Update tech_docs/ddi_complete_debian.md

2025-08-04 10:20:02 -05:00
parent 1af615619b
commit d59208717c
1 changed files with 0 additions and 106 deletions
--- a/tech_docs/ddi_complete_debian.md
+++ b/tech_docs/ddi_complete_debian.md
@@ -95,103 +95,6 @@ Everything is now perfectly symmetrical, predictable, and ready for future migra
 ---
 Symmetry-first, engineer-grade DNS + DHCP design  
 (Everything lives on one Debian box running dnsmasq; the numbers look *clean*.)
 ────────────────────────────────────────
 1.  Naming & numbering symmetry
   •  Domain root  : `mycorp.net`  
   •  LAN zone    : `lan.mycorp.net`  /24 → `10.0.0.0/24`  
   •  DMZ zone     : `dmz.mycorp.net`  /24 → `10.0.1.0/24`  
   •  Infrastructure subnet : `infra.mycorp.net` /28 → `10.0.255.0/28`  
   Ranges within each /24 are split **exactly in half**:
   •  `.1` – `.126` → static (infra, printers, VIPs)  
   •  `.129` – `.254` → DHCP pool (128 addresses each)  
   •  `.127` reserved for broadcast (never handed out)  
   Reverse zones are the *exact* mirror:  
   •  `0.0.10.in-addr.arpa`  
   •  `1.0.10.in-addr.arpa`  
   •  `255.0.10.in-addr.arpa`
 ────────────────────────────────────────
 2.  Hostname scheme (fully symmetrical)
   •  Server itself  : `ns.infra.mycorp.net` → `10.0.255.1`  
   •  Gateways      : `gw.lan.mycorp.net` → `10.0.0.1`  
                       `gw.dmz.mycorp.net` → `10.0.1.1`  
   •  Every host follows `role-seq.domain`  
     –  Examples:  `work-01.lan.mycorp.net`, `web-05.dmz.mycorp.net`  
 ────────────────────────────────────────
 3.  Single `/etc/dnsmasq.d/00-symmetry.conf`
 ```
 # ───── GLOBAL ─────────────────────────
 domain-needed
 bogus-priv
 expand-hosts
 local=/mycorp.net/
 server=1.1.1.1
 server=8.8.8.8
 # ───── INFRA /28 ─────────────────────
 #   10.0.255.0/28   (.1–.14 usable)
 domain=infra.mycorp.net,10.0.255.0/28
 dhcp-range=set:infra,10.0.255.129,10.0.255.254,255.255.255.240,24h
 dhcp-option=tag:infra,3,10.0.255.1
 dhcp-option=tag:infra,6,10.0.255.1
 ptr-record=255.0.10.in-addr.arpa,infra.mycorp.net
 # ───── LAN /24 ───────────────────────
 domain=lan.mycorp.net,10.0.0.0/24
 dhcp-range=set:lan,10.0.0.129,10.0.0.254,255.255.255.0,24h
 dhcp-option=tag:lan,3,10.0.0.1
 dhcp-option=tag:lan,6,10.0.255.1
 ptr-record=0.0.10.in-addr.arpa,lan.mycorp.net
 # ───── DMZ /24 ───────────────────────
 domain=dmz.mycorp.net,10.0.1.0/24
 dhcp-range=set:dmz,10.0.1.129,10.0.1.254,255.255.255.0,24h
 dhcp-option=tag:dmz,3,10.0.1.1
 dhcp-option=tag:dmz,6,10.0.255.1
 ptr-record=1.0.10.in-addr.arpa,dmz.mycorp.net
 # ───── STATIC HOSTS (symmetry enforced)
 addn-hosts=/etc/dnsmasq-static-hosts
 ```
 ────────────────────────────────────────
 4.  `/etc/dnsmasq-static-hosts` (mirrored layout)
 ```
 # INFRA
 10.0.255.1   ns.infra.mycorp.net
 10.0.255.2   gw.infra.mycorp.net
 # LAN
 10.0.0.1     gw.lan.mycorp.net
 10.0.0.2     wifi-01.lan.mycorp.net
 10.0.0.10    printer-01.lan.mycorp.net
 # DMZ
 10.0.1.1     gw.dmz.mycorp.net
 10.0.1.5     web-01.dmz.mycorp.net
 10.0.1.6     db-01.dmz.mycorp.net
 ```
 ────────────────────────────────────────
 5.  Apply & verify
 ```bash
 systemctl restart dnsmasq
 dig +short ns.infra.mycorp.net @127.0.0.1          # 10.0.255.1
 dig -x 10.0.0.150 @127.0.0.1                       # hostname.lan.mycorp.net
 ```
 Everything is now perfectly symmetrical, predictable, and ready for future migration to kea/BIND/NetBox without changing the addressing or naming scheme.
 ---
 Here is a **scrubbed, zero-defect** integration guide.  
 I’ve fixed every logic / syntax problem, tightened the symmetry, and kept the **“one-Debian-box”** promise.
@@ -332,15 +235,6 @@ openssl x509 -in ~/.acme.sh/ns.infra.mycorp.net/ns.infra.mycorp.net.cer \
 ---
 ## 7. What changed?
 | Before (dnsmasq only) | After (CA integrated) |
 |-----------------------|-----------------------|
 | Plain HTTP only       | Auto-renewing HTTPS   |
 | No ACME               | Internal ACME (RFC-8555) |
 | Zero extra daemons    | **One** extra binary (`step-ca`) |
 | Symmetry untouched    | Same FQDNs, same IPs  |
 You now have **production-grade, auto-renewing TLS** on top of your perfectly symmetrical DNS/DHCP stack—no ugly hacks, no syntax errors, and no IP or zone changes.
 ---