Update tech_docs/networking/iac_github_project.md

tech_docs/networking/iac_github_project.md

@@ -1,3 +1,112 @@
+────────────────────────────────────────────
+OPINIONATED, PRACTICAL GUIDE  
+“How to Ship the Right Config to Every ASR-1002 DMVPN Hub—Forever”
+────────────────────────────────────────────
+
+0. One-Sentence Rule  
+Policy (templates) never changes per box; Data (YAML) is the **only** thing that changes.
+
+1. Folder Layout (Lock This Down)  
+```
+config_components/
+├── core_settings/
+│   ├── 00_licensing.j2
+│   ├── 10_system_settings.j2
+│   └── 20_aaa.j2
+├── network_services/
+│   ├── 30_vlans.j2
+│   └── 40_routing.j2
+├── interfaces/
+│   ├── 50_port_profiles/
+│   │   ├── access_port.j2
+│   │   └── trunk_port.j2
+│   └── 60_interface_assignments.j2
+├── policies/
+│   ├── 70_qos.j2
+│   └── 80_access_lists.j2
+└── data/                 ← NEW.  One YAML file per box.
+    ├── site-01.yml
+    └── site-02.yml
+```
+
+2. Build the **Golden Templates** Once  
+• Each `.j2` file must compile without external context (`jinja2 template.j2 empty.yml`).  
+• Every literal becomes a variable: `{{ hostname }}`, `{{ ospf.rid }}`, etc.  
+• **No defaults in templates**—defaults live in YAML so you can override.
+
+3. One YAML Schema to Rule Them All  
+Use a single JSON Schema (`schema.yml`) enforced by CI (`yamllint`, `jsonschema`).  
+Example minimal record:
+
+```yaml
+hostname: "SITE01-ASR01"
+system:
+  license_level: "network-advantage"
+  domain_name: "example.net"
+  name_servers: ["1.1.1.1", "8.8.8.8"]
+  tz_name: "EST"
+  tz_offset: -5
+aaa:
+  tacacs_group: "GTAC"
+  tacacs_servers:
+    - { host: "10.1.1.1", key: "SECRET1" }
+    - { host: "10.1.1.2", key: "SECRET2" }
+interfaces:
+  Loopback0: { ip: "10.255.255.1/32" }
+  Tunnel1:
+    ip: "10.200.1.1/25"
+    tunnel_source: "Loopback0"
+routing:
+  ospf:
+    - pid: 1, rid: "10.255.255.1"
+  bgp:
+    as: 65400, rid: "10.255.255.1"
+```
+
+4. Render Pipeline (3 Commands)  
+```
+python -m venv venv && source venv/bin/activate
+pip install jinja2-cli yamllint jsonschema
+yamllint data/site-01.yml
+jsonschema -i data/site-01.yml schema.yml
+jinja2 templates/compile.j2 data/site-01.yml > site-01.cfg
+```
+Add `compile.j2` at the root (just concatenates all component templates in order).
+
+5. CI/CD Guardrails  
+• **Pre-commit hooks**: lint YAML, render dry-run, diff against Git.  
+• **Master branch = templates only**; **Pull requests = new YAML files**.  
+• **Pipeline** auto-pushes rendered configs to Nornir/Napalm for diff/commit.
+
+6. Mandatory Defaults File  
+Create `data/defaults.yml` with sane global values.  
+Each site YAML does a deep-merge (`{{ defaults | combine(site, recursive=True) }}`).  
+This prevents “forgotten variables” and keeps templates small.
+
+7. Secrets Handling  
+• Never hard-code.  
+• Use `ansible-vault`, Hashicorp Vault, or GitHub Actions Secrets; inject at render time via environment variables: `{{ lookup('env', 'TACACS_KEY') }}`.
+
+8. Naming Conventions  
+• YAML keys = snake_case (`tacacs_servers`).  
+• Interface keys = canonical name (`GigabitEthernet0/0/0`).  
+• Profile names = short, descriptive (`access_port`, `trunk_port`).  
+• Template order = `00_*`, `10_*`, … so concatenation is deterministic.
+
+9. Upgrade Path  
+Future platform (NCS-5k, IOS-XR, etc.)?  
+Copy `config_components` → `config_components_ncs/`, tweak templates.  
+Data YAML remains **unchanged**; only add new keys if new features required.
+
+10. Single Source of Truth  
+One YAML → renders → diff → commit.  
+If it’s not in YAML, it does **not** exist.  
+End of story.
+
+Follow the checklist above and you will never again hand-craft a DMVPN hub config.
+
+---
+
 Below is the **sanitized, pseudocode-style** view of every functional knob an ASR-1002 DMVPN head-end needs—**no literals, no opinionated values**.  
 Each bullet is a **config option** you can turn on/off or fill-in later.  
 Think of it as a checklist you hand to an engineer who will decide the actual values.