From d1bd9f1469b7b0e7eb87a8366adb49315efe87f5 Mon Sep 17 00:00:00 2001 From: medusa Date: Mon, 4 Aug 2025 17:30:51 -0500 Subject: [PATCH] Update tech_docs/its_the_new_style_design.md --- tech_docs/its_the_new_style_design.md | 74 +++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/tech_docs/its_the_new_style_design.md b/tech_docs/its_the_new_style_design.md index b81c86a..0b55632 100644 --- a/tech_docs/its_the_new_style_design.md +++ b/tech_docs/its_the_new_style_design.md 
@@ -1,3 +1,77 @@ +Let’s park the tooling and simply **sweep the room for context we may have dropped**. +Below is a quiet, point-by-point reconciliation of every layer we have spoken about, from the first line of `dnsmasq` to the last haiku syllable. If anything is missing, we’ll surface it now before we move forward. + +--- + +### 1. Physical / Logical topology (never changed) +- One Debian box, everything on it. +- Three layer-3 zones on dedicated `/24`s + one `/28` for infra. +- Static vs DHCP split is **exactly half** each subnet (`.1-.126`, `.129-.254`, `.127` mute). +- Gateways, DNS, and any future service IPs live in the static half. + +### 2. Addressing & reverse symmetry +- Forward zones + `lan.mycorp.net` → `10.0.0.0/24` + `dmz.mycorp.net` → `10.0.1.0/24` + `infra.mycorp.net` → `10.0.255.0/28` +- Reverse zones + `0.0.10.in-addr.arpa` + `1.0.10.in-addr.arpa` + `255.0.10.in-addr.arpa` + (mirrors left-to-right, right-to-left). + +### 3. Hostname grammar (canonical) +- Pattern: `role-seq.zone.root` + role = 2–4 fixed-width chars + seq = zero-padded 01-99 + zone = lan | dmz | infra + root = mycorp.net +- Real examples already locked in: + - `ns-01.infra.mycorp.net` 10.0.255.1 + - `gw-01.lan.mycorp.net` 10.0.0.1 + - `web-05.dmz.mycorp.net` 10.0.1.5 + +### 4. dnsmasq configuration (single source of truth today) +- `/etc/dnsmasq.d/00-symmetry.conf` drives the three zones + infra subnet. +- `/etc/dnsmasq-static-hosts` carries all static leases. +- No other include files; future changes must remain additive (`20-*.conf`, `30-*.conf`). + +### 5. CA & ACME integration (already bolted on) +- `step-ca` runs on the same host, port 443. +- Internal root trusted everywhere. +- DNS-01 via `dnsmasq` temp file (`/var/lib/dnsmasq/acme-challenge.hosts`). +- Cert lifetimes tied to the *meta-themes* (7-day static, 5-day DHCP, prime-hour renewals). + +### 6. 
Meta-themes currently wired into the stack +| Theme | Concrete hook | +|---|---| +| **Clock-face Symmetry** | static `.1-.126`, DHCP `.129-.254`, `.127` reserved | +| **Piano-Key Roles** | role tokens trimmed or padded to 2-4 chars | +| **Monospaced Zen** | fixed-width logs, fixed 7-day/5-day cert TTLs | +| **Prime Silence** | renew cron at 2,3,5,7,11,13,17,19,23 only | +| **Roman-Serial Minimalism** | **max 3 glyphs before first dot** | +| **Mirror-fold DNS** | forward & reverse labels are perfect palindromes | +| **Mondrian Palette** | infra=black, lan=red, dmz=blue (future guest=yellow) | +| **Haiku Length** | expiry alerts follow 5-7-5 syllable form | + +### 7. Things *not* yet decided (gaps to close) +1. **Guest / future zone naming** – if we ever add a fourth colour, does it still fit the 4-colour Mondrian rule? +2. **IPv6** – no mention yet; does the schema extend to a parallel `/64` for each zone? +3. **Service discovery beyond DNS** – mDNS, DHCP option 119, or SRV records; are they allowed to break the glyph rule? +4. **Fate of `.127` broadcast silence** – do we explicitly black-hole it in iptables or leave it purely by convention? +5. **HA / second node** – if we ever stand up a second Debian box, does it become `ns-02.infra` or do we rename the first to `ns-01`? +6. **Rotation of root CA** – internal CA lifetime, intermediate naming, key length migration path. + +--- + +### Next micro-step +Before we write templates or migrate engines, we simply **decide the six open questions above**. +Once each has a one-line answer, every future layer (Kea, BIND, NetBox, second node, IPv6) will *snap in* without breaking the symmetry or haiku. + +Shall we tick those six boxes now? + +--- + Below is a **complete, end-to-end recipe** to spin up a **proper three-node Docker Swarm** on **Debian 12 minimal VMs** while honoring: - the **dual-stack IPv4/IPv6 numbering** you already locked in
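Review bot: the "max 3 glyphs before first dot" rule in the §6 table (Roman-Serial Minimalism) contradicts §3 of the same hunk, where role = 2-4 chars, then `-`, then a two-digit seq, and every example it locks in (`ns-01`, `gw-01`, `web-05`) has 5-6 glyphs before the first dot; state which constraint wins or drop one. The §1 half-split (`.1-.126` static, `.129-.254` DHCP, `.127` mute) leaves `.128` unassigned and cannot apply to the `/28` infra subnet (10.0.255.0/28 covers only .0-.15), yet `ns-01.infra.mycorp.net 10.0.255.1` is listed as if it followed the same rule; likewise `255.0.10.in-addr.arpa` covers the whole 10.0.255.0/24, not the /28, so say whether the remainder of that reverse zone is reserved. In §7 item 4, `.127` is not the broadcast address of a /24 (`.255` is), so "broadcast silence" should be reworded as the deliberate hole it actually is. §7 item 2 says IPv6 has "no mention yet", but the closing paragraph of this hunk refers to "the dual-stack IPv4/IPv6 numbering you already locked in"; one of the two is stale. Finally, §5 says DNS-01 is served via `/var/lib/dnsmasq/acme-challenge.hosts`, but dnsmasq hosts files yield only A/AAAA (and derived PTR) records, not the TXT records DNS-01 requires, and §4 says there are no include files beyond the two listed; document how the challenge TXT record reaches dnsmasq (for example a `txt-record=` line in an additive `20-*.conf` followed by a reload) so §4 and §5 agree.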