MakerFLOSS_Troubleshooting/access.md
sjat 9ff12700ae Initial troubleshooting workspace: access, network map, runbooks
Scaffold for troubleshooting MakerFLOSS hosts at the makerspace.
Reference + thin runbooks model — authoritative data stays in the
source repos (AnsibleBaobabV4, MakerFLOSS_Mikrotik, MakerFLOSS).

- access.md: reach paths for mamba-on-LAN and fisi-tunneling-in
  (netbird on-demand, VPS bastion, ProxyJump via kuku->mamba),
  with the isolation rule.
- network-map.md: subnet pointers + open question on makerspace
  addressing (10.2.30/172.17.3/10.0.0).
- runbooks/switch-crs310.md: CRS310 connectivity + lockout recovery.
- incidents/: dated log scaffold.
- CLAUDE.md: operating rules for this repo.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 13:24:26 +02:00

6.6 KiB
Raw Blame History

Access — reaching MakerFLOSS / makerspace hosts

How to get a shell on the hosts we troubleshoot, from each place you might be working. Read the section that matches your situation.

There are two actors:

  • You (sjat) — at the makerspace with mamba (laptop), or elsewhere.
  • Claude — lives on fisi (homelab) and must tunnel in to help at the makerspace.

The hosts and where they live

Host Address SSH Where it sits Notes
makerfloss VPS 88.99.32.236 / makerfloss.eu :7576 Public (Hetzner) Public entrypoint + bastion. Forgejo on :7577. WG wg1 hub 10.13.0.1. Netbird control plane nb.makerfloss.eu.
makerfloss1 172.17.3.51 :7576 Makerspace LAN Local Docker/dev host. wg1 peer 10.13.0.2 (full-tunnel).
mf04 10.0.0.184 :7576 Makerspace LAN Testmachine. wg1 peer 10.13.0.3 (split-tunnel). Netbird peer.
crs310-maker (switch) mgmt 192.168.88.1 :22 Makerspace, port ether8 only Mgmt VLAN 99, isolated. Data VLAN 30 = 10.2.30.0/24. See runbooks/switch-crs310.md.
fisi (home) 10.20.10.17 :7576 Homelab Where Claude runs. Behind OPNsense; baobab WG hub is kuku (10.8.0.1, UDP 51194).
mamba (laptop) LAN-dependent :7576 Roams Baobab WG peer 10.8.0.4; makerfloss wg1 roaming peer 10.13.0.5; Netbird peer.

The makerspace addressing is not fully pinned — see the open question in network-map.md. Confirm the host's current IP before relying on the table.


A. You're at the makerspace with mamba (on the LAN)

Easiest case — mamba is directly on the makerspace network.

  • The switch (mgmt): plug mamba into ether8 (mgmt VLAN 99). You get a DHCP lease in 192.168.88.10254; switch is 192.168.88.1 (SSH, and web UI http://192.168.88.1). A pinned NetworkManager profile crs310-bench / static 192.168.88.2 is documented in the Mikrotik repo for this.
  • The switch (data ports ether27): you land on data VLAN 30 (10.2.30.0/24, gateway .1) — normal user network, no switch mgmt here.
  • makerfloss1 / mf04: SSH directly to their LAN IPs (172.17.3.51, 10.0.0.184) on :7576.

For Ansible against the switch from mamba, run from the MakerFLOSS_Mikrotik repo with mamba on ether8.


B. Claude tunneling in from fisi (no laptop at the makerspace)

fisi has no direct route to the makerspace LAN. Pick one path. Ordered by preference given the isolation requirement (keep makerspace and homelab apart — see the rule box below).

B1. Netbird overlay — on-demand only (primary)

fisi is to be enrolled as a peer on the self-hosted Netbird control plane (nb.makerfloss.eu), but the tunnel is brought up only when needed and torn down after. This reaches other Netbird peers (mf04, mamba) on the 100.92.0.0/16 overlay.

One-time enrollment (needs a setup key from the nb.makerfloss.eu dashboard):

# install netbird (Debian) — see netbirdio docs / baobab.netbird_client role
netbird up --setup-key <KEY> --management-url https://nb.makerfloss.eu
netbird status        # confirm peers Connected

Per-session use:

netbird up            # bring the overlay up for this session
# ... do the work, ssh to peer's 100.x address ...
netbird down          # TEAR DOWN when done — do not leave it up

Why on-demand: sjat's explicit constraint — nothing from the makerspace should be able to bleed into fisi/the homelab. Netbird stays down by default on fisi; it is not a standing tunnel.

B2. Via the makerfloss VPS bastion (no tunnel on fisi)

The cleanest isolation-preserving path: fisi only ever talks to the public VPS, which hops onward over its own wg1 tunnel. fisi itself joins no makerspace network.

# Land on the VPS:
ssh -p 7576 sjat@makerfloss.eu

# From the VPS, reach wg1 peers on the makerfloss plane:
ssh -p 7576 sjat@10.13.0.2     # makerfloss1
ssh -p 7576 sjat@10.13.0.3     # mf04

Or, if/when the per-machine SSH DNAT from the VPN design is in place, jump straight through the VPS with a single hop (ports :7578/:7579 → testmachine :7576). Confirm these DNAT rules exist before relying on them.

ssh -J sjat@makerfloss.eu:7576 -p 7576 sjat@10.13.0.3   # fisi → VPS → mf04

This path does not require mamba to be present.

B3. ProxyJump via kuku → mamba (only when mamba is at the makerspace)

This is the chain the AnsibleBaobabV4 inventory already uses for mf04:

fisi → kuku (baobab WG hub) → mamba (WG peer 10.8.0.4, on the makerspace LAN) → mf04
ssh -o ProxyJump="kuku,sjat@10.8.0.4:7576" -p 7576 sjat@10.0.0.184   # mf04

In AnsibleBaobabV4/host_vars/mf04.yml: ansible_ssh_common_args: '-o ProxyJump="kuku,sjat@10.8.0.4:7576"'.

Constraint: only works while mamba is physically at the makerspace, online, and roaming on the baobab WG plane. Breaks the moment mamba leaves.

Choosing between B1/B2/B3

Need Use
Reach mf04/mamba over the overlay, mamba may be absent B1 (netbird, on-demand)
Reach makerfloss1 / mf04 / VPS-side services, max isolation, no tunnel on fisi B2 (VPS bastion)
mamba is at the makerspace and you want the existing Ansible path B3 (ProxyJump)
The switch mgmt plane (192.168.88.1) None of these directly — mgmt VLAN 99 is reachable only from ether8. Need a host on ether8 (mamba, or a testmachine patched in) to forward through. See switch runbook.

C. Isolation rule (important)

Keep the makerspace and the homelab apart. fisi must not hold a standing tunnel into the makerspace. Bring Netbird up only for the task, down immediately after. Prefer the VPS-bastion path (B2) when it suffices, since it puts no makerspace network on fisi at all. The concern is preventing any compromise at the makerspace from reaching fisi/the homelab.


D. Secrets & credentials (where they live — not stored here)

  • Ansible vault (baobab): ~/.ansible/vault-keys/prod.txt; secrets in AnsibleBaobabV4/group_vars/all/90-secrets.vault.yml (ansible-vault edit ... --vault-id prod@). WG/Netbird/service secrets are vault_* keys there.
  • Ansible vault (switch): identity makerfloss, ~/.ansible/vault-keys/makerfloss.txt; switch admin password in MakerFLOSS_Mikrotik/group_vars/mikrotik.vault.yml.
  • SSH: operator key ~/.ssh/id_ed25519; project-wide SSH port is 7576 (switch SSH is on :22, Forgejo git on :7577).

Never commit secrets to this repo.