Update tech_docs/single-box.md

2025-08-04 01:25:11 -05:00
parent fbc49b5aa9
commit 8a7779166e
1 changed files with 175 additions and 1 deletions
--- a/tech_docs/single-box.md
+++ b/tech_docs/single-box.md
@@ -1,5 +1,30 @@
 Low-hanging fruit that **fit the symmetry aesthetic** and **cost ≤ 1 extra binary / 1 config file each**:

+## 🧩 **Core Services (≤ 1 binary / ≤ 1 file)**
+
+| # | Service | One-line install | Single-file config snippet |
+|---|---------|------------------|----------------------------|
+| 1 | **NTP + PTP** | `apt install chrony` | `/etc/chrony/chrony.conf` ➜ `allow 10.0.0.0/16` |
+| 2 | **Central syslog** | `apt install rsyslog` | `/etc/rsyslog.d/10-remote.conf` ➜ `*.* @@ns.infra.mycorp.net:514` |
+| 3 | **mDNS repeater** | `apt install avahi-daemon` | `/etc/avahi/avahi-daemon.conf` ➜ `enable-reflector=yes` |
+| 4 | **TFTP / PXE** | *(none)* | `/etc/dnsmasq.d/30-pxe.conf` ➜ `dhcp-option=66,10.0.255.1` |
+| 5 | **WireGuard hub** | `apt install wireguard` | `/etc/wireguard/wg0.conf` *(single key pair)* |
+| 6 | **Prometheus exporter** | `apt install prometheus-node-exporter` | *(none)* |
+| 7 | **ZTP for switches** | *(reuse TFTP)* | `/etc/dnsmasq.d/40-ztp.conf` ➜ `dhcp-match=set:ztp,…` |
+| 8 | **Split-horizon DNS** | `apt install unbound` | `/etc/unbound/unbound.conf.d/20-split.conf` |
+| 9 | **APT cache** | `apt install apt-cacher-ng` | `/etc/apt-cacher-ng/zzz-custom.conf` ➜ `PassThroughPattern: .*` |
+|10 | **NetBox inventory** | `docker run -d -p 8000:8080 netboxcommunity/netbox` | *(container = config)* |
+|11 | **Git-ops configs** | `apt install etckeeper` | `/etc/etckeeper/etckeeper.conf` |
+|12 | **802.1X wired auth** | `apt install hostapd` | `/etc/hostapd/wired.conf` |
+|13 | **Firmware mirror** | `apt install rsync` | systemd timer drop-in |
+|14 | **Internal pastebin** | `docker run -d -p 7777:7777 haste-server` | *(container = config)* |
+|15 | **Internal ACME CA** | `step ca init …` | `/etc/step-ca/config/ca.json` |
+|16 | **Phone VLAN via DHCP opt 43** | *(none)* | `/etc/dnsmasq.d/50-voip.conf` |
+|17 | **Tiny IPAM (phpipam)** | `docker run … phpipam` | nginx location block |
+|18 | **DNS sinkhole** | `curl -sSL https://install.pi-hole.net | bash` | `/etc/pihole/setupVars.conf` |
+
+---
+
 1. NTP + PTP (time symmetry)  
   ```
   apt install chrony
@@ -47,4 +72,153 @@ Low-hanging fruit that **fit the symmetry aesthetic** and **cost ≤ 1 extra bin
   ```
   Metrics reachable at `http://ns.infra.mycorp.net:9100/metrics`.

-Pick **any two** without breaking the “single-box, single-file” rule.
+Below is a **lightweight, copy-paste-ready** cheat-sheet that keeps the **cost ≤ 1 extra binary *or* 1 extra config file** rule.  
+Everything is grouped by *single-line install* and *single-file config* so you can mix-and-match as your “infra-core” grows.
+
+---
+
+## 🛠️ **Drop-in snippets**
+
+```bash
+# 1-liner to add any snippet above
+sudo curl -fsSL https://gist.githubusercontent.com/you/abc123/raw/add-chrony.sh | bash
+```
+
+All snippets follow the **same directory layout** so you can commit the entire `/etc/infra.d/*.conf` tree to Git (via etckeeper) and roll back with `git checkout`.
+
+---
+
+### 19. **Real-time structural-monitoring MQTT bus**  
+**Binary:** `apt install mosquitto`  
+**Config:** `/etc/mosquitto/conf.d/10-bridge.conf`  
+```
+connection ns
+address ns.infra.mycorp.net
+topic # both 0
+```
+Attach cheap ESP32-based vibration sensors to any bridge/rack; data is instantly bridged to the central broker for Grafana alerts with zero custom code .
+
+---
+
+### 20. **NetBird overlay network (Zero-config VPN mesh)**  
+**Binary:**  
+```
+curl -fsSL https://get.netbird.io/install.sh | sh
+```  
+**Config:** `/etc/netbird/config.json` (auto-generated on `netbird up --setup-key …`)  
+Gives every node a stable 100.64.0.0/10 address and WireGuard-grade crypto without managing keys or firewall rules.
+
+---
+
+### 21. **Single-binary DERP map for Tailscale / Headscale**  
+**Binary:** none (built into `tailscale`)  
+**Config:** `/etc/headscale/derp.yaml`  
+```
+regions:
+  900:
+    regionid: 900
+    regioncode: "infra"
+    nodes:
+      - name: ns
+        regionid: 900
+        ipv4: 10.0.255.1
+```
+Provides an internal relay when direct WireGuard hole-punch fails.
+
+---
+
+### 22. **OSQuery fleet launcher**  
+**Binary:** `apt install osquery`  
+**Config:** `/etc/osquery/osquery.conf` (single JSON file)  
+```
+{
+  "schedule": {
+    "listen_ports": {"query": "select * from listening_ports;", "interval": 300}
+  }
+}
+```
+Ship logs to the central syslog server already running on `ns.infra.mycorp.net`.
+
+---
+
+### 23. **Immutable firmware OSTree mirror**  
+**Binary:** `apt install ostree`  
+**Config:** systemd timer drop-in `/etc/systemd/system/ostree-mirror.timer`  
+```
+[Timer]
+OnCalendar=Sat 02:00
+```
+Keeps a versioned `/srv/ostree` mirror of Fedora CoreOS / Ubuntu Core images for zero-touch edge rollbacks.
+
+---
+
+### 24. **Kuma / Uptime-Kuma “infra pulse”**  
+**Binary:** `docker run -d -p 3001:3001 louislam/uptime-kuma`  
+**Config:** web UI export → `/srv/kuma/config.json` (one click restore)  
+Monitors internal DNS, WireGuard gateways, and PXE endpoints from the same box.
+
+---
+
+### 25. **Local LLM “help-desk” API**  
+**Binary:**  
+```
+docker run -d -p 8000:8000 --name ollama ollama/ollama
+docker exec ollama ollama pull llama3.2
+```  
+**Config:** single API call to `http://ns.infra.mycorp.net:8000/api/generate` gives chat-ops answers about your internal infra docs.
+
+---
+
+### 26. **SBOM & vuln-scanning pipeline**  
+**Binary:** `apt install syft grype`  
+**Config:** nightly systemd service `/etc/systemd/system/sbom-scan.service`  
+```
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/syft /var/lib/docker -o json | /usr/bin/grype
+```
+Results land in the same syslog endpoint.
+
+---
+
+### 27. **Geo-replicated S3-compatible “cold” storage**  
+**Binary:** `docker run -d -p 9000:9000 -p 9001:9001 minio/minio server /data --console-address ":9001"`  
+**Config:** single env file `/etc/default/minio`  
+```
+MINIO_ROOT_USER=admin
+MINIO_ROOT_PASSWORD=infraPass
+```
+Mount `/srv/backup` for immutable backups of WireGuard keys, NetBox DB, etc.
+
+---
+
+### 28. **AI-driven energy-optimiser for server racks**  
+**Binary:** `apt install influxdb2 telegraf`  
+**Config:** `/etc/telegraf/telegraf.conf` (one input + one output)  
+```
+[[inputs.ipmi_sensor]]
+[[outputs.influxdb_v2]]
+  urls = ["http://ns.infra.mycorp.net:8086"]
+```
+Grafana AI plugin suggests fan-curve tweaks that cut power 8–12 % .
+
+---
+
+### 29. **Single-sign-on portal (SSO)**  
+**Binary:** `docker run -d -p 9000:9000 authelia/authelia`  
+**Config:** `/config/configuration.yml` (single YAML) gives LDAP-less 2-factor auth in front of NetBox, Uptime-Kuma, phpIPAM, etc.
+
+---
+
+### 30. **Satellite imagery coastal-watch cron**  
+**Binary:** `apt install aws-cli`  
+**Config:** `/etc/systemd/system/coastal-watch.service`  
+```
+[Service]
+Type=oneshot
+ExecStart=aws s3 sync s3://sentinel-s2-l2a /srv/sat --no-sign-request --include "*T10*/*B02.jp2"
+```
+Feed into the same MQTT bus (#19) for AI flood-risk scoring .
+
+---
+