Commit graph

8 commits

Author SHA1 Message Date
sjat
29b4d8fea5 runbook: swap flossfw wg1 peer public key on operator onboarding
One-command vault edit (replace flossfw.public_key) + wireguard-server
redeploy + verify handshake, for when the TaPPaaS operator sends their
WireGuard public key.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 13:57:53 +02:00
sjat
8a5966e367 plan: TaPPaaS-side publishing (sendable, self-contained)
Standalone plan for the TaPPaaS operator's Claude Code: WireGuard client
(peer 10.13.0.9, split-tunnel), Caddy plain-HTTP backend on 10.13.0.9:80,
firewall lock to 10.13.0.1, internal split-horizon DNS. Bakes in the
verified VPS-side contract (hub endpoint/pubkey, preserved Host, *.tappaas
wildcard, public DNS) and the key-exchange handshake. Flags the internal-TLS
decision (internal CA vs Gandi DNS-01 vs no internal TLS).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 13:47:38 +02:00
sjat
2e3f38cb3a plan: TaPPaaS VPS-side publishing implementation
Bite-sized tasks for the AnsibleBaobabV4 changes: flossfw wg1 peer +
keypair, *.tappaas wildcard cert, catch-all delegate route, public DNS.
VPS-side deliverable = valid-TLS 502; end-to-end gated on TaPPaaS-side plan.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 10:33:10 +02:00
sjat
41d3b4074d design: route TaPPaaS web services through the VPS
Split-horizon DNS + public exposure under *.tappaas.makerfloss.eu,
reusing the proven mf01 publishing pattern (new wg1 peer, TLS terminates
at VPS, plain HTTP over wg1 to TaPPaaS Caddy). TaPPaaS-side config repo
left as an open item.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 10:00:29 +02:00
sjat
f11e6e12a4 docs: runbook for publishing services on mf01
How to publish HTTP services as <svc>.mf01.makerfloss.eu (VPS-terminated
TLS, wg1 inner hop, mf01 internal Traefik). Built + verified 2026-06-09.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 18:02:09 +02:00
sjat
ade2dafee7 access: fisi enrolled in netbird (on-demand), record overlay facts
- fisi peer 100.99.61.26, service kept stopped+disabled
- documented on-demand bring-up/tear-down (no key needed; cached enrollment)
- overlay is 100.99.0.0/16; mf04 = 100.99.133.190
- note on policy 0/0-peers gotcha + re-enroll-with-key fallback

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 13:39:34 +02:00
sjat
97dabfd928 network-map: resolve makerspace addressing from on-site checks
- data ports give 10.2.30.0/24 (sjat got .227), gw 10.2.30.1
- 10.2.30.0/24 and 10.0.0.0/24 inter-route via makerspace router
- note mf04 IP drift: actual 10.0.0.183, host_vars says .184

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 13:32:36 +02:00
sjat
9ff12700ae Initial troubleshooting workspace: access, network map, runbooks
Scaffold for troubleshooting MakerFLOSS hosts at the makerspace.
Reference + thin runbooks model — authoritative data stays in the
source repos (AnsibleBaobabV4, MakerFLOSS_Mikrotik, MakerFLOSS).

- access.md: reach paths for mamba-on-LAN and fisi-tunneling-in
  (netbird on-demand, VPS bastion, ProxyJump via kuku->mamba),
  with the isolation rule.
- network-map.md: subnet pointers + open question on makerspace
  addressing (10.2.30/172.17.3/10.0.0).
- runbooks/switch-crs310.md: CRS310 connectivity + lockout recovery.
- incidents/: dated log scaffold.
- CLAUDE.md: operating rules for this repo.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 13:24:26 +02:00