Add tech_docs/its_the_new_style_design.md

2025-08-04 16:06:24 -05:00
parent 51257b1ce1
commit 9559ac5a56
1 changed files with 96 additions and 0 deletions
--- a/tech_docs/its_the_new_style_design.md
+++ b/tech_docs/its_the_new_style_design.md
@@ -0,0 +1,96 @@
+Below is a single, opinionated, **Debian-only** decade scheme that you can clone into `/etc/linux-decades/` (or keep in Git and symlink).  
+Everything is pure Debian tooling—`apt`, `debconf`, `systemd`, `sysctl.d`, `sudoers.d`, `nftables`, etc.—no network-centric artifacts.
+
+Directory layout (drop-in ready):
+
+```
+/etc/linux-decades/
+├── 00_bootstrap/
+│   ├── 00_00_installer_seed.cfg          # preseed / cloud-init
+│   ├── 00_10_register_debian_mirror.sh   # sources.list generator
+│   └── 00_20_first_boot_update.sh
+├── 10_system/
+│   ├── 10_00_hostname_timezone.sh
+│   ├── 10_10_ntp_chrony.conf
+│   ├── 10_20_dns_resolved.conf
+│   └── 10_30_sysctl_hardening.conf
+├── 20_identity/
+│   ├── 20_00_users_groups.yml          # Ansible / plain YAML for loop
+│   ├── 20_10_sudoers.d/                # one file per rule
+│   ├── 20_20_sshd_config_fragment.conf
+│   └── 20_30_authorized_keys/          # keys by username
+├── 30_storage/
+│   ├── 30_00_luks_btrfs_subvols.sh
+│   ├── 30_10_lvm_thinpool.sh
+│   ├── 30_20_fstab_mounts.conf
+│   └── 30_30_zram_generator.conf
+├── 40_packages/
+│   ├── 40_00_sources_list_debian.sh
+│   ├── 40_10_essential_packages.lst
+│   ├── 40_20_backports_pin.pref
+│   └── 40_30_flatpak_remote.sh
+├── 50_services/
+│   ├── 50_00_unit_templates/
+│   │   ├── backup@.service
+│   │   └── podman@.service
+│   └── 50_10_enable_units.sh          # systemctl preset-all helper
+├── 60_runtime/
+│   ├── 60_00_nginx_sites/
+│   ├── 60_10_postgres_conf.d/
+│   ├── 60_20_logrotate_d/
+│   └── 60_30_cron_dropins/
+├── 70_performance/
+│   ├── 70_00_cgroup_v2_enable.sh
+│   ├── 70_10_cpu_governor.sh
+│   ├── 70_20_irqbalance_ban.conf
+│   └── 70_30_tuned_profile.conf
+├── 80_security/
+│   ├── 80_00_nftables_rules.nft
+│   ├── 80_10_fail2ban_jail.local
+│   ├── 80_20_apparmor_profiles/
+│   └── 80_30_aide_daily.timer
+└── 90_local/
+    ├── 90_00_site_overrides.sh
+    └── 99_zz_last_minute_fix.sh
+```
+
+Minimal glue to wire it together
+
+1. Create `/etc/linux-decades/apply.sh`:
+   ```bash
+   #!/bin/bash
+   set -euo pipefail
+   for d in /etc/linux-decades/*/; do
+       for f in "$d"*; do
+           [[ -x "$f" ]] && "$f"
+       done
+   done
+   ```
+   Make it executable.  
+   Run once at first boot, or from a systemd one-shot.
+
+2. One-shot systemd unit (`/etc/systemd/system/decades-apply.service`):
+   ```
+   [Unit]
+   Description=Apply decade-scheme configuration
+   ConditionPathExists=!/var/lib/decades-applied.stamp
+
+   [Service]
+   Type=oneshot
+   ExecStart=/etc/linux-decades/apply.sh
+   ExecStartPost=/bin/touch /var/lib/decades-applied.stamp
+   RemainAfterExit=yes
+   ```
+   Enable it so first boot only triggers once.
+
+3. Optional `debconf` integration  
+   Use `db_get`/`db_set` in decade-00 scripts if you want fully unattended installs.
+
+Golden rules (to keep it “perfect”)
+
+• Filenames **must** start with their decade prefix (`00_`, `10_`, …).  
+• Every executable script must be idempotent (safe to run twice).  
+• Non-executable snippets (`.conf`, `.d/` drop-ins) are copied or symlinked by a small helper in the same decade directory.  
+• Never put anything in `90_local/` that you expect to keep—treat it as a parking lot for today’s emergency patch.
+
+Drop this tree into Git, clone to any new Debian box, run `apply.sh`, and your decade scheme is live.