UISP Migration to uisp.berlin.freifunk.net #132

Open
4 tasks
Noki opened this issue Dec 7, 2024 · 5 comments

@Noki
Member

Noki commented Dec 7, 2024

With the rollout of babel routing and bgpdisco we changed the host suffix from .olsr to .ff. Due to the change, devices can no longer reach the host and need to be migrated to another host. In order to make the uisp host a stable endpoint we should migrate it to uisp.berlin.freifunk.net.

  • Add DNS entries to resolve uisp.berlin.freifunk.net to the correct IP addresses (@nicolasberens)
    • Use IPv4 & IPv6 addresses reachable from the Internet so we can have a proper SSL certificate
  • Set up migration in UISP to the new host (@Noki)
  • Add a static hostname entry for uisp.olsr so devices can reconnect and the migration can take place (@Noki)

@nicolasberens
Contributor

77.87.50.24
2001:bf7:b301::24

DNS might take a bit

please make sure only services that are necessary are accessible from the outside

@pktpls
Contributor

pktpls commented Dec 16, 2024

UISP is now part of our public attack surface - would be good to remove at least the gateway locations from it, if they're in there

Actually pretty urgent to make sure it's reasonably locked down, we can expect that it'll soon begin to be scanned.

@pktpls
Contributor

pktpls commented Dec 17, 2024

Or maybe we can set it up so it's only accessible from within the mesh

@FFHener
Contributor

FFHener commented Dec 17, 2024

> Or maybe we can set it up so it's only accessible from within the mesh

I think this could be a good middle ground, but I would like to hear more opinions, especially from @Noki

I'm OK with the tradeoff of needing to tunnel into the mesh to be able to reach uisp remotely

@Noki
Member Author

Noki commented Dec 17, 2024

Restricting it sounds like the way to go. The idea behind the public IP and the subdomain is that those are more stable than our internal IPs / hostnames and could also be secured, but we do not really access from outside our network as everybody knows to use a jump host anyway. However, it would be nice to find a way to have a valid Let's Encrypt certificate that could also renew.
