Network Lab Server (netlab)

Deploys a network lab server with ContainerLab for network simulation and testing.

Quick Start

curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branch/main/netlab/install.sh | bash

Components

ContainerLab: Network topology emulation (Nokia SR Linux, Arista cEOS, etc.)
Docker: Container runtime (installed by ContainerLab setup)
Tailscale: Private network access (full access via tailnet)
UFW: Firewall (only custom SSH port exposed publicly)
fail2ban + unattended-upgrades: Basic hardening

Environment Variables

Variable	Default	Description
`NETLAB_HOSTNAME`	`netlab`	Server hostname
`SSH_PORT`	`15222`	Public SSH port
`TZ`	`Europe/Paris`	Timezone

Example:

NETLAB_HOSTNAME=clab01 SSH_PORT=22222 curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branch/main/netlab/install.sh | bash

Network Access

Service	Public	Tailscale
SSH	✅ Port 15222 (configurable)	✅ Port 22 + Tailscale SSH
All other services	❌	✅

What it does

Sets hostname
Installs base packages (vim, fail2ban, unattended-upgrades, at)
Installs and connects Tailscale
Configures sysctl for networking and containerlab
Installs ContainerLab + Docker (via official setup script)
Configures SSH on custom port
Configures UFW (custom SSH port public, everything else via Tailscale)
Temporarily opens SSH port 22 for 5 minutes (safety net)

SSH Safety Net

During installation, SSH port 22 is temporarily opened for 5 minutes to prevent lockout if you're connected via public IP on the default port. After 5 minutes, it will be automatically closed. You can then use either the custom SSH port or Tailscale SSH.

# List scheduled jobs
sudo atq

# Cancel the scheduled SSH closure (replace N with job number)
sudo atrm N

# Manually close SSH port 22 if needed
sudo ufw delete allow 22/tcp

Post-install

# Log out/in or run this to use docker without sudo
newgrp docker

# Verify installation
containerlab version
docker ps

# Deploy a lab
containerlab deploy -t mylab.clab.yml

README.md