access: fisi enrolled in netbird (on-demand), record overlay facts

- fisi peer 100.99.61.26, service kept stopped+disabled
- documented on-demand bring-up/tear-down (no key needed; cached enrollment)
- overlay is 100.99.0.0/16; mf04 = 100.99.133.190
- note on policy 0/0-peers gotcha + re-enroll-with-key fallback

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
sjat 2026-06-09 13:39:34 +02:00
parent 97dabfd928
commit ade2dafee7
2 changed files with 21 additions and 18 deletions


@ -53,30 +53,33 @@ apart — see the rule box below).
### B1. Netbird overlay — *on-demand only* (primary) ### B1. Netbird overlay — *on-demand only* (primary)
fisi is to be enrolled as a peer on the self-hosted Netbird control plane **fisi is enrolled** (2026-06-09) as peer `fisi-61-26.netbird.selfhosted` =
(`nb.makerfloss.eu`), but the tunnel is brought **up only when needed and torn `100.99.61.26` on the self-hosted control plane `nb.makerfloss.eu`. The overlay
down after**. This reaches other Netbird peers (mf04, mamba) on the is the `100.99.0.0/16` net; mf04 is `100.99.133.190`. The Netbird service on
`100.92.0.0/16` overlay. fisi is kept **stopped + disabled** — no standing tunnel.
One-time enrollment (needs a setup key from the `nb.makerfloss.eu` dashboard): Per-session use (no setup key needed — enrollment is cached):
```bash ```bash
# install netbird (Debian) — see netbirdio docs / baobab.netbird_client role sudo systemctl start netbird # service is disabled by default
netbird up --setup-key <KEY> --management-url https://nb.makerfloss.eu sudo netbird up # reconnect to the overlay
netbird status # confirm peers Connected sudo netbird status # confirm Management/Signal Connected, peers up
ssh -p 7576 sjat@100.99.133.190 # e.g. mf04 directly over the overlay
# TEAR DOWN when done — leave nothing standing:
sudo netbird down
sudo systemctl stop netbird
``` ```
Per-session use: If a peer shows but you can't reach it (`Peers count: 0/0` / 0 connected), the
**Netbird access policy** isn't linking fisi's group to that peer's group —
```bash fix in the `nb.makerfloss.eu` dashboard (default policy is "all peers reach
netbird up # bring the overlay up for this session all"). Re-enrollment (lost config) needs a fresh setup key from the dashboard:
# ... do the work, ssh to peer's 100.x address ... `sudo netbird up --setup-key <KEY> --management-url https://nb.makerfloss.eu`.
netbird down # TEAR DOWN when done — do not leave it up
```
> **Why on-demand:** sjat's explicit constraint — nothing from the makerspace > **Why on-demand:** sjat's explicit constraint — nothing from the makerspace
> should be able to bleed into fisi/the homelab. Netbird stays **down by > should be able to bleed into fisi/the homelab. Netbird stays **stopped +
> default** on fisi; it is not a standing tunnel. > disabled** on fisi; it is not a standing tunnel. See §C.
### B2. Via the makerfloss VPS bastion (no tunnel on fisi) ### B2. Via the makerfloss VPS bastion (no tunnel on fisi)
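Review bot: the troubleshooting paragraph in the new B1 text (right-hand column, "If a peer shows but you can't reach it (`Peers count: 0/0` / 0 connected)") conflates two different states. `Peers count: 0/0` means management has handed fisi no peers at all, which is exactly the access-policy symptom the paragraph goes on to describe; but "a peer shows but you can't reach it" would read as `Peers count: 0/1` (or similar) with the peer listed and not Connected, and that points at connectivity (Signal/relay/NAT traversal, or the peer's own firewall) rather than at the policy. Suggest splitting the sentence: `0/0` → check that the dashboard policy links fisi's group to the target's group; peer listed but not Connected → look at `sudo netbird status -d` for that peer and check the peer side. Separately, since the stated invariant is "stopped + disabled, no standing tunnel", the tear-down block would benefit from a one-line verification after `sudo systemctl stop netbird`, e.g. `systemctl is-enabled netbird` should print `disabled` and `ip link show wt0` should report no such device, so a reader can confirm nothing was left up before walking away.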


@ -12,7 +12,7 @@ links below. Confirm live values before acting.
| `172.17.3.0/24` | OrangeMakers LAN — `makerfloss1` at `.51`. | `AnsibleBaobabV4/host_vars/makerfloss1.yml` | | `172.17.3.0/24` | OrangeMakers LAN — `makerfloss1` at `.51`. | `AnsibleBaobabV4/host_vars/makerfloss1.yml` |
| `10.0.0.0/24` | Makerspace LAN — `mf04` at `.184`. | `AnsibleBaobabV4/host_vars/mf04.yml` | | `10.0.0.0/24` | Makerspace LAN — `mf04` at `.184`. | `AnsibleBaobabV4/host_vars/mf04.yml` |
| `10.13.0.0/24` | **makerfloss WireGuard plane (`wg1`)**. Hub `10.13.0.1` (VPS), `makerfloss1` `.2`, `mf04` `.3`, `sjat-roaming` `.5`. UDP `:51820`. | `AnsibleBaobabV4/host_vars/makerfloss.yml`, `specs/2026-05-12-makerfloss-wireguard-design.md` | | `10.13.0.0/24` | **makerfloss WireGuard plane (`wg1`)**. Hub `10.13.0.1` (VPS), `makerfloss1` `.2`, `mf04` `.3`, `sjat-roaming` `.5`. UDP `:51820`. | `AnsibleBaobabV4/host_vars/makerfloss.yml`, `specs/2026-05-12-makerfloss-wireguard-design.md` |
| `100.92.0.0/16` | **Netbird overlay** (`wt0`), control plane `nb.makerfloss.eu`. | `specs/2026-05-27-makerspace-vpn-design.md` | | `100.99.0.0/16` | **Netbird overlay** (`wt0`), control plane `nb.makerfloss.eu`. Peers: mf04 `100.99.133.190`, fisi `100.99.61.26` (on-demand, normally down). | `specs/2026-05-27-makerspace-vpn-design.md` |
| `10.8.0.0/24` | baobab (home) WireGuard plane. Hub **kuku** `10.8.0.1` (UDP `:51194`); mamba `10.8.0.4`. | `AnsibleBaobabV4` | | `10.8.0.0/24` | baobab (home) WireGuard plane. Hub **kuku** `10.8.0.1` (UDP `:51194`); mamba `10.8.0.4`. | `AnsibleBaobabV4` |
| `10.20.10.0/24` | homelab LAN — **fisi** `.17`, kuku `.118`, papa `.11`. | `AnsibleBaobabV4` | | `10.20.10.0/24` | homelab LAN — **fisi** `.17`, kuku `.118`, papa `.11`. | `AnsibleBaobabV4` |
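Review bot: the overlay prefix in the Netbird row changes from `100.92.0.0/16` to `100.99.0.0/16`, but the row's source column still cites `specs/2026-05-27-makerspace-vpn-design.md`, which is not one of the two files this commit touches. If that spec still states `100.92.0.0/16`, the table now disagrees with the document it names as its source, and the hunk header's own instruction ("Confirm live values before acting") gives a reader no way to tell which one is stale; either update the spec in the same change or note in the row that the range was taken from the live enrollment on 2026-06-09 and the spec predates it. The added peer entries (mf04 `100.99.133.190`, fisi `100.99.61.26`, on-demand, normally down) do match the B1 text in the other file, so the two edited files are at least consistent with each other.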