From b99418a5a0842fedd4a3ffba6d8bca0507565ecd Mon Sep 17 00:00:00 2001 From: medusa Date: Mon, 4 Aug 2025 16:56:42 -0500 Subject: [PATCH] Update tech_docs/its_the_new_style_design.md --- tech_docs/its_the_new_style_design.md | 101 +++++++++++++++++++++++++- 1 file changed, 100 insertions(+), 1 deletion(-) diff --git a/tech_docs/its_the_new_style_design.md b/tech_docs/its_the_new_style_design.md index 6e93608..1918f34 100644 --- a/tech_docs/its_the_new_style_design.md +++ b/tech_docs/its_the_new_style_design.md 
@@ -1162,4 +1162,103 @@ Golden rules (to keep it “perfect”) • Non-executable snippets (`.conf`, `.d/` drop-ins) are copied or symlinked by a small helper in the same decade directory. • Never put anything in `90_local/` that you expect to keep—treat it as a parking lot for today’s emergency patch. -Drop this tree into Git, clone to any new Debian box, run `apply.sh`, and your decade scheme is live. \ No newline at end of file +Drop this tree into Git, clone to any new Debian box, run `apply.sh`, and your decade scheme is live. + +--- + +Below is a **symmetry-preserving IPv6 catch-up plan** that plugs straight into the single-box dnsmasq design you already run. +It keeps the same four axioms (clock-face splits, piano-key roles, monospaced logs, prime silence) and **does not break any existing IPv4 or ACME flow**. + +--- + +### 1. Pick a **static, provider-independent** prefix +- Ask your ISP for a **/48** (or use Hurricane-Electric tunnel-broker /48 if native is unavailable). +- Slice it **exactly like the IPv4 /8** you already carved: + +| IPv6 zone | Prefix | Mirror of IPv4 zone | +|-----------|-------------------------------|---------------------| +| LAN | `2001:db8:c0de:1000::/64` | 10.0.0.0/24 | +| DMZ | `2001:db8:c0de:2000::/64` | 10.0.1.0/24 | +| INFRA | `2001:db8:c0de:ffff::/64` | 10.0.255.0/28 | + +> The **final nibble** (`1000`, `2000`, `ffff`) keeps the Mondrian colour map intact. + +--- + +### 2. dnsmasq dual-stack delta (only three new lines) +Create `/etc/dnsmasq.d/30-ipv6.conf` + +```ini +# ---- GLOBAL V6 ---- +enable-ra +dhcp-range=lan,2001:db8:c0de:1000::,ra-names,slaac,12h +dhcp-range=dmz,2001:db8:c0de:2000::,ra-names,slaac,12h +dhcp-range=infra,2001:db8:c0de:ffff::,static,64,12h + +# Mirror the IPv4 half-split +dhcp-range=lan,2001:db8:c0de:1000::1000,2001:db8:c0de:1000::7ffe,12h +dhcp-range=dmz,2001:db8:c0de:2000::1000,2001:db8:c0de:2000::7ffe,12h +``` + +- `ra-names` auto-creates AAAA from the existing IPv4 lease → **monospaced Zen** preserved. 
+- `.1000` → `.7ffe` keeps the **clock-face split** (first half static, second half stateful). + +--- + +### 3. Reverse zones (RFC 3596) +Add to the same single file: + +```ini +# ---- V6 REVERSE ---- +# 0.0.1.0.e.d.o.c.8.b.d.0.1.0.0.2.ip6.arpa +auth-zone=0.0.1.0.e.d.o.c.8.b.d.0.1.0.0.2.ip6.arpa +auth-zone=0.0.2.0.e.d.o.c.8.b.d.0.1.0.0.2.ip6.arpa +auth-zone=f.f.f.f.0.e.d.o.c.8.b.d.0.1.0.0.2.ip6.arpa +``` + +--- + +### 4. Static hosts (mirror the IPv4 file) +Append to `/etc/dnsmasq-static-hosts`: + +``` +# INFRA IPv6 +2001:db8:c0de:ffff::1 ns-01.infra.mycorp.net +2001:db8:c0de:ffff::2 gw-01.infra.mycorp.net + +# LAN IPv6 +2001:db8:c0de:1000::1 gw-01.lan.mycorp.net +2001:db8:c0de:1000::2 wifi-01.lan.mycorp.net + +# DMZ IPv6 +2001:db8:c0de:2000::1 gw-01.dmz.mycorp.net +2001:db8:c0de:2000::5 web-01.dmz.mycorp.net +``` + +--- + +### 5. ACME / certs +- **AAAA records** are auto-published by `ra-names` → same CN (`ns-01.infra.mycorp.net`) now resolves to both A and AAAA. +- **No change** to the existing ACME flow; dnsmasq still answers `_acme-challenge` over IPv4 or IPv6. + +--- + +### 6. Quick verification +```bash +# RA is live +ip -6 addr show dev eth0 +# dnsmasq hands out addresses +dig +short AAAA ns-01.infra.mycorp.net @::1 +# → 2001:db8:c0de:ffff::1 +``` + +--- + +### 7. Future-proof checklist +- **Privacy extensions** disabled via `ra-names` (keeps reverse symmetry). +- **ULA fallback** optional (`fd00:0:0:1000::/64`) for offline labs; same split rules apply. +- **Firewall** mirrors IPv4 policy (ip6tables stateful, same prime-hour reloads). + +--- + +Result: you now have **dual-stack, zero-drift, haiku-grade addressing** without touching the existing IPv4 or ACME automation. \ No newline at end of file
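Review bot: the three `auth-zone=` reverse names in section 3 are mis-spelt and would never match a real PTR query, so fix the nibbles before this merges. A /64 reverse zone is the 16 nibbles of the prefix in reverse order, so `2001:db8:c0de:1000::/64` is `0.0.0.1.e.d.0.c.8.b.d.0.1.0.0.2.ip6.arpa`, DMZ is `0.0.0.2.e.d.0.c.8.b.d.0.1.0.0.2.ip6.arpa` and INFRA is `f.f.f.f.e.d.0.c.8.b.d.0.1.0.0.2.ip6.arpa`; the hunk (and the comment line above it) has the letter `o` where the zero from `c0de` belongs, reverses the fourth group as `0.0.1.0`/`0.0.2.0` instead of `0.0.0.1`/`0.0.0.2`, and carries a seventeenth nibble (`f.f.f.f.0.`) in the INFRA zone. Since dnsmasq derives the ip6.arpa zones itself from subnets listed on `auth-zone`, the simpler and less error-prone form is to append `,2001:db8:c0de:1000::/64,2001:db8:c0de:2000::/64,2001:db8:c0de:ffff::/64` to the existing forward `auth-zone=` line rather than spelling out ip6.arpa by hand; either way `auth-server=` must be present for anything to be served authoritatively. Two further correctness points: in section 2 and 7, `ra-names` does not disable privacy extensions on clients, it only pings the EUI-64 address derived from the IPv4 lease's MAC, so any host using RFC 4941 temporary addresses (the default on most desktop and mobile stacks) never gets an AAAA and the "reverse symmetry" claim only holds if clients are explicitly configured for EUI-64; and the `infra` range is `static` mode, so the `/etc/dnsmasq-static-hosts` entries alone populate DNS but hand out no leases, a `dhcp-host=` entry per host (by DUID/MAC or by the hostname in that file) is still required. Smaller items: the heading promises "only three new lines" but the drop-in has seven, and the two `dhcp-range` lines per /64 can be collapsed into one combined form such as `dhcp-range=set:lan,2001:db8:c0de:1000::1000,2001:db8:c0de:1000::7ffe,slaac,ra-names,64,12h`; `ip -6 addr show dev eth0` in section 6 shows the box's own addresses, not that RAs are being sent (use `rdisc6 eth0` from ndisc6, or look for `RTR-ADVERT` in the dnsmasq log with `log-dhcp` on); the ULA example `fd00:0:0:1000::/64` uses an all-zero global ID where RFC 4193 calls for a random 40-bit one; and an ip6tables policy that merely "mirrors IPv4" will break SLAAC and NDP unless ICMPv6 types 133-136 (RS, RA, NS, NA) are explicitly allowed, which the checklist should say.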