From 9bed5d163c8ea85a9541b8763bbc7d50a1481156 Mon Sep 17 00:00:00 2001
From: medusa
Date: Sat, 2 Aug 2025 13:35:33 -0500
Subject: [PATCH] Add tech_docs/networking/iac_github_project.md

---
 tech_docs/networking/iac_github_project.md | 319 +++++++++++++++++++++
 1 file changed, 319 insertions(+)
 create mode 100644 tech_docs/networking/iac_github_project.md

diff --git a/tech_docs/networking/iac_github_project.md b/tech_docs/networking/iac_github_project.md
new file mode 100644
index 0000000..89c0e48
--- /dev/null
+++ b/tech_docs/networking/iac_github_project.md
@@ -0,0 +1,319 @@
+Below is the **sanitized, pseudocode-style** view of every functional knob an ASR-1002 DMVPN head-end needs—**no literals, no opinionated values**.
+Each bullet is a **config option** you can turn on/off or fill-in later.
+Think of it as a checklist you hand to an engineer who will decide the actual values.
+
+--------------------------------------------------------
+GLOBAL / SYSTEM
+--------------------------------------------------------
+- set hostname → string
+- set boot system flash image → filename
+- set config-register → hex
+- set enable secret hash → encrypted-secret
+- set clock timezone / summer-time → zone offset [summer-rules]
+- set ip domain-name → fqdn
+- set ip name-servers → list
+- set logging buffered size → bytes
+- set logging console | monitor → level
+- set logging hosts → list [transport udp/tcp port]
+
+--------------------------------------------------------
+AAA
+--------------------------------------------------------
+- aaa new-model
+- aaa group server tacacs+
+ - server-private ip key
+- aaa authentication login default → [local | group tacacs | line]
+- aaa authorization commands 15 → [local | group tacacs]
+- aaa accounting commands 15 → [start-stop | none] group tacacs
+- local username / privilege / secret
+
+--------------------------------------------------------
+VRFs
+--------------------------------------------------------
+- vrf definition
+ - rd
+ - address-family [ipv4 | ipv6]
+
+--------------------------------------------------------
+CRYPTO
+--------------------------------------------------------
+- crypto keyring vrf
+ - pre-shared-key address ip key
+- crypto isakmp policy
+ - encr [3des | aes]
+ - auth [pre-share | rsa-sig]
+ - group [2 | 5 | 14]
+- crypto ipsec transform-set
+ - [esp-3des | esp-aes] [esp-md5 | esp-sha-hmac]
+ - mode [tunnel | transport]
+- crypto ipsec profile
+ - set transform-set
+ - set pfs | idle-time | lifetime
+
+--------------------------------------------------------
+TUNNEL / DMVPN
+--------------------------------------------------------
+- interface Tunnel
+ - ip address / mask
+ - tunnel source [interface | ip]
+ - tunnel mode gre multipoint
+ - tunnel key
+ - tunnel vrf
+ - tunnel protection ipsec profile
+ - ip nhrp network-id
+ - ip nhrp authentication
+ - ip nhrp map multicast dynamic
+ - ip nhrp server-only | nhs | redirect | shortcut
+ - ip tcp adjust-mss
+ - qos pre-classify
+ - service-policy output
+
+--------------------------------------------------------
+ROUTING – OSPF
+--------------------------------------------------------
+- router ospf [vrf ]
+ - router-id
+ - auto-cost reference-bandwidth
+ - passive-interface default
+ - network area
+ - area authentication message-digest
+ - interface ip ospf message-digest-key md5
+
+--------------------------------------------------------
+ROUTING – BGP
+--------------------------------------------------------
+- router bgp
+ - bgp router-id
+ - bgp log-neighbor-changes
+ - neighbor remote-as
+ - neighbor description
+ - neighbor ebgp-multihop
+ - neighbor update-source
+ - neighbor password
+ - bgp listen range peer-group
+ - address-family ipv4
+ - neighbor activate
+ - neighbor route-reflector-client
+ - neighbor next-hop-self [all]
+ - neighbor default-originate
+ - neighbor soft-reconfiguration inbound
+ - neighbor route-map
+ - network mask
+
+--------------------------------------------------------
+QOS
+--------------------------------------------------------
+- class-map
+ - match [access-group | dscp | protocol | …]
+- policy-map
+ - class
+ - priority percent
+ - bandwidth remaining percent
+ - shape average
+ - queue-limit
+ - random-detect dscp-based
+- service-policy [input | output]
+
+--------------------------------------------------------
+ACL / PREFIX / COMMUNITY LISTS
+--------------------------------------------------------
+- access-list [standard | extended] [permit | deny]
+- ip prefix-list seq permit/deny [ge | le]
+- ip community-list [standard | expanded] [permit | deny]
+
+--------------------------------------------------------
+SNMP
+--------------------------------------------------------
+- snmp-server community [ro | rw] [acl]
+- snmp-server group v3 [auth | priv] [read | write]
+- snmp-server user v3 auth sha priv aes 128
+- snmp-server host traps version 3 …
+- snmp-server location
+- snmp-server contact
+- snmp-server enable traps … (list of trap types)
+
+--------------------------------------------------------
+INTERFACES (GENERIC)
+--------------------------------------------------------
+- interface
+ - description
+ - ip address [secondary]
+ - vrf forwarding
+ - mtu
+ - ip flow [ingress | egress]
+ - service-policy [input | output]
+ - ip ospf cost | hello-interval | dead-interval
+ - channel-group mode [active | passive | on]
+ - speed / duplex / negotiation
+ - shutdown | no shutdown
+
+--------------------------------------------------------
+MISCELLANEOUS
+--------------------------------------------------------
+- ip route [vrf ]
+- ip sla [icmp-echo | tcp-connect | udp-jitter] …
+- ip sla schedule life forever start-time now
+- control-plane service-policy input
+- line con 0 / line vty 0 15
+ - password
+ - exec-timeout
+ - transport input [ssh | telnet | none]
+
+Keep this checklist handy—fill in the blanks with real values only when you build the YAML for a specific box.
+
+---
+
+Below is a **minimal, reusable skeleton** that drops straight into
+`config_components/` and cleanly separates **policy** from **data**,
+while leaving every literal as a variable.
+
+You can copy-paste these empty “placeholders” into the filenames shown;
+they already contain **only the functional knobs** (pseudocode).
+
+--------------------------------------------------------
+core_settings/00_licensing.j2
+```
+{# License boot level or Smart-Call-Home declarations #}
+license boot level {{ license_level | default('network-advantage') }}
+```
+
+core_settings/10_system_settings.j2
+```
+hostname {{ hostname }}
+service password-encryption
+service timestamps debug datetime msec
+service timestamps log datetime msec
+ip domain-name {{ domain_name }}
+{% for ns in name_servers %}
+ip name-server {{ ns }}
+{% endfor %}
+clock timezone {{ tz_name }} {{ tz_offset }}
+```
+
+core_settings/20_aaa.j2
+```
+aaa new-model
+!
+aaa group server tacacs+ {{ tacacs_group }}
+{% for srv in tacacs_servers %}
+ server-private {{ srv.host }} key {{ srv.key }}
+{% endfor %}
+!
+aaa authentication login default group {{ tacacs_group }} local
+aaa authorization exec default group {{ tacacs_group }} local
+aaa accounting commands 15 default start-stop group {{ tacacs_group }}
+```
+
+--------------------------------------------------------
+network_services/30_vlans.j2
+```
+{% for vlan in vlans %}
+vlan {{ vlan.id }}
+ name {{ vlan.name }}
+{% endfor %}
+```
+
+network_services/40_routing.j2
+```
+{% for instance in routing.ospf %}
+router ospf {{ instance.pid }}{% if instance.vrf %} vrf {{ instance.vrf }}{% endif %}
+ router-id {{ instance.rid }}
+{% for net in instance.networks %}
+ network {{ net.prefix }} {{ net.wc }} area {{ net.area }}
+{% endfor %}
+{% endfor %}
+
+{% if routing.bgp %}
+router bgp {{ routing.bgp.as }}
+ bgp router-id {{ routing.bgp.rid }}
+{% for neigh in routing.bgp.neighbors %}
+ neighbor {{ neigh.ip }} remote-as {{ neigh.as }}
+ neighbor {{ neigh.ip }} description {{ neigh.desc }}
+{% endfor %}
+ address-family ipv4
+{% for net in routing.bgp.networks %}
+ network {{ net.prefix }} mask {{ net.mask }}
+{% endfor %}
+{% for neigh in routing.bgp.neighbors %}
+ neighbor {{ neigh.ip }} activate
+{% endfor %}
+ exit-address-family
+{% endif %}
+```
+
+
+--------------------------------------------------------
+interfaces/50_port_profiles/access_port.j2
+```
+interface {{ port.name }}
+ description {{ port.desc | default('Access port') }}
+ switchport mode access
+ switchport access vlan {{ port.access_vlan }}
+ switchport nonegotiate
+ spanning-tree portfast
+{% if port.shutdown is defined and port.shutdown %}shutdown{% else %}no shutdown{% endif %}
+```
+
+interfaces/50_port_profiles/trunk_port.j2
+```
+interface {{ port.name }}
+ description {{ port.desc | default('Trunk port') }}
+ switchport mode trunk
+ switchport trunk native vlan {{ port.native_vlan }}
+ switchport trunk allowed vlan {{ port.allowed_vlans | join(',') }}
+ switchport nonegotiate
+{% if port.shutdown is defined and port.shutdown %}shutdown{% else %}no shutdown{% endif %}
+```
+
+interfaces/60_interface_assignments.j2
+```
+{% for port in interfaces %}
+{% set template = port.profile ~ '.j2' %}
+{% include 'interfaces/50_port_profiles/' + template %}
+{% endfor %}
+```
+
+--------------------------------------------------------
+policies/70_qos.j2
+```
+{% for cmap in qos.class_maps %}
+class-map {{ cmap.match_type }} {{ cmap.name }}
+{% for rule in cmap.rules %}
+ match {{ rule.type }} {{ rule.value }}
+{% endfor %}
+{% endfor %}
+!
+{% for pmap in qos.policy_maps %}
+policy-map {{ pmap.name }}
+{% for cls in pmap.classes %}
+ class {{ cls.name }}
+{% for action in cls.actions %}
+ {{ action.cmd }} {{ action.value | default('') }}
+{% endfor %}
+{% endfor %}
+{% endfor %}
+```
+
+policies/80_access_lists.j2
+```
+{% for acl in acls %}
+{% if acl.type == 'extended' %}
+ip access-list extended {{ acl.name }}
+{% else %}
+ip access-list standard {{ acl.name }}
+{% endif %}
+{% for rule in acl.rules %}
+ {{ rule.action }} {{ rule.text }}
+{% endfor %}
+{% endfor %}
+```
+
+--------------------------------------------------------
+USAGE (single command)
+--------------------------------------------------------
+```
+find config_components -name "*.j2" | sort | xargs cat \
+ | jinja2 -d site.yaml > final.cfg
+```
+
+- Each `.j2` file contains **only pseudocode variables**—no literals.
+- Drop **real values** into `site.yaml` (or per-device YAML) and render.
\ No newline at end of file