access: fisi enrolled in netbird (on-demand), record overlay facts
- fisi peer 100.99.61.26, service kept stopped+disabled
- documented on-demand bring-up/tear-down (no key needed; cached enrollment)
- overlay is 100.99.0.0/16; mf04 = 100.99.133.190
- note on policy 0/0-peers gotcha + re-enroll-with-key fallback

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
97dabfd928
commit
ade2dafee7
2 changed files with 21 additions and 18 deletions
37
access.md
@ -53,30 +53,33 @@ apart — see the rule box below).
### B1. Netbird overlay — *on-demand only* (primary)
fisi is to be enrolled as a peer on the self-hosted Netbird control plane
(`nb.makerfloss.eu`), but the tunnel is brought **up only when needed and torn
down after**. This reaches other Netbird peers (mf04, mamba) on the
`100.92.0.0/16` overlay.
**fisi is enrolled** (2026-06-09) as peer `fisi-61-26.netbird.selfhosted` =
`100.99.61.26` on the self-hosted control plane `nb.makerfloss.eu`. The overlay
is the `100.99.0.0/16` net; mf04 is `100.99.133.190`. The Netbird service on
fisi is kept **stopped + disabled** — no standing tunnel.
One-time enrollment (needs a setup key from the `nb.makerfloss.eu` dashboard):
Per-session use (no setup key needed — enrollment is cached):
```bash
# install netbird (Debian) — see netbirdio docs / baobab.netbird_client role
netbird up --setup-key <KEY> --management-url https://nb.makerfloss.eu
netbird status # confirm peers Connected
sudo systemctl start netbird # service is disabled by default
sudo netbird up # reconnect to the overlay
sudo netbird status # confirm Management/Signal Connected, peers up
ssh -p 7576 sjat@100.99.133.190 # e.g. mf04 directly over the overlay
# TEAR DOWN when done — leave nothing standing:
sudo netbird down
sudo systemctl stop netbird
```
Per-session use:
```bash
netbird up # bring the overlay up for this session
# ... do the work, ssh to peer's 100.x address ...
netbird down # TEAR DOWN when done — do not leave it up
```
If a peer shows but you can't reach it (`Peers count: 0/0` / 0 connected), the
**Netbird access policy** isn't linking fisi's group to that peer's group —
fix in the `nb.makerfloss.eu` dashboard (default policy is "all peers reach
all"). Re-enrollment (lost config) needs a fresh setup key from the dashboard:
`sudo netbird up --setup-key <KEY> --management-url https://nb.makerfloss.eu`.
> **Why on-demand:** sjat's explicit constraint — nothing from the makerspace
> should be able to bleed into fisi/the homelab. Netbird stays **down by
> default** on fisi; it is not a standing tunnel.
> should be able to bleed into fisi/the homelab. Netbird stays **stopped +
> disabled** on fisi; it is not a standing tunnel. See §C.
### B2. Via the makerfloss VPS bastion (no tunnel on fisi)
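Review bot: the troubleshooting paragraph near the end of this hunk ("default policy is \"all peers reach all\"") sits at odds with the "Why on-demand" rationale in the block quote right after it: with a default all-to-all access policy, every time fisi brings the tunnel up, every makerspace peer can reach fisi for that session, not only the peer being worked on. Suggest the doc name the group fisi is placed in and the policy that links it to mf04/mamba only, so "fix in the `nb.makerfloss.eu` dashboard" points at a deliberate rule rather than at restoring the permissive default. Minor wording in the same paragraph: "If a peer shows but you can't reach it (`Peers count: 0/0`)" contradicts itself, since a 0/0 count means no peer is listed at all; "if `netbird status` reports `Peers count: 0/0` even though the peer exists in the dashboard" reads cleaner.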
@ -12,7 +12,7 @@ links below. Confirm live values before acting.
| `172.17.3.0/24` | OrangeMakers LAN — `makerfloss1` at `.51`. | `AnsibleBaobabV4/host_vars/makerfloss1.yml` |
| `10.0.0.0/24` | Makerspace LAN — `mf04` at `.184`. | `AnsibleBaobabV4/host_vars/mf04.yml` |
| `10.13.0.0/24` | **makerfloss WireGuard plane (`wg1`)**. Hub `10.13.0.1` (VPS), `makerfloss1` `.2`, `mf04` `.3`, `sjat-roaming` `.5`. UDP `:51820`. | `AnsibleBaobabV4/host_vars/makerfloss.yml`, `specs/2026-05-12-makerfloss-wireguard-design.md` |
| `100.92.0.0/16` | **Netbird overlay** (`wt0`), control plane `nb.makerfloss.eu`. | `specs/2026-05-27-makerspace-vpn-design.md` |
| `100.99.0.0/16` | **Netbird overlay** (`wt0`), control plane `nb.makerfloss.eu`. Peers: mf04 `100.99.133.190`, fisi `100.99.61.26` (on-demand, normally down). | `specs/2026-05-27-makerspace-vpn-design.md` |
| `10.8.0.0/24` | baobab (home) WireGuard plane. Hub **kuku** `10.8.0.1` (UDP `:51194`); mamba `10.8.0.4`. | `AnsibleBaobabV4` |
| `10.20.10.0/24` | homelab LAN — **fisi** `.17`, kuku `.118`, papa `.11`. | `AnsibleBaobabV4` |
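Review bot: the `100.99.0.0/16` row keeps `specs/2026-05-27-makerspace-vpn-design.md` as its source, the same spec the `100.92.0.0/16` row cited; if that spec still gives the overlay as `100.92.0.0/16`, the table and its named source now disagree and the hunk header's "Confirm live values before acting" is the only guard against someone trusting the wrong one. Suggest either updating the spec in the same change or marking the prefix in this row as observed from `netbird status` (with the 2026-06-09 date) rather than sourced from the spec. Also worth stating in the fisi peer entry that the service is stopped + disabled, not just "normally down", since that is what B1 documents and what makes `100.99.61.26` unreachable between sessions.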