diff --git a/tech_docs/ddi_complete_debian.md b/tech_docs/ddi_complete_debian.md index 4e41aef..223449b 100644 --- a/tech_docs/ddi_complete_debian.md +++ b/tech_docs/ddi_complete_debian.md 
@@ -95,103 +95,6 @@ Everything is now perfectly symmetrical, predictable, and ready for future migra --- -Symmetry-first, engineer-grade DNS + DHCP design -(Everything lives on one Debian box running dnsmasq; the numbers look *clean*.) - -──────────────────────────────────────── -1. Naming & numbering symmetry - • Domain root  : `mycorp.net` - • LAN zone    : `lan.mycorp.net`  /24 → `10.0.0.0/24` - • DMZ zone    : `dmz.mycorp.net`  /24 → `10.0.1.0/24` - • Infrastructure subnet : `infra.mycorp.net` /28 → `10.0.255.0/28` - - Ranges within each /24 are split **exactly in half**: - • `.1` – `.126` → static (infra, printers, VIPs) - • `.129` – `.254` → DHCP pool (128 addresses each) - • `.127` reserved for broadcast (never handed out) - - Reverse zones are the *exact* mirror: - • `0.0.10.in-addr.arpa` - • `1.0.10.in-addr.arpa` - • `255.0.10.in-addr.arpa` - -──────────────────────────────────────── -2. Hostname scheme (fully symmetrical) - • Server itself  : `ns.infra.mycorp.net` → `10.0.255.1` - • Gateways    : `gw.lan.mycorp.net` → `10.0.0.1` - `gw.dmz.mycorp.net` → `10.0.1.1` - • Every host follows `role-seq.domain` - – Examples: `work-01.lan.mycorp.net`, `web-05.dmz.mycorp.net` - -──────────────────────────────────────── -3. 
Single `/etc/dnsmasq.d/00-symmetry.conf` - -``` -# ───── GLOBAL ───────────────────────── -domain-needed -bogus-priv -expand-hosts -local=/mycorp.net/ -server=1.1.1.1 -server=8.8.8.8 - -# ───── INFRA /28 ───────────────────── -# 10.0.255.0/28 (.1–.14 usable) -domain=infra.mycorp.net,10.0.255.0/28 -dhcp-range=set:infra,10.0.255.129,10.0.255.254,255.255.255.240,24h -dhcp-option=tag:infra,3,10.0.255.1 -dhcp-option=tag:infra,6,10.0.255.1 -ptr-record=255.0.10.in-addr.arpa,infra.mycorp.net - -# ───── LAN /24 ─────────────────────── -domain=lan.mycorp.net,10.0.0.0/24 -dhcp-range=set:lan,10.0.0.129,10.0.0.254,255.255.255.0,24h -dhcp-option=tag:lan,3,10.0.0.1 -dhcp-option=tag:lan,6,10.0.255.1 -ptr-record=0.0.10.in-addr.arpa,lan.mycorp.net - -# ───── DMZ /24 ─────────────────────── -domain=dmz.mycorp.net,10.0.1.0/24 -dhcp-range=set:dmz,10.0.1.129,10.0.1.254,255.255.255.0,24h -dhcp-option=tag:dmz,3,10.0.1.1 -dhcp-option=tag:dmz,6,10.0.255.1 -ptr-record=1.0.10.in-addr.arpa,dmz.mycorp.net - -# ───── STATIC HOSTS (symmetry enforced) -addn-hosts=/etc/dnsmasq-static-hosts -``` - -──────────────────────────────────────── -4. `/etc/dnsmasq-static-hosts` (mirrored layout) - -``` -# INFRA -10.0.255.1 ns.infra.mycorp.net -10.0.255.2 gw.infra.mycorp.net - -# LAN -10.0.0.1 gw.lan.mycorp.net -10.0.0.2 wifi-01.lan.mycorp.net -10.0.0.10 printer-01.lan.mycorp.net - -# DMZ -10.0.1.1 gw.dmz.mycorp.net -10.0.1.5 web-01.dmz.mycorp.net -10.0.1.6 db-01.dmz.mycorp.net -``` - -──────────────────────────────────────── -5. Apply & verify -```bash -systemctl restart dnsmasq -dig +short ns.infra.mycorp.net @127.0.0.1 # 10.0.255.1 -dig -x 10.0.0.150 @127.0.0.1 # hostname.lan.mycorp.net -``` - -Everything is now perfectly symmetrical, predictable, and ready for future migration to kea/BIND/NetBox without changing the addressing or naming scheme. - ---- - Here is a **scrubbed, zero-defect** integration guide. 
I’ve fixed every logic / syntax problem, tightened the symmetry, and kept the **“one-Debian-box”** promise. @@ -332,15 +235,6 @@ openssl x509 -in ~/.acme.sh/ns.infra.mycorp.net/ns.infra.mycorp.net.cer \ --- -## 7. What changed? - -| Before (dnsmasq only) | After (CA integrated) | -|-----------------------|-----------------------| -| Plain HTTP only | Auto-renewing HTTPS | -| No ACME | Internal ACME (RFC-8555) | -| Zero extra daemons | **One** extra binary (`step-ca`) | -| Symmetry untouched | Same FQDNs, same IPs | - You now have **production-grade, auto-renewing TLS** on top of your perfectly symmetrical DNS/DHCP stack—no ugly hacks, no syntax errors, and no IP or zone changes. ---
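Review bot: Dropping the whole "Symmetry-first" section (lines 95-197 of the old file) leaves the surviving context line "Here is a **scrubbed, zero-defect** integration guide" with no baseline to integrate against; the zones, static hosts and the `ns.infra.mycorp.net` / `10.0.255.1` assignments that the later openssl/acme.sh steps rely on are now defined nowhere in this document. Keep a short summary of the addressing and naming scheme (the three zones, the static/DHCP split, the `role-seq.domain` hostname rule) or add a pointer to wherever the baseline now lives. Removing the old config block itself is justified: its infra pool `dhcp-range=set:infra,10.0.255.129,10.0.255.254,255.255.255.240,24h` lies outside the stated `10.0.255.0/28`, the "`.127` reserved for broadcast" note is wrong for a /24, and `ptr-record=0.0.10.in-addr.arpa,lan.mycorp.net` does not produce per-host reverse records, so the deleted text should not be restored verbatim; say in the commit message that it was removed because it was incorrect, not only to shorten the page.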
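Review bot: After removing "## 7. What changed?" and its before/after table, the closing sentence "You now have **production-grade, auto-renewing TLS** on top of your perfectly symmetrical DNS/DHCP stack ... no IP or zone changes" still reads as a summary of a comparison the reader can no longer see, and it is the only remaining statement that the addressing stayed unchanged. Either fold the two facts that matter into that sentence (one extra daemon, `step-ca`, added; same FQDNs and IPs as before) or keep a one-line version of the table. Also check whether any heading after section 7 still carries a number that now skips 7; that part of the file is outside this hunk.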