labitat-ansible/documentation, branch new_prefixes Unnamed repository; edit this file 'description' to name the repository. documentation: addressplan: update to new prefixes 2025-06-04T16:44:30+00:00 Asbjørn Sloth Tønnesen asbjorn@labitat.dk 2025-06-04T16:39:35+00:00 2472ac056d87a657f3a3c7095c14a533d1b9b73e Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> 
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
space_server: networkd: add new secondary Labicolo network 2024-02-22T20:05:10+00:00 Asbjørn Sloth Tønnesen asbjorn@labitat.dk 2024-02-21T23:11:19+00:00 851a1ddc003fd023ae7e3d515732f21f40969de8 This completes the split of Labicolo into two networks. Henceforth we have two Labicolo network, and any two Labicolo nodes on different parts of the network will have to join LabIX, if they want to peer. Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> 
This completes the split of Labicolo into two networks.

Henceforth we have two Labicolo network, and any two
Labicolo nodes on different parts of the network will
have to join LabIX, if they want to peer.

Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
space_server: networkd: reduce Labicolo to a /27 2024-02-22T20:05:10+00:00 Asbjørn Sloth Tønnesen asbjorn@labitat.dk 2024-02-21T23:11:18+00:00 1840d35e8cb5e5d0b9f91ce9660f056e1c6d4f87 I want to split Labicolo up in two networks, since it is a bit silly that we have a internet exchange prefix allocation, when all members of the IX are already connected to the same layer 2 network, when they all have transit through the same network. Therefore by splitting Labicolo into 2 networks, we ensure that there is a need for the internet exchange, since not all nodes are able to talk directly to eachother over the transit layer 2 network. Since it would be a bit excessive to allocate another /26 to Labicolo, thereby using half of our IPv4 space for Labicolo. This patch reduces the the current Labicolo network to a /27 network, a subsequent patch will then add a second Labicolo network with the other /27 network. The only issue here is that Labicolo machines, which haven't been updated to have a /27 netmask, will not be able to reach endpoints in 185.38.175.96/27, before they fix their netmask. Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> 
I want to split Labicolo up in two networks, since
it is a bit silly that we have a internet exchange
prefix allocation, when all members of the IX are
already connected to the same layer 2 network, when
they all have transit through the same network.

Therefore by splitting Labicolo into 2 networks,
we ensure that there is a need for the internet
exchange, since not all nodes are able to talk
directly to eachother over the transit layer 2
network.

Since it would be a bit excessive to allocate another
/26 to Labicolo, thereby using half of our IPv4 space
for Labicolo.

This patch reduces the the current Labicolo network to
a /27 network, a subsequent patch will then add a
second Labicolo network with the other /27 network.

The only issue here is that Labicolo machines, which
haven't been updated to have a /27 netmask, will not
be able to reach endpoints in 185.38.175.96/27, before
they fix their netmask.

Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
space_server: networkd: move Tor network to vlan 25 2024-02-22T20:05:10+00:00 Asbjørn Sloth Tønnesen asbjorn@labitat.dk 2024-02-21T23:11:17+00:00 ef8874abf3144238bb5c822dde430c9b014893e4 Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> 
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
documentation: vlans: add vlan list 2024-02-22T20:05:10+00:00 Asbjørn Sloth Tønnesen asbjorn@labitat.dk 2024-02-21T23:11:16+00:00 b21d2a650cba4d3d4397e33e567de5887a33b9cd Document which VLAN id's are used for what in the space. Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> 
Document which VLAN id's are used for what in the space.

Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
documentation: addressplan: don't document Labicolo nodes here 2024-02-22T20:05:10+00:00 Asbjørn Sloth Tønnesen asbjorn@labitat.dk 2024-02-21T23:11:15+00:00 11d3d8162659d30af369360b60d34fec2c8b8c1d These nodes should be documented in the wiki: https://labitat.dk/wiki/Labicolo Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> 
These nodes should be documented in the wiki:
  https://labitat.dk/wiki/Labicolo

Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
documentation: Add blackbox.labitat.dk to addressplan 2022-12-02T21:01:33+00:00 Allover allover@systemli.org 2022-11-26T16:47:54+00:00 3b94ac4a0af43ecbc0e882575afbf7be97c797e6 






space_server: add dedicated VLAN for Tor exit nodes
2021-09-14T19:55:35+00:00

Asbjørn Sloth Tønnesen
asbjorn@labitat.dk

2021-09-06T18:13:20+00:00

bbadfe484a834980ef82049f9a3e26f2710625a4

Move the Tor exit nodes to their own VLAN, and
their own address space.

Background for move
-------------------

For the first Tor exit node, we where able to
create inet6num object 2a01:4262:1ab:20::71/128.
So we could assign a specific Tor abuse contact.

When we added the second node it was no longer
possible to create /128 inet6num objects, but
only up to /64. We therefore need to move our
Tor exit nodes to a dedicated address space.

Connection tracking
-------------------

Connection tracking is quite expensive, so
it's better to only do it for Tor traffic,
when we actually need it, which is only when
internal clients need to access the servers.

In the future conntrack could also be disabled
for labicolo in general.

Current stats
~~~~~~~~~~~~~

[root@space ~]# grep -v '185\.38\.175\.7[12] ' /proc/net/nf_conntrack |
	grep -v '2a01:4262:01ab:0020:0000:0000:0000:007[12]' | wc -l
4071

[root@space ~]# wc -l /proc/net/nf_conntrack
39138 /proc/net/nf_conntrack

Currently 4071 out of 39138 connections are not Tor related.

Also reading /proc/net/nf_conntrack is quite slow atm.:

[root@space ~]# time cat /proc/net/nf_conntrack > /dev/null

real    0m35.097s
user    0m0.010s
sys     0m28.114s

Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>





Move the Tor exit nodes to their own VLAN, and
their own address space.

Background for move
-------------------

For the first Tor exit node, we where able to
create inet6num object 2a01:4262:1ab:20::71/128.
So we could assign a specific Tor abuse contact.

When we added the second node it was no longer
possible to create /128 inet6num objects, but
only up to /64. We therefore need to move our
Tor exit nodes to a dedicated address space.

Connection tracking
-------------------

Connection tracking is quite expensive, so
it's better to only do it for Tor traffic,
when we actually need it, which is only when
internal clients need to access the servers.

In the future conntrack could also be disabled
for labicolo in general.

Current stats
~~~~~~~~~~~~~

[root@space ~]# grep -v '185\.38\.175\.7[12] ' /proc/net/nf_conntrack |
	grep -v '2a01:4262:01ab:0020:0000:0000:0000:007[12]' | wc -l
4071

[root@space ~]# wc -l /proc/net/nf_conntrack
39138 /proc/net/nf_conntrack

Currently 4071 out of 39138 connections are not Tor related.

Also reading /proc/net/nf_conntrack is quite slow atm.:

[root@space ~]# time cat /proc/net/nf_conntrack > /dev/null

real    0m35.097s
user    0m0.010s
sys     0m28.114s

Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>







space_server: add labicolo ipv6 range for Esmil
2020-08-13T15:39:06+00:00

Emil Renner Berthing
esmil@labitat.dk

2020-08-13T15:36:33+00:00

a5ccc4b5ee50f5fd1efeb967579fa975f769428d












documentation: update addressplan.txt to match wiki
2020-03-11T06:13:06+00:00

Jesper Hess Nielsen
jesper@graffen.dk

2020-03-11T06:01:38+00:00

b0a2abadbfe406e38d40f557c1339cbd41b0203b