MakerFLOSS_Troubleshooting/access.md
sjat ade2dafee7 access: fisi enrolled in netbird (on-demand), record overlay facts
- fisi peer 100.99.61.26, service kept stopped+disabled
- documented on-demand bring-up/tear-down (no key needed; cached enrollment)
- overlay is 100.99.0.0/16; mf04 = 100.99.133.190
- note on policy 0/0-peers gotcha + re-enroll-with-key fallback

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 13:39:34 +02:00

160 lines
7 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Access — reaching MakerFLOSS / makerspace hosts
How to get a shell on the hosts we troubleshoot, from each place you might be
working. **Read the section that matches your situation.**
There are two actors:
- **You (sjat)** — at the makerspace with **mamba** (laptop), or elsewhere.
- **Claude** — lives on **fisi** (homelab) and must *tunnel in* to help at the
makerspace.
---
## The hosts and where they live
| Host | Address | SSH | Where it sits | Notes |
|------|---------|-----|---------------|-------|
| **makerfloss VPS** | `88.99.32.236` / `makerfloss.eu` | `:7576` | Public (Hetzner) | Public entrypoint + bastion. Forgejo on `:7577`. WG `wg1` hub `10.13.0.1`. Netbird control plane `nb.makerfloss.eu`. |
| **makerfloss1** | `172.17.3.51` | `:7576` | Makerspace LAN | Local Docker/dev host. `wg1` peer `10.13.0.2` (full-tunnel). |
| **mf04** | `10.0.0.184` | `:7576` | Makerspace LAN | Testmachine. `wg1` peer `10.13.0.3` (split-tunnel). Netbird peer. |
| **crs310-maker** (switch) | mgmt `192.168.88.1` | `:22` | Makerspace, port `ether8` only | Mgmt VLAN 99, isolated. Data VLAN 30 = `10.2.30.0/24`. See [runbooks/switch-crs310.md](runbooks/switch-crs310.md). |
| **fisi** (home) | `10.20.10.17` | `:7576` | Homelab | Where Claude runs. Behind OPNsense; baobab WG hub is **kuku** (`10.8.0.1`, UDP 51194). |
| **mamba** (laptop) | LAN-dependent | `:7576` | Roams | Baobab WG peer `10.8.0.4`; makerfloss `wg1` roaming peer `10.13.0.5`; Netbird peer. |
> The makerspace addressing is **not fully pinned** — see the open question in
> [network-map.md](network-map.md). Confirm the host's current IP before relying
> on the table.
---
## A. You're at the makerspace with mamba (on the LAN)
Easiest case — mamba is directly on the makerspace network.
- **The switch (mgmt):** plug mamba into **`ether8`** (mgmt VLAN 99). You get a
DHCP lease in `192.168.88.10254`; switch is `192.168.88.1` (SSH, and web UI
`http://192.168.88.1`). A pinned NetworkManager profile `crs310-bench` /
static `192.168.88.2` is documented in the Mikrotik repo for this.
- **The switch (data ports `ether27`):** you land on data VLAN 30
(`10.2.30.0/24`, gateway `.1`) — normal user network, *no* switch mgmt here.
- **makerfloss1 / mf04:** SSH directly to their LAN IPs (`172.17.3.51`,
`10.0.0.184`) on `:7576`.
For Ansible against the switch from mamba, run from the `MakerFLOSS_Mikrotik`
repo with mamba on `ether8`.
---
## B. Claude tunneling in from fisi (no laptop at the makerspace)
fisi has **no direct route** to the makerspace LAN. Pick one path. Ordered by
preference given the **isolation requirement** (keep makerspace and homelab
apart — see the rule box below).
### B1. Netbird overlay — *on-demand only* (primary)
**fisi is enrolled** (2026-06-09) as peer `fisi-61-26.netbird.selfhosted` =
`100.99.61.26` on the self-hosted control plane `nb.makerfloss.eu`. The overlay
is the `100.99.0.0/16` net; mf04 is `100.99.133.190`. The Netbird service on
fisi is kept **stopped + disabled** — no standing tunnel.
Per-session use (no setup key needed — enrollment is cached):
```bash
sudo systemctl start netbird # service is disabled by default
sudo netbird up # reconnect to the overlay
sudo netbird status # confirm Management/Signal Connected, peers up
ssh -p 7576 sjat@100.99.133.190 # e.g. mf04 directly over the overlay
# TEAR DOWN when done — leave nothing standing:
sudo netbird down
sudo systemctl stop netbird
```
If a peer shows but you can't reach it (`Peers count: 0/0` / 0 connected), the
**Netbird access policy** isn't linking fisi's group to that peer's group —
fix in the `nb.makerfloss.eu` dashboard (default policy is "all peers reach
all"). Re-enrollment (lost config) needs a fresh setup key from the dashboard:
`sudo netbird up --setup-key <KEY> --management-url https://nb.makerfloss.eu`.
> **Why on-demand:** sjat's explicit constraint — nothing from the makerspace
> should be able to bleed into fisi/the homelab. Netbird stays **stopped +
> disabled** on fisi; it is not a standing tunnel. See §C.
### B2. Via the makerfloss VPS bastion (no tunnel on fisi)
The cleanest isolation-preserving path: fisi only ever talks to the **public
VPS**, which hops onward over its own `wg1` tunnel. fisi itself joins no
makerspace network.
```bash
# Land on the VPS:
ssh -p 7576 sjat@makerfloss.eu
# From the VPS, reach wg1 peers on the makerfloss plane:
ssh -p 7576 sjat@10.13.0.2 # makerfloss1
ssh -p 7576 sjat@10.13.0.3 # mf04
```
Or, if/when the per-machine SSH DNAT from the VPN design is in place, jump
straight through the VPS with a single hop (ports `:7578`/`:7579` → testmachine
`:7576`). Confirm these DNAT rules exist before relying on them.
```bash
ssh -J sjat@makerfloss.eu:7576 -p 7576 sjat@10.13.0.3 # fisi → VPS → mf04
```
This path does **not** require mamba to be present.
### B3. ProxyJump via kuku → mamba (only when mamba is at the makerspace)
This is the chain the `AnsibleBaobabV4` inventory already uses for `mf04`:
```
fisi → kuku (baobab WG hub) → mamba (WG peer 10.8.0.4, on the makerspace LAN) → mf04
```
```bash
ssh -o ProxyJump="kuku,sjat@10.8.0.4:7576" -p 7576 sjat@10.0.0.184 # mf04
```
In `AnsibleBaobabV4/host_vars/mf04.yml`:
`ansible_ssh_common_args: '-o ProxyJump="kuku,sjat@10.8.0.4:7576"'`.
**Constraint:** only works while mamba is physically at the makerspace, online,
and roaming on the baobab WG plane. Breaks the moment mamba leaves.
### Choosing between B1/B2/B3
| Need | Use |
|------|-----|
| Reach mf04/mamba over the overlay, mamba may be absent | **B1** (netbird, on-demand) |
| Reach makerfloss1 / mf04 / VPS-side services, max isolation, no tunnel on fisi | **B2** (VPS bastion) |
| mamba is at the makerspace and you want the existing Ansible path | **B3** (ProxyJump) |
| The **switch** mgmt plane (`192.168.88.1`) | None of these directly — mgmt VLAN 99 is reachable only from `ether8`. Need a host *on* `ether8` (mamba, or a testmachine patched in) to forward through. See switch runbook. |
---
## C. Isolation rule (important)
> **Keep the makerspace and the homelab apart.** fisi must not hold a standing
> tunnel into the makerspace. Bring Netbird **up only for the task, down
> immediately after**. Prefer the VPS-bastion path (B2) when it suffices, since
> it puts no makerspace network on fisi at all. The concern is preventing any
> compromise at the makerspace from reaching fisi/the homelab.
---
## D. Secrets & credentials (where they live — not stored here)
- **Ansible vault (baobab):** `~/.ansible/vault-keys/prod.txt`; secrets in
`AnsibleBaobabV4/group_vars/all/90-secrets.vault.yml`
(`ansible-vault edit ... --vault-id prod@`). WG/Netbird/service secrets are
`vault_*` keys there.
- **Ansible vault (switch):** identity `makerfloss`,
`~/.ansible/vault-keys/makerfloss.txt`; switch admin password in
`MakerFLOSS_Mikrotik/group_vars/mikrotik.vault.yml`.
- **SSH:** operator key `~/.ssh/id_ed25519`; project-wide SSH port is **7576**
(switch SSH is on `:22`, Forgejo git on `:7577`).
Never commit secrets to this repo.