EXTENSIONS
User-built models, drivers, vaults, and reports — the parts that plug into swamp.
Filter by what you need and pull what fits.
Azure
Azure infrastructure management via az CLI — 32 model types covering compute, networking, data, security, RBAC, Azure Policy, Defender for Cloud, Entra directory, monitoring, DNS, DevOps, subscription-wide topology with Mermaid diagrams and cost estimation, and the Azure AI Vision Face REST API for identity-aware room services.
Cml
Cisco Modeling Labs (CML) controller automation — sync lab/node/link inventory, import topologies, and manage lab lifecycle via the CML REST API.
Incontrol
Peplink InControl 2 cloud management for swamp — organization/device inventory (including offline devices), full Starlink dish telemetry (obstruction + physical alignment with computed aim-offset), GPS location, connected clients, bandwidth-usage history, and raw API passthrough. OAuth2 client-credentials auth against api.ic.peplink.com.
Cisco Ios Switch
Manage a Cisco IOS switch (e.g. Catalyst 2960) over SSH after console bootstrap — capture running-config and device facts, run verification commands, and push idempotent baselines: secure-access hardening, SNMPv2c, and Layer-3/VLAN/access-port config. Shells out to OpenSSH; vault-resolved credentials; live reachability pre-flight check.
Netgear M4250
Manage a NETGEAR M4250 (AV Line) managed switch over its SSH CLI — capture running-config and device facts, run verification show-commands (VLANs, ports, PoE, MAC table, LLDP, IGMP snooping), apply IGMP-querier and multicast-containment config, and force/restore a port's speed-duplex. Prompt-paced I/O for the M4250's interactive shell, vault-resolved credentials, shells out to OpenSSH.
Eero Network
Eero mesh WiFi management via cloud API — network health, per-node status, per-client band/signal/channel diagnostics, speed tests, settings management, and raw API passthrough. Reverse-engineered from the eero mobile app API.
Opnsense Firewall
Full OPNsense management via REST API — system status, interfaces, DNS, tunables, services, firmware/plugins, firewall states, DHCP leases, ARP table, Tailscale, WireGuard, and raw API passthrough. Replaces MCP server.
Aws/networking
Inspect VPC networking resources that commonly generate hidden costs:
Tailscale/net
Tailscale tailnet device inventory via the API — sync all devices, delete stale entries
Tailscale
Tailscale for swamp: a `setup-tailscale` workflow that installs Tailscale and joins hosts of an @swamp/ssh fleet to the tailnet (auth key via vault + SSH env), plus a `net` model that syncs `tailscale status --json` into one resource per machine so downstream models and workflows can look up nodes by name.
Tailscale/device
Tailscale TCP serve rule management via SSH — sync, set, unset
Peplink
Peplink router management — WAN status, cellular signal diagnostics, band/carrier scanning, manual carrier steering (and revert to auto), SpeedFusion Connect monitoring, Starlink dish control, and raw API passthrough. Works with any Peplink router running firmware 8.5+.
Kubernetes
Kubernetes operational toolkit — 15 model types covering pods, deployments, services, RBAC, storage, networking, autoscaling, batch jobs, and more. Includes 14 ready-to-run workflows for namespace debugging, security audits, RBAC analysis, cluster health, and operational diagnostics.
Unifi
Custom/static DNS records on a local UniFi Network controller.
Ruckus
Sync a Ruckus Unleashed wireless controller into swamp as queryable data. The extension SSHes into the Unleashed master, drives its interactive CLI through a prompt-matching state machine (Unleashed accepts SSH `none` auth and prompts for app-level login on the remote pty, so no `sshpass` or pty wrapper is required), and writes one resource per controller, access point, and WLAN.
Luxul Switch
Monitor a Luxul AMS-series managed switch (e.g. AMS-1208P) over SNMP v2c — device facts, per-port link/error telemetry, and PoE main-budget headroom. Built for AV-over-IP racks carrying Crestron NVX endpoints, where PoE budget and link health drive stream reliability. Read-only; vault-resolved SNMP community.
Tailscale
Install Tailscale on remote VMs over SSH and sync tailnet machine inventory from tailscale status JSON into per-machine resources.
Porkbun
Porkbun DNS record management with full CRUD for all common record types
Aws Cost Audit
AWS cost audit workflow — identifies infrastructure waste by combining
Nginx
Configure nginx as a TCP/UDP stream proxy on a remote host over SSH, with bootstrap and per-service proxy configuration.
Dns Policy
DNS policy compiler — merge manual vhosts + auto-discovered proxy hosts + static rewrites into a deduped desired list for an internal-DNS reconciler (e.g. AdGuard Home), plus a separate hostname list for public exposure.
Nginx Proxy Manager
Nginx Proxy Manager API wrapper — snapshot proxy hosts / redirection hosts / certificates, upsert proxy hosts idempotently (match by domain set), and delete proxy hosts by id.
Adguard
AdGuard Home control-API wrapper — snapshot status/stats/clients/rewrites and reconcile DNS rewrites to a desired set.
Pihole
Pi-hole custom DNS record management for swamp — list, add, delete, and