Update tech_docs/its_the_new_style_design.md
@@ -1,3 +1,44 @@
### 🎯 Meta-level design discussion
You just handed me a **symmetry-first network blueprint**.
Let’s step back and talk **why** each choice is solid (or brittle) before we ever touch a keyboard again.

| Decision | Rationale | Risk window | Mitigation |
|---|---|---|---|
| **Single-box dnsmasq** | Simplicity, one source of truth, no replication drama. | Single-point-of-failure for DHCP & DNS. | Keep the box on UPS, run daily rsync of `/etc/dnsmasq.d` + leasefile to a warm spare; swap IPs if the primary dies. |
| **Perfect /24 symmetry** | Humans love patterns; scripts can generate configs; reverse zone is trivial. | You lock yourself into 126 static + 128 dynamic forever. | If you ever need > 126 static hosts, just carve an adjacent /24 and tag it `lan-2.mycorp.net`—the naming scheme still works. |
| **One monolithic `00-symmetry.conf`** vs many files | One file is atomic, grep-friendly, git-friendly. | Merge conflicts if two admins edit simultaneously. | Split into **one file per zone** (`10-lan.conf`, `20-dmz.conf`, `30-infra.conf`) and keep `99-static-maps.conf` for MAC overrides. |
| **dnsmasq as CA certificate source (ACME)** | Keeps everything on the same host; no external dependency. | If dnsmasq is down, ACME-01 challenges fail → certs don’t renew. | Run a **secondary hidden DNS** (another dnsmasq instance on port 5353) that only answers `_acme-challenge.*`; point `acme.sh` at it for DNS-01. |
| **Flat domain (`*.mycorp.net`)** | Easy to remember, no split-horizon headaches. | Exposes internal hostnames to any guest that gets DNS. | If you later expose guest Wi-Fi, spin up a **separate dnsmasq process** with its own config directory listening only on VLAN 20; it advertises `guest.mycorp.net` while the LAN process advertises `lan.mycorp.net`. |
| **Static hosts file (`/etc/dnsmasq-static-hosts`)** | Version-controllable, readable, survives dnsmasq restart. | Manual edits grow painful at scale. | Move to **NetBox + pynetbox script** that nightly regenerates `dnsmasq-static-hosts`; keep the symmetry rules in code. |
| **Reverse zones in dnsmasq** | Works, but dnsmasq auto-generates only for DHCP leases; you manually added `ptr-record` lines. | Risk of drift if you forget to add a PTR for a static host. | Script that parses `/etc/hosts` and spits out the matching `ptr-record` lines; run it as a pre-commit hook. |
| **No DHCP snooping / trusted port config on switches** | Simple plug-and-play. | Rogue DHCP server can steal leases. | Enable DHCP-snooping on managed switches; trust only the port facing `ns.infra.mycorp.net`. |

---

### 🤔 Future escape hatches (before you paint yourself into a corner)

1. **Scale-out DHCP**:
When you hit ~400 active leases, migrate **only DHCP** to **ISC-KEA** while keeping dnsmasq for DNS.
KEA can still update dnsmasq via DDNS, so your hostnames stay in sync.

2. **DNS views / split-horizon**:
Need an “external” view of `dmz.mycorp.net`?
Run **Unbound** on port 53 (public view) and **dnsmasq** on 5353 (internal view); Unbound forwards the internal zone to dnsmasq.

3. **Secret infra subnet**:
If you ever need a **management network** that guests must never see, create `mgmt.mycorp.net` on a separate interface; dnsmasq will happily serve it with a new `40-mgmt.conf`.

4. **IPv6 symmetry**:
Reserve `fd00:0:0:lan::/64`, `fd00:0:0:dmz::/64`, etc.; dnsmasq handles dual-stack with `dhcp-range=::1000,::1fff,constructor:eth0,24h`.

---

### 🏁 TL;DR
Your current design is **elegant and safe for the next 1–2 years**.
Treat the single dnsmasq box as a **configuration artifact**, not a pet—keep the configs in Git, run them through CI to generate the hosts + ptr + dhcp files, and you can swap to any back-end later without touching IP plans or hostnames.

---

Below is a concise “decision + implementation” guide that folds the best-practice recommendations from the search results into a set of concrete steps you can take right now.

--------------------------------------------------------------------
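Review bot: the `dnsmasq as CA certificate source (ACME)` row mislabels the component and its mitigation does not reach the party that validates the challenge: dnsmasq is not a certificate authority, it is the server that answers the `_acme-challenge.*` TXT lookups during DNS-01 (the "ACME-01" in the risk column should read DNS-01), and a public CA resolves those names through the public delegation of `mycorp.net`, so a hidden second instance on port 5353 reachable only from the LAN is never queried by it; a second instance on the same host also shares the outage the row is trying to survive. Suggest renaming the row to "dnsmasq as DNS-01 challenge responder" and, in the mitigation, either delegating `_acme-challenge` to a DNS service the CA can reach (one that `acme.sh` has a DNS API hook for) or using HTTP-01 for hosts the CA can connect to; keep the 5353 idea only if the CA is an internal one that is explicitly configured to resolve via that instance. Also, in item 4 the prefixes `fd00:0:0:lan::/64` and `fd00:0:0:dmz::/64` are not valid IPv6 literals (`lan` and `dmz` are not hex groups); use numeric subnet IDs such as `fd00:0:0:1::/64` and `fd00:0:0:2::/64`, and generate the 40-bit ULA global ID randomly as RFC 4193 requires rather than leaving it all zeros, so the prefix will not collide with another site's ULA if the networks are ever joined over VPN.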