Black Magic Lab · OAT Cheatsheet
⌘K
CREW ON HOLIDAY · LIL IS LOCAL
Observatory · Automation · Reliability

Black Magic Lab Cheatsheet

LIL-00 · LIBRARIAN
ON DUTY

Cheatsheets, calculators, architecture designer, regex builder, and a GUI wizard — all offline. Press ⌘K to fly anywhere.

⌘K
snippets
20architectures
12calculators
9themes

matches · filtered by

Browse by topic

Featured

Configuration management
Ansible — 16 deep snippets
Collections · ansible-lint · Molecule · EE · AWX/AAP · EDA rulebooks · Vault · real playbooks
Infrastructure as Code
Terraform 1.13 + OpenTofu
Modules, workspaces, state, Sentinel, drift detection, import blocks
Live diagram editor
Architecture Designer
20 reference templates · Mermaid + D2 · export PNG/SVG
New project? Start here
GUI Builder Wizard
Step-through: scope → infra → CI/CD → obs → security → docs. Outputs your runbook.
Linux + Windows + Cloud
Firewalls & Rules
UFW · iptables · nftables · firewalld · PowerShell NetSecurity · K8s NetworkPolicies
Production-grade
Docker & Kubernetes
BuildKit cache mounts · distroless · Cosign · NetworkPolicy · Helm · Operators · Istio Ambient

Power-user shortcuts

  • / or ⌘K — universal search palette
  • g then o/a/k/c/f/t/d/w/r/b — jump to section (o=Obs, a=Auto, k=K8s, c=Cloud, f=Firewall, t=Tools, d=Designer, w=Wizard)
  • t — cycle theme · ? — full shortcut overlay
  • Star any snippet to bookmark it (saved locally only)

Ansible — agentless config & EDA in one

Ansible runs idempotent playbooks over SSH/WinRM (no agents), plus Event-Driven Ansible (rulebooks) reacts to webhooks/Kafka/AWX events to auto-remediate. Use it for VM config, Day-2 ops, and incident actions; pair with Terraform (infra) and ArgoCD/Flux (K8s GitOps).

Jump to Ansible group → Official docs EDA rulebooks

Calculators & Decoders

Twelve interactive utilities — all run locally in your browser.

IPv4 CIDR

IPv6 CIDR

/64  ← single LAN (default)
/56  ← 256 LANs (typical site)
/48  ← 65 536 LANs (enterprise)
fc00::/7  ULA (private)
fe80::/10 link-local
ff00::/8  multicast

SLO / Error budget

Burn-rate alerting (MWMBR)

Google SRE Workbook §5 — multi-window multi-burn-rate.

Availability table

JWT decoder

Base64

URL & Hex

Cron expression

Regex Builder — guided generator

Tester (live)

YAML

JSON

ID generator

Hash

Timestamp

Color converter

Architecture Designer

Two ways in: a guided wizard that builds a guaranteed-renderable diagram from a few choices, or the free editor for hand-tuning. Both pre-validate Mermaid before render.

1 · Pick kind 2 · Pick blueprint 3 · Customize 4 · Validate & render

Step 1 — What do you want to draw?

Step 2 — Pick a starting blueprint

Step 3 — Customize

Step 4 — Validate & render

Generated Mermaid

Templates ()

GUI Builder Wizard

Step-through planning for any new infra / software / automation project. Walks you through the priority order architects use, then outputs a tailored checklist + recommended diagram + commands.

Quick Reference

CIDR table, ports, availability matrix — at-a-glance.

CIDR / Subnet table (IPv4)

Well-known ports

Availability table

Private / reserved IP ranges

RFC1918 private:    10.0.0.0/8     172.16.0.0/12     192.168.0.0/16
RFC6598 CGNAT:      100.64.0.0/10
RFC3927 link-local: 169.254.0.0/16
Loopback:           127.0.0.0/8
Multicast:          224.0.0.0/4
Reserved:           240.0.0.0/4

IPv6 link-local:    fe80::/10
IPv6 ULA:           fc00::/7
IPv6 multicast:     ff00::/8
IPv6 loopback:      ::1/128
IPv6 global unicast 2000::/3

Cloud subnet reserved IPs

AWS VPC subnet:  5 reserved per subnet (.0 network, .1 router, .2 DNS, .3 future, .last broadcast)
                 Subnet sizes: /16 (largest) → /28 (smallest, 11 usable hosts)
Azure VNet:      5 reserved per subnet (.0 .1 .2 .3 .last)
                 Special subnets must be named: GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet
GCP VPC:         No 5-reserved rule. 4 reserved: network (.0), gateway (.1), .2nd-to-last, broadcast (.last)
                 Subnets are regional. Primary + secondary IP ranges (alias IP).
K8s typical:     Pod CIDR  10.244.0.0/16  (262 142 IPs — sufficient for ~250 nodes × 256 pods)
                 Service CIDR 10.96.0.0/12 (1 048 574 IPs — typically /16 is fine: 10.96.0.0/16)

AI Assistant

Chat with any OpenAI-compatible LLM (Ollama, llama.cpp, vLLM, BML API). Ask about syntax, when/where to use a command, or to explain a snippet — answers are grounded in this cheatsheet via RAG.

not loaded 🛡 ADMIN · unlimited 🔑 AUTH · unlimited
/ requests left today
Local engine: downloads a GGUF model into browser cache and runs it on-device — no network after first load. Works on Android & iOS.
Remote engine — CORS: for Ollama, start it with OLLAMA_ORIGINS="*" ollama serve. For llama.cpp use --host 0.0.0.0 --port 8080. From phone: point endpoint at your host's LAN IP (e.g. http://192.168.0.107:11434/v1).
Enter send · Shift+Enter newline · grounded with top- snippets · guest tier · transcript not saved · 🪶 conversations help us improve · · collection off ·

My Account

Profile, quota, and password. Settings (model, engine, behavior) live in the admin panel.

Admin Queue

Review pending account requests, approve or deny, and copy a one-shot activation URL to send to the requester. Admin-only — gated by your JWT role.

·

This will create a user account in status pending and mint a one-shot activation token (valid 7 days). You'll receive a copy-able URL to send to the requester.

The request will be marked denied. Please add a short reason — it's stored in the audit log.

Decision recorded

·

Lab · Firewall Rules

Single canonical rule schema → instant codegen for GCP firewall, Cloudflare WAF, iptables, nftables, and Kubernetes NetworkPolicy. Includes a "would this allow X?" simulator with first-match-wins priority logic.

Preset:
rules

Edit rule

Simulator — would this flow be allowed?

First-match-wins by ascending priority (lower number = higher precedence, GCP-style). Implicit-deny if nothing matches.

Cheatsheet

  • GCP firewall rules — VPC-scoped; lower priority number wins; implicit-deny ingress + implicit-allow egress on default network. --rules=tcp:443 for ports.
  • Cloudflare — supports ingress only (CDN edge). Use Wireshark-style expressions; combine with cf.threat_score for adaptive blocking.
  • iptables — first match wins per chain. Always end INPUT/FORWARD with -j DROP for default-deny.
  • nftables — modern replacement for iptables. Use sets for IP/port lists. nft list ruleset to dump all.
  • K8s NetworkPolicy — allowlist-only. To get default-deny, apply a NetworkPolicy that selects pods + lists policyTypes but has empty ingress/egress.
  • Priority order — this lab sorts ascending (GCP/Azure-style). On AWS Security Groups all rules are allow, so "first match wins" doesn't apply — every match permits.

Lab · Secret Rotation

Anatomy of a zero-downtime rotation with a planned overlap window. Walk the timeline phase-by-phase, then read the real GitHub Actions workflow that powers bml-lil-token rotation in this very project.

Rotator timeline

⏱ Overlap window — both tokens valid

.github/workflows/rotate-bml-lil-token.yml

Why the overlap window matters

  • No flapping — without overlap, in-flight requests presenting the old token would 401 the moment you flip. With 1h overlap, every long poller / cron / queue worker gets a graceful handoff.
  • WIF over SA keys — the workflow auths via Workload Identity Federation; no long-lived service-account JSON in CI secrets to rotate.
  • VM pulls, CI doesn't push — the API VM polls Secret Manager every 60s. CI never SSHes — fewer egress paths, simpler audit.
  • Probe before declaring success — T3 hits /health with the new token; if it doesn't go 200 within 5min, rollback fires.
  • Rollback is automatic — failure between T0–T3 demotes the new version back to -prev and opens a P1 issue with the rotation_id.
  • Audit by default — every step emits structured logs to Cloud Logging; the rotation_id ties workflow → secret version → API health-probe → revoke job.

Lab · Auth Flow

Run a real register → login → JWT → refresh-rotation → lockout flow against an isolated sandbox. Nothing here touches the real auth surface — your sandbox is wiped after 24h idle, or by the Reset button.

Your sandbox
Per-browser. Wiped 24h idle.

1. Register

First user in a sandbox becomes admin. Real systems would require a separate activation step.

2. Login

Edge cases — try them

JWT decoder (header.payload.signature)

Last lab response


        

      


      
      

        

          
 Lab · API Tokens

          
Mint, list, revoke, and rotate-with-overlap bearer tokens. Same lifecycle pattern as the real bml-lil-token rotator workflow — without touching production secrets.

        


        

        

          
          

            
 Mint a token

            
            
            
            
            
            
            
          


          
          

            
 Rotation overlap

            
When you rotate a token, the old one keeps working for the overlap window so deploys and long-running jobs don't break mid-flight. Then it auto-expires.

            
            
            
Real prod default: 300s — long enough for the next CI run to pull, short enough that a leaked old token has limited reach.

          

        


        
        

        
        

          
 Your tokens ()

          
          
        

      


      
      

        

          
 Lab · API Auth Schemes

          
Send pre-built requests with different Authorization schemes — Basic, Bearer (opaque), Bearer (JWT), API key header, mTLS — to /lab/api/echo. The server detects the scheme, redacts the secret, and shows you exactly what arrived. Compare-and-contrast learning, with a static reference table.

        


        

          
          

            
 Build a request

            
            
            

            
            

            
            

            

              
              
            

          


          
          

            
 What the server saw

            
            
          

        


        
        

          
 Auth schemes — when to use what

          
          
        

      


      
      

        

          

            
 Bookmarks

            
Your starred snippets — saved locally in this browser.

          

          
          
        

      


    

  


  
  

  
  

  
  

    
  


  
  

    

      
Keyboard shortcuts

      

        
Navigation

        
Open command paletteK · /

        
Homegh

        
Observabilitygo

        
Automationga

        
Docker / K8sgk

        
Cloud / Net / SREgc

        
Calculatorsgt

        
Designergd

        
Referencegr

        
Bookmarksgb

        
UI

        
Theme menut

        
This dialog?

        
Close any modalEsc