Update tech_docs/its_the_new_style_design.md

2025-08-04 16:56:42 -05:00
parent ef262d8503
commit b99418a5a0
1 changed files with 100 additions and 1 deletions
--- a/tech_docs/its_the_new_style_design.md
+++ b/tech_docs/its_the_new_style_design.md
@@ -1163,3 +1163,102 @@ Golden rules (to keep it “perfect”)
 • Never put anything in `90_local/` that you expect to keep—treat it as a parking lot for today’s emergency patch.

 Drop this tree into Git, clone to any new Debian box, run `apply.sh`, and your decade scheme is live.
+
+---
+
+Below is a **symmetry-preserving IPv6 catch-up plan** that plugs straight into the single-box dnsmasq design you already run.  
+It keeps the same four axioms (clock-face splits, piano-key roles, monospaced logs, prime silence) and **does not break any existing IPv4 or ACME flow**.
+
+---
+
+### 1. Pick a **static, provider-independent** prefix
+- Ask your ISP for a **/48** (or use Hurricane-Electric tunnel-broker /48 if native is unavailable).  
+- Slice it **exactly like the IPv4 /8** you already carved:
+
+| IPv6 zone | Prefix                        | Mirror of IPv4 zone |
+|-----------|-------------------------------|---------------------|
+| LAN       | `2001:db8:c0de:1000::/64`     | 10.0.0.0/24         |
+| DMZ       | `2001:db8:c0de:2000::/64`     | 10.0.1.0/24         |
+| INFRA     | `2001:db8:c0de:ffff::/64`     | 10.0.255.0/28       |
+
+> The **final nibble** (`1000`, `2000`, `ffff`) keeps the Mondrian colour map intact.
+
+---
+
+### 2. dnsmasq dual-stack delta (only three new lines)
+Create `/etc/dnsmasq.d/30-ipv6.conf`
+
+```ini
+# ---- GLOBAL V6 ----
+enable-ra
+dhcp-range=lan,2001:db8:c0de:1000::,ra-names,slaac,12h
+dhcp-range=dmz,2001:db8:c0de:2000::,ra-names,slaac,12h
+dhcp-range=infra,2001:db8:c0de:ffff::,static,64,12h
+
+# Mirror the IPv4 half-split
+dhcp-range=lan,2001:db8:c0de:1000::1000,2001:db8:c0de:1000::7ffe,12h
+dhcp-range=dmz,2001:db8:c0de:2000::1000,2001:db8:c0de:2000::7ffe,12h
+```
+
+- `ra-names` auto-creates AAAA from the existing IPv4 lease → **monospaced Zen** preserved.  
+- `.1000` → `.7ffe` keeps the **clock-face split** (first half static, second half stateful).
+
+---
+
+### 3. Reverse zones (RFC 3596)
+Add to the same single file:
+
+```ini
+# ---- V6 REVERSE ----
+# 0.0.1.0.e.d.o.c.8.b.d.0.1.0.0.2.ip6.arpa
+auth-zone=0.0.1.0.e.d.o.c.8.b.d.0.1.0.0.2.ip6.arpa
+auth-zone=0.0.2.0.e.d.o.c.8.b.d.0.1.0.0.2.ip6.arpa
+auth-zone=f.f.f.f.0.e.d.o.c.8.b.d.0.1.0.0.2.ip6.arpa
+```
+
+---
+
+### 4. Static hosts (mirror the IPv4 file)
+Append to `/etc/dnsmasq-static-hosts`:
+
+```
+# INFRA IPv6
+2001:db8:c0de:ffff::1  ns-01.infra.mycorp.net
+2001:db8:c0de:ffff::2  gw-01.infra.mycorp.net
+
+# LAN IPv6
+2001:db8:c0de:1000::1  gw-01.lan.mycorp.net
+2001:db8:c0de:1000::2  wifi-01.lan.mycorp.net
+
+# DMZ IPv6
+2001:db8:c0de:2000::1  gw-01.dmz.mycorp.net
+2001:db8:c0de:2000::5  web-01.dmz.mycorp.net
+```
+
+---
+
+### 5. ACME / certs
+- **AAAA records** are auto-published by `ra-names` → same CN (`ns-01.infra.mycorp.net`) now resolves to both A and AAAA.  
+- **No change** to the existing ACME flow; dnsmasq still answers `_acme-challenge` over IPv4 or IPv6.
+
+---
+
+### 6. Quick verification
+```bash
+# RA is live
+ip -6 addr show dev eth0
+# dnsmasq hands out addresses
+dig +short AAAA ns-01.infra.mycorp.net @::1
+# → 2001:db8:c0de:ffff::1
+```
+
+---
+
+### 7. Future-proof checklist
+- **Privacy extensions** disabled via `ra-names` (keeps reverse symmetry).  
+- **ULA fallback** optional (`fd00:0:0:1000::/64`) for offline labs; same split rules apply.  
+- **Firewall** mirrors IPv4 policy (ip6tables stateful, same prime-hour reloads).
+
+---
+
+Result: you now have **dual-stack, zero-drift, haiku-grade addressing** without touching the existing IPv4 or ACME automation.