From 9559ac5a56504e2f514e03f8da2bcec9a013658e Mon Sep 17 00:00:00 2001 From: medusa Date: Mon, 4 Aug 2025 16:06:24 -0500 Subject: [PATCH] Add tech_docs/its_the_new_style_design.md --- tech_docs/its_the_new_style_design.md | 96 +++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 tech_docs/its_the_new_style_design.md diff --git a/tech_docs/its_the_new_style_design.md b/tech_docs/its_the_new_style_design.md new file mode 100644 index 0000000..cc90d94 --- /dev/null +++ b/tech_docs/its_the_new_style_design.md 
@@ -0,0 +1,96 @@ +Below is a single, opinionated, **Debian-only** decade scheme that you can clone into `/etc/linux-decades/` (or keep in Git and symlink). +Everything is pure Debian tooling—`apt`, `debconf`, `systemd`, `sysctl.d`, `sudoers.d`, `nftables`, etc.—no network-centric artifacts. + +Directory layout (drop-in ready): + +``` +/etc/linux-decades/ +├── 00_bootstrap/ +│ ├── 00_00_installer_seed.cfg # preseed / cloud-init +│ ├── 00_10_register_debian_mirror.sh # sources.list generator +│ └── 00_20_first_boot_update.sh +├── 10_system/ +│ ├── 10_00_hostname_timezone.sh +│ ├── 10_10_ntp_chrony.conf +│ ├── 10_20_dns_resolved.conf +│ └── 10_30_sysctl_hardening.conf +├── 20_identity/ +│ ├── 20_00_users_groups.yml # Ansible / plain YAML for loop +│ ├── 20_10_sudoers.d/ # one file per rule +│ ├── 20_20_sshd_config_fragment.conf +│ └── 20_30_authorized_keys/ # keys by username +├── 30_storage/ +│ ├── 30_00_luks_btrfs_subvols.sh +│ ├── 30_10_lvm_thinpool.sh +│ ├── 30_20_fstab_mounts.conf +│ └── 30_30_zram_generator.conf +├── 40_packages/ +│ ├── 40_00_sources_list_debian.sh +│ ├── 40_10_essential_packages.lst +│ ├── 40_20_backports_pin.pref +│ └── 40_30_flatpak_remote.sh +├── 50_services/ +│ ├── 50_00_unit_templates/ +│ │ ├── backup@.service +│ │ └── podman@.service +│ └── 50_10_enable_units.sh # systemctl preset-all helper +├── 60_runtime/ +│ ├── 60_00_nginx_sites/ +│ ├── 60_10_postgres_conf.d/ +│ ├── 60_20_logrotate_d/ +│ └── 60_30_cron_dropins/ +├── 70_performance/ +│ ├── 70_00_cgroup_v2_enable.sh +│ ├── 70_10_cpu_governor.sh +│ ├── 70_20_irqbalance_ban.conf +│ └── 70_30_tuned_profile.conf +├── 80_security/ +│ ├── 80_00_nftables_rules.nft +│ ├── 80_10_fail2ban_jail.local +│ ├── 80_20_apparmor_profiles/ +│ └── 80_30_aide_daily.timer +└── 90_local/ + ├── 90_00_site_overrides.sh + └── 99_zz_last_minute_fix.sh +``` + +Minimal glue to wire it together + +1. 
Create `/etc/linux-decades/apply.sh`: + ```bash + #!/bin/bash + set -euo pipefail + for d in /etc/linux-decades/*/; do + for f in "$d"*; do + [[ -x "$f" ]] && "$f" + done + done + ``` + Make it executable. + Run once at first boot, or from a systemd one-shot. + +2. One-shot systemd unit (`/etc/systemd/system/decades-apply.service`): + ``` + [Unit] + Description=Apply decade-scheme configuration + ConditionPathExists=!/var/lib/decades-applied.stamp + + [Service] + Type=oneshot + ExecStart=/etc/linux-decades/apply.sh + ExecStartPost=/bin/touch /var/lib/decades-applied.stamp + RemainAfterExit=yes + ``` + Enable it so first boot only triggers once. + +3. Optional `debconf` integration + Use `db_get`/`db_set` in decade-00 scripts if you want fully unattended installs. + +Golden rules (to keep it “perfect”) + +• Filenames **must** start with their decade prefix (`00_`, `10_`, …). +• Every executable script must be idempotent (safe to run twice). +• Non-executable snippets (`.conf`, `.d/` drop-ins) are copied or symlinked by a small helper in the same decade directory. +• Never put anything in `90_local/` that you expect to keep—treat it as a parking lot for today’s emergency patch. + +Drop this tree into Git, clone to any new Debian box, run `apply.sh`, and your decade scheme is live. \ No newline at end of file
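Review bot: `apply.sh` in this hunk will abort on the first decade that contains a subdirectory: `[[ -x "$f" ]] && "$f"` is true for directories such as `20_10_sudoers.d/`, `50_00_unit_templates/` and `60_00_nginx_sites/` (the search bit satisfies `-x`), and because `"$f"` is the command after the final `&&`, bash's failure to execute a directory is fatal under `set -e`. Guard on regular files instead, `[[ -f "$f" && -x "$f" ]] && "$f"`, and set `LC_ALL=C` before the loop so the `*` glob orders `00_…`, `10_…` identically whatever the caller's locale. Since the tree is cloned from Git and every executable in it runs as root, the loop should also skip anything not owned by root or that is group/world-writable before running it (for example `[[ $(stat -c %U "$f") == root ]]`), otherwise a writable checkout becomes a way to run arbitrary code as root on every box the tree is applied to. In the systemd unit, "Enable it so first boot only triggers once" cannot be done as written: the unit has no `[Install]` section, so `systemctl enable decades-apply.service` will refuse it; add `[Install]` with `WantedBy=multi-user.target`. Minor: the intro says "no network-centric artifacts" while the tree ships `nftables`, `fail2ban`, nginx sites and a mirror generator; reword that claim to match the layout.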