From 8a7779166e881bdbb159d503cb841104608c6e34 Mon Sep 17 00:00:00 2001 From: medusa Date: Mon, 4 Aug 2025 01:25:11 -0500 Subject: [PATCH] Update tech_docs/single-box.md --- tech_docs/single-box.md | 176 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 175 insertions(+), 1 deletion(-) diff --git a/tech_docs/single-box.md b/tech_docs/single-box.md index 82238e2..83d783b 100644 --- a/tech_docs/single-box.md +++ b/tech_docs/single-box.md 
@@ -1,5 +1,30 @@ Low-hanging fruit that **fit the symmetry aesthetic** and **cost ≤ 1 extra binary / 1 config file each**: +## 🧩 **Core Services (≤ 1 binary / ≤ 1 file)** + +| # | Service | One-line install | Single-file config snippet | +|---|---------|------------------|----------------------------| +| 1 | **NTP + PTP** | `apt install chrony` | `/etc/chrony/chrony.conf` ➜ `allow 10.0.0.0/16` | +| 2 | **Central syslog** | `apt install rsyslog` | `/etc/rsyslog.d/10-remote.conf` ➜ `*.* @@ns.infra.mycorp.net:514` | +| 3 | **mDNS repeater** | `apt install avahi-daemon` | `/etc/avahi/avahi-daemon.conf` ➜ `enable-reflector=yes` | +| 4 | **TFTP / PXE** | *(none)* | `/etc/dnsmasq.d/30-pxe.conf` ➜ `dhcp-option=66,10.0.255.1` | +| 5 | **WireGuard hub** | `apt install wireguard` | `/etc/wireguard/wg0.conf` *(single key pair)* | +| 6 | **Prometheus exporter** | `apt install prometheus-node-exporter` | *(none)* | +| 7 | **ZTP for switches** | *(reuse TFTP)* | `/etc/dnsmasq.d/40-ztp.conf` ➜ `dhcp-match=set:ztp,…` | +| 8 | **Split-horizon DNS** | `apt install unbound` | `/etc/unbound/unbound.conf.d/20-split.conf` | +| 9 | **APT cache** | `apt install apt-cacher-ng` | `/etc/apt-cacher-ng/zzz-custom.conf` ➜ `PassThroughPattern: .*` | +|10 | **NetBox inventory** | `docker run -d -p 8000:8080 netboxcommunity/netbox` | *(container = config)* | +|11 | **Git-ops configs** | `apt install etckeeper` | `/etc/etckeeper/etckeeper.conf` | +|12 | **802.1X wired auth** | `apt install hostapd` | `/etc/hostapd/wired.conf` | +|13 | **Firmware mirror** | `apt install rsync` | systemd timer drop-in | +|14 | **Internal pastebin** | `docker run -d -p 7777:7777 haste-server` | *(container = config)* | +|15 | **Internal ACME CA** | `step ca init …` | `/etc/step-ca/config/ca.json` | +|16 | **Phone VLAN via DHCP opt 43** | *(none)* | `/etc/dnsmasq.d/50-voip.conf` | +|17 | **Tiny IPAM (phpipam)** | `docker run … phpipam` | nginx location block | +|18 | **DNS sinkhole** | `curl -sSL 
https://install.pi-hole.net | bash` | `/etc/pihole/setupVars.conf` | + +--- + 1. NTP + PTP (time symmetry) ``` apt install chrony 
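Review bot: `PassThroughPattern: .*` in row 9 turns apt-cacher-ng into an unrestricted CONNECT proxy for any destination host, which is more than a package cache needs; narrow the pattern to the HTTPS repository hosts the clients actually use and mention that the daemon should listen only on the internal interface. Two smaller points in the same table: the rsyslog line `*.* @@ns.infra.mycorp.net:514` forwards every log in clear text over TCP, so the doc should say whether the 10.0.0.0/16 segment is trusted for that or point to the TLS stream driver; and row 18 (`curl -sSL https://install.pi-hole.net | bash`) is the one entry that executes an unpinned remote script, which sits oddly beside the "single-file config" reproducibility goal. Also, rows 10, 14 and 17 are Docker containers, so the "≤ 1 binary" column heading is not literally true for them; a footnote would help.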
@@ -47,4 +72,153 @@ Low-hanging fruit that **fit the symmetry aesthetic** and **cost ≤ 1 extra bin ``` Metrics reachable at `http://ns.infra.mycorp.net:9100/metrics`. -Pick **any two** without breaking the “single-box, single-file” rule. \ No newline at end of file +Below is a **lightweight, copy-paste-ready** cheat-sheet that keeps the **cost ≤ 1 extra binary *or* 1 extra config file** rule. +Everything is grouped by *single-line install* and *single-file config* so you can mix-and-match as your “infra-core” grows. + +--- + +## 🛠️ **Drop-in snippets** + +```bash +# 1-liner to add any snippet above +sudo curl -fsSL https://gist.githubusercontent.com/you/abc123/raw/add-chrony.sh | bash +``` + +All snippets follow the **same directory layout** so you can commit the entire `/etc/infra.d/*.conf` tree to Git (via etckeeper) and roll back with `git checkout`. + +--- + +### 19. **Real-time structural-monitoring MQTT bus** +**Binary:** `apt install mosquitto` +**Config:** `/etc/mosquitto/conf.d/10-bridge.conf` +``` +connection ns +address ns.infra.mycorp.net +topic # both 0 +``` +Attach cheap ESP32-based vibration sensors to any bridge/rack; data is instantly bridged to the central broker for Grafana alerts with zero custom code . + +--- + +### 20. **NetBird overlay network (Zero-config VPN mesh)** +**Binary:** +``` +curl -fsSL https://get.netbird.io/install.sh | sh +``` +**Config:** `/etc/netbird/config.json` (auto-generated on `netbird up --setup-key …`) +Gives every node a stable 100.64.0.0/10 address and WireGuard-grade crypto without managing keys or firewall rules. + +--- + +### 21. **Single-binary DERP map for Tailscale / Headscale** +**Binary:** none (built into `tailscale`) +**Config:** `/etc/headscale/derp.yaml` +``` +regions: + 900: + regionid: 900 + regioncode: "infra" + nodes: + - name: ns + regionid: 900 + ipv4: 10.0.255.1 +``` +Provides an internal relay when direct WireGuard hole-punch fails. + +--- + +### 22. 
**OSQuery fleet launcher** +**Binary:** `apt install osquery` +**Config:** `/etc/osquery/osquery.conf` (single JSON file) +``` +{ + "schedule": { + "listen_ports": {"query": "select * from listening_ports;", "interval": 300} + } +} +``` +Ship logs to the central syslog server already running on `ns.infra.mycorp.net`. + +--- + +### 23. **Immutable firmware OSTree mirror** +**Binary:** `apt install ostree` +**Config:** systemd timer drop-in `/etc/systemd/system/ostree-mirror.timer` +``` +[Timer] +OnCalendar=Sat 02:00 +``` +Keeps a versioned `/srv/ostree` mirror of Fedora CoreOS / Ubuntu Core images for zero-touch edge rollbacks. + +--- + +### 24. **Kuma / Uptime-Kuma “infra pulse”** +**Binary:** `docker run -d -p 3001:3001 louislam/uptime-kuma` +**Config:** web UI export → `/srv/kuma/config.json` (one click restore) +Monitors internal DNS, WireGuard gateways, and PXE endpoints from the same box. + +--- + +### 25. **Local LLM “help-desk” API** +**Binary:** +``` +docker run -d -p 8000:8000 --name ollama ollama/ollama +docker exec ollama ollama pull llama3.2 +``` +**Config:** single API call to `http://ns.infra.mycorp.net:8000/api/generate` gives chat-ops answers about your internal infra docs. + +--- + +### 26. **SBOM & vuln-scanning pipeline** +**Binary:** `apt install syft grype` +**Config:** nightly systemd service `/etc/systemd/system/sbom-scan.service` +``` +[Service] +Type=oneshot +ExecStart=/usr/bin/syft /var/lib/docker -o json | /usr/bin/grype +``` +Results land in the same syslog endpoint. + +--- + +### 27. **Geo-replicated S3-compatible “cold” storage** +**Binary:** `docker run -d -p 9000:9000 -p 9001:9001 minio/minio server /data --console-address ":9001"` +**Config:** single env file `/etc/default/minio` +``` +MINIO_ROOT_USER=admin +MINIO_ROOT_PASSWORD=infraPass +``` +Mount `/srv/backup` for immutable backups of WireGuard keys, NetBox DB, etc. + +--- + +### 28. 
**AI-driven energy-optimiser for server racks** +**Binary:** `apt install influxdb2 telegraf` +**Config:** `/etc/telegraf/telegraf.conf` (one input + one output) +``` +[[inputs.ipmi_sensor]] +[[outputs.influxdb_v2]] + urls = ["http://ns.infra.mycorp.net:8086"] +``` +Grafana AI plugin suggests fan-curve tweaks that cut power 8–12 % . + +--- + +### 29. **Single-sign-on portal (SSO)** +**Binary:** `docker run -d -p 9000:9000 authelia/authelia` +**Config:** `/config/configuration.yml` (single YAML) gives LDAP-less 2-factor auth in front of NetBox, Uptime-Kuma, phpIPAM, etc. + +--- + +### 30. **Satellite imagery coastal-watch cron** +**Binary:** `apt install aws-cli` +**Config:** `/etc/systemd/system/coastal-watch.service` +``` +[Service] +Type=oneshot +ExecStart=aws s3 sync s3://sentinel-s2-l2a /srv/sat --no-sign-request --include "*T10*/*B02.jp2" +``` +Feed into the same MQTT bus (#19) for AI flood-risk scoring . + +--- +
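Review bot: item 27 hard-codes `MINIO_ROOT_PASSWORD=infraPass` in `/etc/default/minio`, and item 11 in the first hunk commits the whole `/etc` tree to Git via etckeeper, so the root credential for the bucket that is meant to hold "immutable backups of WireGuard keys" would land in version control; replace it with a placeholder, tell readers to generate the value out of band, and keep the file out of etckeeper or at mode 0600. Several snippets also will not run as written: systemd `ExecStart=` does not interpret the `|` pipe in item 26, so wrap it as `ExecStart=/bin/sh -c '/usr/bin/syft /var/lib/docker -o json | /usr/bin/grype'`; item 25 maps host port 8000 to container port 8000, but Ollama listens on 11434, and host port 8000 is already taken by NetBox (row 10), just as host port 9000 is claimed by both MinIO (item 27) and Authelia (item 29) on this single box; item 30's `--include` has no effect unless it is preceded by `--exclude "*"`, so the sync would pull the entire bucket. Item 22 says logs are shipped to the central syslog, but the osquery config sets no `logger_plugin` (the default writes to local files), so add `"options": {"logger_plugin": "syslog"}`. Finally, the `sudo curl ... | bash` one-liner puts sudo on the download rather than the install, the `/etc/infra.d/*.conf` tree it mentions is not used by any snippet, and items 19, 28 and 30 end with a stray " ." left over from a removed citation.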