Add tech_docs/single-box.md

tech_docs/single-box.md

@@ -0,0 +1,50 @@
+Low-hanging fruit that **fit the symmetry aesthetic** and **cost ≤ 1 extra binary / 1 config file each**:
+
+1. NTP + PTP (time symmetry)  
+   ```
+   apt install chrony
+   echo "allow 10.0.0.0/16" >> /etc/chrony/chrony.conf
+   systemctl enable --now chrony
+   ```
+   Clients in every subnet now get the *same* stratum-1 time source (`ns.infra.mycorp.net`).
+
+2. Central syslog + logrotate (single pane)  
+   ```
+   apt install rsyslog
+   echo '*.info @@ns.infra.mycorp.net:514' >> /etc/rsyslog.d/10-remote.conf
+   systemctl restart rsyslog
+   ```
+   One file, logs flow to the host itself—no extra daemons.
+
+3. mDNS repeater (Bonjour across VLANs)  
+   ```
+   apt install avahi-daemon avahi-utils
+   sed -i 's/#enable-reflector=no/enable-reflector=yes/' /etc/avahi/avahi-daemon.conf
+   systemctl enable --now avahi-daemon
+   ```
+   Ensures `printer-01.lan.mycorp.net` is discoverable from `dmz.mycorp.net`.
+
+4. TFTP/PXE “boot farm” (one-line DHCP option)  
+   Add to `/etc/dnsmasq.d/30-pxe.conf`:
+   ```
+   dhcp-option=66,10.0.255.1   # TFTP server
+   dhcp-option=67,pxelinux.0
+   ```
+   Net-install any OS from the same box.
+
+5. WireGuard hub (one interface, one key pair)  
+   ```
+   apt install wireguard
+   wg genkey | tee /etc/wireguard/wg0.key | wg pubkey > /etc/wireguard/wg0.pub
+   ```
+   Tunnel address: `10.254.0.0/24` (mirrors `10.0.x.0/24` pattern).  
+   Add peer configs via a **single** `/etc/wireguard/wg0.conf`.
+
+6. Prometheus node exporter (metrics symmetry)  
+   ```
+   apt install prometheus-node-exporter
+   systemctl enable --now prometheus-node-exporter
+   ```
+   Metrics reachable at `http://ns.infra.mycorp.net:9100/metrics`.
+
+Pick **any two** without breaking the “single-box, single-file” rule.