MakerFLOSS_Troubleshooting/access.md
sjat ade2dafee7 access: fisi enrolled in netbird (on-demand), record overlay facts
- fisi peer 100.99.61.26, service kept stopped+disabled
- documented on-demand bring-up/tear-down (no key needed; cached enrollment)
- overlay is 100.99.0.0/16; mf04 = 100.99.133.190
- note on policy 0/0-peers gotcha + re-enroll-with-key fallback

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 13:39:34 +02:00

7 KiB
Raw Permalink Blame History

Access — reaching MakerFLOSS / makerspace hosts

How to get a shell on the hosts we troubleshoot, from each place you might be working. Read the section that matches your situation.

There are two actors:

  • You (sjat) — at the makerspace with mamba (laptop), or elsewhere.
  • Claude — lives on fisi (homelab) and must tunnel in to help at the makerspace.

The hosts and where they live

Host Address SSH Where it sits Notes
makerfloss VPS 88.99.32.236 / makerfloss.eu :7576 Public (Hetzner) Public entrypoint + bastion. Forgejo on :7577. WG wg1 hub 10.13.0.1. Netbird control plane nb.makerfloss.eu.
makerfloss1 172.17.3.51 :7576 Makerspace LAN Local Docker/dev host. wg1 peer 10.13.0.2 (full-tunnel).
mf04 10.0.0.184 :7576 Makerspace LAN Testmachine. wg1 peer 10.13.0.3 (split-tunnel). Netbird peer.
crs310-maker (switch) mgmt 192.168.88.1 :22 Makerspace, port ether8 only Mgmt VLAN 99, isolated. Data VLAN 30 = 10.2.30.0/24. See runbooks/switch-crs310.md.
fisi (home) 10.20.10.17 :7576 Homelab Where Claude runs. Behind OPNsense; baobab WG hub is kuku (10.8.0.1, UDP 51194).
mamba (laptop) LAN-dependent :7576 Roams Baobab WG peer 10.8.0.4; makerfloss wg1 roaming peer 10.13.0.5; Netbird peer.

The makerspace addressing is not fully pinned — see the open question in network-map.md. Confirm the host's current IP before relying on the table.


A. You're at the makerspace with mamba (on the LAN)

Easiest case — mamba is directly on the makerspace network.

  • The switch (mgmt): plug mamba into ether8 (mgmt VLAN 99). You get a DHCP lease in 192.168.88.10254; switch is 192.168.88.1 (SSH, and web UI http://192.168.88.1). A pinned NetworkManager profile crs310-bench / static 192.168.88.2 is documented in the Mikrotik repo for this.
  • The switch (data ports ether27): you land on data VLAN 30 (10.2.30.0/24, gateway .1) — normal user network, no switch mgmt here.
  • makerfloss1 / mf04: SSH directly to their LAN IPs (172.17.3.51, 10.0.0.184) on :7576.

For Ansible against the switch from mamba, run from the MakerFLOSS_Mikrotik repo with mamba on ether8.


B. Claude tunneling in from fisi (no laptop at the makerspace)

fisi has no direct route to the makerspace LAN. Pick one path. Ordered by preference given the isolation requirement (keep makerspace and homelab apart — see the rule box below).

B1. Netbird overlay — on-demand only (primary)

fisi is enrolled (2026-06-09) as peer fisi-61-26.netbird.selfhosted = 100.99.61.26 on the self-hosted control plane nb.makerfloss.eu. The overlay is the 100.99.0.0/16 net; mf04 is 100.99.133.190. The Netbird service on fisi is kept stopped + disabled — no standing tunnel.

Per-session use (no setup key needed — enrollment is cached):

sudo systemctl start netbird     # service is disabled by default
sudo netbird up                  # reconnect to the overlay
sudo netbird status              # confirm Management/Signal Connected, peers up
ssh -p 7576 sjat@100.99.133.190  # e.g. mf04 directly over the overlay

# TEAR DOWN when done — leave nothing standing:
sudo netbird down
sudo systemctl stop netbird

If a peer shows but you can't reach it (Peers count: 0/0 / 0 connected), the Netbird access policy isn't linking fisi's group to that peer's group — fix in the nb.makerfloss.eu dashboard (default policy is "all peers reach all"). Re-enrollment (lost config) needs a fresh setup key from the dashboard: sudo netbird up --setup-key <KEY> --management-url https://nb.makerfloss.eu.

Why on-demand: sjat's explicit constraint — nothing from the makerspace should be able to bleed into fisi/the homelab. Netbird stays stopped + disabled on fisi; it is not a standing tunnel. See §C.

B2. Via the makerfloss VPS bastion (no tunnel on fisi)

The cleanest isolation-preserving path: fisi only ever talks to the public VPS, which hops onward over its own wg1 tunnel. fisi itself joins no makerspace network.

# Land on the VPS:
ssh -p 7576 sjat@makerfloss.eu

# From the VPS, reach wg1 peers on the makerfloss plane:
ssh -p 7576 sjat@10.13.0.2     # makerfloss1
ssh -p 7576 sjat@10.13.0.3     # mf04

Or, if/when the per-machine SSH DNAT from the VPN design is in place, jump straight through the VPS with a single hop (ports :7578/:7579 → testmachine :7576). Confirm these DNAT rules exist before relying on them.

ssh -J sjat@makerfloss.eu:7576 -p 7576 sjat@10.13.0.3   # fisi → VPS → mf04

This path does not require mamba to be present.

B3. ProxyJump via kuku → mamba (only when mamba is at the makerspace)

This is the chain the AnsibleBaobabV4 inventory already uses for mf04:

fisi → kuku (baobab WG hub) → mamba (WG peer 10.8.0.4, on the makerspace LAN) → mf04
ssh -o ProxyJump="kuku,sjat@10.8.0.4:7576" -p 7576 sjat@10.0.0.184   # mf04

In AnsibleBaobabV4/host_vars/mf04.yml: ansible_ssh_common_args: '-o ProxyJump="kuku,sjat@10.8.0.4:7576"'.

Constraint: only works while mamba is physically at the makerspace, online, and roaming on the baobab WG plane. Breaks the moment mamba leaves.

Choosing between B1/B2/B3

Need Use
Reach mf04/mamba over the overlay, mamba may be absent B1 (netbird, on-demand)
Reach makerfloss1 / mf04 / VPS-side services, max isolation, no tunnel on fisi B2 (VPS bastion)
mamba is at the makerspace and you want the existing Ansible path B3 (ProxyJump)
The switch mgmt plane (192.168.88.1) None of these directly — mgmt VLAN 99 is reachable only from ether8. Need a host on ether8 (mamba, or a testmachine patched in) to forward through. See switch runbook.

C. Isolation rule (important)

Keep the makerspace and the homelab apart. fisi must not hold a standing tunnel into the makerspace. Bring Netbird up only for the task, down immediately after. Prefer the VPS-bastion path (B2) when it suffices, since it puts no makerspace network on fisi at all. The concern is preventing any compromise at the makerspace from reaching fisi/the homelab.


D. Secrets & credentials (where they live — not stored here)

  • Ansible vault (baobab): ~/.ansible/vault-keys/prod.txt; secrets in AnsibleBaobabV4/group_vars/all/90-secrets.vault.yml (ansible-vault edit ... --vault-id prod@). WG/Netbird/service secrets are vault_* keys there.
  • Ansible vault (switch): identity makerfloss, ~/.ansible/vault-keys/makerfloss.txt; switch admin password in MakerFLOSS_Mikrotik/group_vars/mikrotik.vault.yml.
  • SSH: operator key ~/.ssh/id_ed25519; project-wide SSH port is 7576 (switch SSH is on :22, Forgejo git on :7577).

Never commit secrets to this repo.