Black Magic Lab · OAT Cheatsheet
Observatory · Automation · Reliability

Black Magic Lab Cheatsheet


Cheatsheets, calculators, architecture designer, regex builder, and a GUI wizard — all offline. Press ⌘K to fly anywhere.

Power-user shortcuts

  • / or ⌘K — universal search palette
  • g then o/a/k/c/f/t/d/w/r/b — jump to section (o=Obs, a=Auto, k=K8s, c=Cloud, f=Firewall, t=Tools, d=Designer, w=Wizard)
  • t — cycle theme · ? — full shortcut overlay
  • Star any snippet to bookmark it (saved locally only)

Ansible — agentless config & EDA in one

Ansible runs idempotent playbooks over SSH/WinRM (no agents), and Event-Driven Ansible (rulebooks) reacts to webhook/Kafka/AWX events to auto-remediate. Use it for VM config, Day-2 ops, and incident actions; pair it with Terraform (infra) and ArgoCD/Flux (K8s GitOps).

Calculators & Decoders

Twelve interactive utilities — all run locally in your browser.

IPv4 CIDR

IPv6 CIDR

/64  ← single LAN (default)
/56  ← 256 LANs (typical site)
/48  ← 65 536 LANs (enterprise)
fc00::/7  ULA (private)
fe80::/10 link-local
ff00::/8  multicast

CIDR Supernetting / Aggregation

Enter one IP or CIDR per line to group/aggregate them into the minimum set of non-overlapping subnets.

SLO / Error budget

Burn-rate alerting (MWMBR)

Google SRE Workbook §5 — multi-window multi-burn-rate.

Composite SLA & Error Budget

Calculate the overall availability and error budget for complex systems in series or parallel.

Availability table

JWT decoder

Base64

URL & Hex

Cron expression

Regex Builder — guided generator

Tester (live)

YAML

JSON

ID generator

Hash

Timestamp

Color converter

Architecture Designer

Two ways in: a guided wizard that builds a guaranteed-renderable diagram from a few choices, or the free editor for hand-tuning. Both pre-validate Mermaid before render.

Step 1 — What do you want to draw?

Step 2 — Pick a starting blueprint

Step 3 — Customize

Step 4 — Validate & render

Generated Mermaid

GUI Builder Wizard

Step-through planning for any new infra / software / automation project. Walks you through the priority order architects use, then outputs a tailored checklist + recommended diagram + commands.

Quick Reference

CIDR table, ports, availability matrix — at-a-glance.

CIDR / Subnet table (IPv4)

Well-known ports

Availability table

Private / reserved IP ranges

RFC1918 private:    10.0.0.0/8     172.16.0.0/12     192.168.0.0/16
RFC6598 CGNAT:      100.64.0.0/10
RFC3927 link-local: 169.254.0.0/16
Loopback:           127.0.0.0/8
Multicast:          224.0.0.0/4
Reserved:           240.0.0.0/4

IPv6 link-local:    fe80::/10
IPv6 ULA:           fc00::/7
IPv6 multicast:     ff00::/8
IPv6 loopback:      ::1/128
IPv6 global unicast 2000::/3

Cloud subnet reserved IPs

AWS VPC subnet:  5 reserved per subnet (.0 network, .1 router, .2 DNS, .3 future, .last broadcast)
                 Subnet sizes: /16 (largest) → /28 (smallest, 11 usable hosts)
Azure VNet:      5 reserved per subnet (.0 .1 .2 .3 .last)
                 Special subnets must be named: GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet
GCP VPC:         No 5-reserved rule. 4 reserved: network (.0), gateway (.1), second-to-last, broadcast (.last)
                 Subnets are regional. Primary + secondary IP ranges (alias IP).
K8s typical:     Pod CIDR  10.244.0.0/16  (262 142 IPs — sufficient for ~250 nodes × 256 pods)
                 Service CIDR 10.96.0.0/12 (1 048 574 IPs — typically /16 is fine: 10.96.0.0/16)

AI Assistant

Chat with any OpenAI-compatible LLM (Ollama, llama.cpp, vLLM, BML API). Ask about syntax, when/where to use a command, or to explain a snippet — answers are grounded in this cheatsheet via RAG.

Local engine: downloads a GGUF model into browser cache and runs it on-device — no network after first load. Works on Android & iOS.
Remote engine — CORS: for Ollama, start it with OLLAMA_ORIGINS="*" ollama serve (the wildcard lets any web origin call the API; set it to this page's origin instead where you can). For llama.cpp use --host 0.0.0.0 --port 8080, which listens on every interface. From phone: point the endpoint at your host's LAN IP (e.g. http://192.168.0.107:11434/v1).

Sidekick

Paste a DevOps config — Terraform, K8s, Prometheus alerts, CI/CD, OTel, Ansible, Docker Compose. Get an opinionated, severity-tagged review grounded in OAT standards.


Uses the same endpoint as AI Assistant. Grounded in OAT observability and automation standards.

My Account

Profile, quota, and password. Settings (model, engine, behavior) live in the admin panel.

Admin Queue

Review pending account requests, approve or deny, and copy a one-shot activation URL to send to the requester. Admin-only — gated by your JWT role.

This will create a user account in status pending and mint a one-shot activation token (valid 7 days). You'll receive a copyable URL to send to the requester.

The request will be marked denied. Please add a short reason — it's stored in the audit log.

Lab · Firewall Rules

Single canonical rule schema → instant codegen for GCP firewall, Cloudflare WAF, iptables, nftables, and Kubernetes NetworkPolicy. Includes a "would this allow X?" simulator with first-match-wins priority logic.

Edit rule

Simulator — would this flow be allowed?

First-match-wins by ascending priority (lower number = higher precedence, GCP-style). Implicit-deny if nothing matches.

Cheatsheet

  • GCP firewall rules — VPC-scoped; lower priority number wins; implicit-deny ingress + implicit-allow egress on default network. --rules=tcp:443 for ports.
  • Cloudflare — supports ingress only (CDN edge). Use Wireshark-style expressions; combine with cf.threat_score for adaptive blocking.
  • iptables — first match wins per chain. Always end INPUT/FORWARD with -j DROP (or set the chain policy to DROP) for default-deny.
  • nftables — modern replacement for iptables. Use sets for IP/port lists. nft list ruleset to dump all.
  • K8s NetworkPolicy — allowlist-only. To get default-deny, apply a NetworkPolicy that selects pods + lists policyTypes but has empty ingress/egress.
  • Priority order — this lab sorts ascending (GCP/Azure-style). On AWS Security Groups all rules are allow, so "first match wins" doesn't apply — every match permits.
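The simulator's first-match-wins evaluation (ascending priority, implicit deny when nothing matches) as an added example, not code from this lab; the Rule schema and sample rule set are hypothetical and constructed to mirror the GCP-style semantics described above:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    """One rule in a hypothetical canonical schema (modelled on the lab's)."""
    priority: int          # lower number = higher precedence
    action: str            # "allow" or "deny"
    direction: str         # "ingress" or "egress"
    src: str               # CIDR the packet's source must fall inside
    proto: str             # "tcp", "udp", "icmp" or "any"
    ports: tuple = ()      # inclusive (low, high) ranges; empty = any port

def matches(rule, direction, src_ip, proto, port):
    if rule.direction != direction:
        return False
    if ip_address(src_ip) not in ip_network(rule.src):
        return False
    if rule.proto not in ("any", proto):
        return False
    return not rule.ports or any(lo <= port <= hi for lo, hi in rule.ports)

def simulate(rules, direction, src_ip, proto, port):
    """First match by ascending priority decides; no match = implicit deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, direction, src_ip, proto, port):
            return rule.action, rule
    return "deny", None

# Constructed sample rule set: block one abusive host at priority 100, allow
# HTTPS from the office range at 1000, allow ICMP from anywhere at 2000.
RULES = [
    Rule(1000, "allow", "ingress", "203.0.113.0/24", "tcp", ((443, 443),)),
    Rule(100, "deny", "ingress", "203.0.113.7/32", "any"),
    Rule(2000, "allow", "ingress", "0.0.0.0/0", "icmp"),
]

def check(direction, src_ip, proto, port=0):
    """Return (verdict, priority of the deciding rule; None = implicit deny)."""
    verdict, rule = simulate(RULES, direction, src_ip, proto, port)
    return verdict, (rule.priority if rule else None)

if __name__ == "__main__":
    print(check("ingress", "203.0.113.10", "tcp", 443))  # ('allow', 1000)
    print(check("ingress", "203.0.113.7", "tcp", 443))   # ('deny', 100)
    print(check("ingress", "198.51.100.5", "tcp", 22))   # ('deny', None)
```

The 100-priority deny beats the broader 1000-priority allow even though it is listed second, which is exactly the ordering mistake the simulator exists to catch; on AWS Security Groups the same rule set would have no deny at all.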

Lab · Secret Rotation

Anatomy of a zero-downtime rotation with a planned overlap window. Walk the timeline phase-by-phase, then read the real GitHub Actions workflow that powers bml-lil-token rotation in this very project.

Rotator timeline

⏱ Overlap window — both tokens valid

.github/workflows/rotate-bml-lil-token.yml

Why the overlap window matters

  • No flapping — without overlap, in-flight requests presenting the old token would 401 the moment you flip. With 1h overlap, every long poller / cron / queue worker gets a graceful handoff.
  • WIF over SA keys — the workflow auths via Workload Identity Federation; no long-lived service-account JSON in CI secrets to rotate.
  • VM pulls, CI doesn't push — the API VM polls Secret Manager every 60s. CI never SSHes — fewer egress paths, simpler audit.
  • Probe before declaring success — T3 hits /health with the new token; if it doesn't go 200 within 5min, rollback fires.
  • Rollback is automatic — failure between T0–T3 demotes the new version back to -prev and opens a P1 issue with the rotation_id.
  • Audit by default — every step emits structured logs to Cloud Logging; the rotation_id ties workflow → secret version → API health-probe → revoke job.

Lab · Auth Flow

Run a real register → login → JWT → refresh-rotation → lockout flow against an isolated sandbox. Nothing here touches the real auth surface — your sandbox is wiped after 24h idle, or by the Reset button.

Your sandbox
Per-browser. Wiped 24h idle.

1. Register

First user in a sandbox becomes admin. Real systems would require a separate activation step.

2. Login

Edge cases — try them

JWT decoder (header.payload.signature)

Lab · API Tokens

Mint, list, revoke, and rotate-with-overlap bearer tokens. Same lifecycle pattern as the real bml-lil-token rotator workflow — without touching production secrets.

Mint a token

Rotation overlap

When you rotate a token, the old one keeps working for the overlap window so deploys and long-running jobs don't break mid-flight. Then it auto-expires.

Real prod default: 300s — long enough for the next CI run to pull, short enough that a leaked old token has limited reach.
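The rotate-with-overlap lifecycle described here and in the Secret Rotation lab above, as an added example that is not the project's rotator or lab code: a hypothetical token store that accepts the old token until the overlap deadline, auto-expires it, and can roll back while the window is still open. The token format and the injectable epoch-seconds clock are assumptions.

```python
import hashlib
import hmac
import secrets

OVERLAP_SECONDS = 300  # the page's stated production default

def _fingerprint(token):
    # Store only a SHA-256 of each token so a dump of the store leaks nothing usable.
    return hashlib.sha256(token.encode()).hexdigest()

class TokenStore:
    """Hypothetical rotate-with-overlap bearer-token store (not the project's code).

    `current` is the live token; `prev` holds the previous token and the moment
    it stops being accepted. Timestamps are plain epoch seconds so tests can
    inject the clock."""

    def __init__(self):
        self.current = None      # fingerprint of the live token
        self.prev = None         # (fingerprint, expires_at) during the overlap

    def mint(self):
        token = "bml_" + secrets.token_urlsafe(24)   # constructed token format
        self.current = _fingerprint(token)
        return token             # plaintext is handed out exactly once

    def rotate(self, now, overlap=OVERLAP_SECONDS):
        """Old token keeps working until now + overlap, then auto-expires."""
        self.prev = (self.current, now + overlap)
        return self.mint()

    def rollback(self, now):
        """Probe failed: demote the new token and promote the previous one again."""
        if self.prev is not None and now < self.prev[1]:
            self.current, self.prev = self.prev[0], None
            return True
        return False             # overlap already closed; previous token is gone

    def verify(self, token, now):
        """Return 'current', 'overlap' (old token inside the window) or None."""
        fp = _fingerprint(token)
        if self.current is not None and hmac.compare_digest(fp, self.current):
            return "current"
        if self.prev is not None and now < self.prev[1] \
                and hmac.compare_digest(fp, self.prev[0]):
            return "overlap"
        return None
```

Pass overlap=3600 to rotate() to model the Secret Rotation lab's 1h window; once the deadline passes, rollback() refuses because the previous token no longer exists to promote.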

Lab · API Auth Schemes

Send pre-built requests with different Authorization schemes — Basic, Bearer (opaque), Bearer (JWT), API key header, mTLS — to /lab/api/echo. The server detects the scheme, redacts the secret, and shows you exactly what arrived. Compare-and-contrast learning, with a static reference table.

Build a request

What the server saw

Auth schemes — when to use what

Bookmarks

Your starred snippets — saved locally in this browser.