo systemctl stop netbird ``` -Per-session use: - -```bash -netbird up # bring the overlay up for this session -# ... do the work, ssh to peer's 100.x address ... -netbird down # TEAR DOWN when done — do not leave it up -``` +If a peer shows but you can't reach it (`Peers count: 0/0` / 0 connected), the +**Netbird access policy** isn't linking fisi's group to that peer's group — +fix in the `nb.makerfloss.eu` dashboard (default policy is "all peers reach +all"). Re-enrollment (lost config) needs a fresh setup key from the dashboard: +`sudo netbird up --setup-key --management-url https://nb.makerfloss.eu`. 
> **Why on-demand:** sjat's explicit constraint — nothing from the makerspace -> should be able to bleed into fisi/the homelab. Netbird stays **down by -> default** on fisi; it is not a standing tunnel. +> should be able to bleed into fisi/the homelab. Netbird stays **stopped + +> disabled** on fisi; it is not a standing tunnel. See §C. ### B2. Via the makerfloss VPS bastion (no tunnel on fisi) diff --git a/network-map.md b/network-map.md index 53d5682..f944add 100644 --- a/network-map.md +++ b/network-map.md @@ -12,7 +12,7 @@ links below. Confirm live values before acting. | `172.17.3.0/24` | OrangeMakers LAN — `makerfloss1` at `.51`. | `AnsibleBaobabV4/host_vars/makerfloss1.yml` | | `10.0.0.0/24` | Makerspace LAN — `mf04` at `.184`. | `AnsibleBaobabV4/host_vars/mf04.yml` | | `10.13.0.0/24` | **makerfloss WireGuard plane (`wg1`)**. Hub `10.13.0.1` (VPS), `makerfloss1` `.2`, `mf04` `.3`, `sjat-roaming` `.5`. UDP `:51820`. | `AnsibleBaobabV4/host_vars/makerfloss.yml`, `specs/2026-05-12-makerfloss-wireguard-design.md` | -| `100.92.0.0/16` | **Netbird overlay** (`wt0`), control plane `nb.makerfloss.eu`. | `specs/2026-05-27-makerspace-vpn-design.md` | +| `100.99.0.0/16` | **Netbird overlay** (`wt0`), control plane `nb.makerfloss.eu`. Peers: mf04 `100.99.133.190`, fisi `100.99.61.26` (on-demand, normally down). | `specs/2026-05-27-makerspace-vpn-design.md` | | `10.8.0.0/24` | baobab (home) WireGuard plane. Hub **kuku** `10.8.0.1` (UDP `:51194`); mamba `10.8.0.4`. | `AnsibleBaobabV4` | | `10.20.10.0/24` | homelab LAN — **fisi** `.17`, kuku `.118`, papa `.11`. | `AnsibleBaobabV4` |
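Review bot: In the access.md hunk, the troubleshooting paragraph at the end of §B1 ("fix in the `nb.makerfloss.eu` dashboard (default policy is \"all peers reach all\")") points the reader at a policy that is the opposite of the constraint stated in the "Why on-demand" box just below it: an all-peers-reach-all policy makes fisi reachable from every makerspace peer whenever the tunnel is up, not just fisi reaching mf04. Suggest the paragraph instead name the intended policy (fisi's group to mf04's group, as narrow as the dashboard allows) and treat the default as the thing to move away from, so that a future reader does not "fix" connectivity by re-enabling the broad default. Smaller point in the same hunk: the teardown block ends with `sudo systemctl stop netbird` but nothing confirms the "stopped + disabled" state the text promises; adding a final `systemctl is-enabled netbird` (expected `disabled`) catches a stray `systemctl enable` before it becomes a standing tunnel.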
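Review bot: In the network-map.md hunk, the `100.99.0.0/16` row now carries the concrete peer addresses (mf04 `100.99.133.190`, fisi `100.99.61.26`) that access.md §B1 also states, while the row's source column still cites only `specs/2026-05-27-makerspace-vpn-design.md`, which predates the 2026-06-09 enrollment recorded in the other file. Two hand-maintained copies of the same addresses will drift; suggest either adding `access.md` §B1 to the source column of this row or keeping the row at "Peers: see access.md §B1" so the table keeps a single authoritative place for the values, in line with the "Confirm live values before acting" note at the top of the table.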