Update tech_docs/its_the_new_style_design.md

2025-08-04 16:56:42 -05:00
parent ef262d8503
commit b99418a5a0
1 changed files with 100 additions and 1 deletions
--- a/tech_docs/its_the_new_style_design.md
+++ b/tech_docs/its_the_new_style_design.md
@@ -1163,3 +1163,102 @@ Golden rules (to keep it “perfect”)
 • Never put anything in `90_local/` that you expect to keep—treat it as a parking lot for today’s emergency patch.
 Drop this tree into Git, clone to any new Debian box, run `apply.sh`, and your decade scheme is live.
 ---
 Below is a **symmetry-preserving IPv6 catch-up plan** that plugs straight into the single-box dnsmasq design you already run.  
 It keeps the same four axioms (clock-face splits, piano-key roles, monospaced logs, prime silence) and **does not break any existing IPv4 or ACME flow**.
 ---
 ### 1. Pick a **static, provider-independent** prefix
 - Ask your ISP for a **/48** (or use Hurricane-Electric tunnel-broker /48 if native is unavailable).  
 - Slice it **exactly like the IPv4 /8** you already carved:
 | IPv6 zone | Prefix                        | Mirror of IPv4 zone |
 |-----------|-------------------------------|---------------------|
 | LAN       | `2001:db8:c0de:1000::/64`     | 10.0.0.0/24         |
 | DMZ       | `2001:db8:c0de:2000::/64`     | 10.0.1.0/24         |
 | INFRA     | `2001:db8:c0de:ffff::/64`     | 10.0.255.0/28       |
 > The **final nibble** (`1000`, `2000`, `ffff`) keeps the Mondrian colour map intact.
 ---
 ### 2. dnsmasq dual-stack delta (only three new lines)
 Create `/etc/dnsmasq.d/30-ipv6.conf`
 ```ini
 # ---- GLOBAL V6 ----
 enable-ra
 dhcp-range=lan,2001:db8:c0de:1000::,ra-names,slaac,12h
 dhcp-range=dmz,2001:db8:c0de:2000::,ra-names,slaac,12h
 dhcp-range=infra,2001:db8:c0de:ffff::,static,64,12h
 # Mirror the IPv4 half-split
 dhcp-range=lan,2001:db8:c0de:1000::1000,2001:db8:c0de:1000::7ffe,12h
 dhcp-range=dmz,2001:db8:c0de:2000::1000,2001:db8:c0de:2000::7ffe,12h
 ```
 - `ra-names` auto-creates AAAA from the existing IPv4 lease → **monospaced Zen** preserved.  
 - `.1000` → `.7ffe` keeps the **clock-face split** (first half static, second half stateful).
 ---
 ### 3. Reverse zones (RFC 3596)
 Add to the same single file:
 ```ini
 # ---- V6 REVERSE ----
 # 0.0.1.0.e.d.o.c.8.b.d.0.1.0.0.2.ip6.arpa
 auth-zone=0.0.1.0.e.d.o.c.8.b.d.0.1.0.0.2.ip6.arpa
 auth-zone=0.0.2.0.e.d.o.c.8.b.d.0.1.0.0.2.ip6.arpa
 auth-zone=f.f.f.f.0.e.d.o.c.8.b.d.0.1.0.0.2.ip6.arpa
 ```
 ---
 ### 4. Static hosts (mirror the IPv4 file)
 Append to `/etc/dnsmasq-static-hosts`:
 ```
 # INFRA IPv6
 2001:db8:c0de:ffff::1  ns-01.infra.mycorp.net
 2001:db8:c0de:ffff::2  gw-01.infra.mycorp.net
 # LAN IPv6
 2001:db8:c0de:1000::1  gw-01.lan.mycorp.net
 2001:db8:c0de:1000::2  wifi-01.lan.mycorp.net
 # DMZ IPv6
 2001:db8:c0de:2000::1  gw-01.dmz.mycorp.net
 2001:db8:c0de:2000::5  web-01.dmz.mycorp.net
 ```
 ---
 ### 5. ACME / certs
 - **AAAA records** are auto-published by `ra-names` → same CN (`ns-01.infra.mycorp.net`) now resolves to both A and AAAA.  
 - **No change** to the existing ACME flow; dnsmasq still answers `_acme-challenge` over IPv4 or IPv6.
 ---
 ### 6. Quick verification
 ```bash
 # RA is live
 ip -6 addr show dev eth0
 # dnsmasq hands out addresses
 dig +short AAAA ns-01.infra.mycorp.net @::1
 # → 2001:db8:c0de:ffff::1
 ```
 ---
 ### 7. Future-proof checklist
 - **Privacy extensions** disabled via `ra-names` (keeps reverse symmetry).  
 - **ULA fallback** optional (`fd00:0:0:1000::/64`) for offline labs; same split rules apply.  
 - **Firewall** mirrors IPv4 policy (ip6tables stateful, same prime-hour reloads).
 ---
 Result: you now have **dual-stack, zero-drift, haiku-grade addressing** without touching the existing IPv4 or ACME automation.