Low-hanging fruit that **fit the symmetry aesthetic** and **cost ≤ 1 extra binary / 1 config file each**:

## 🧩 **Core Services (≤ 1 binary / ≤ 1 file)**

| # | Service | One-line install | Single-file config snippet |
|---|---------|------------------|----------------------------|
| 1 | **NTP + PTP** | `apt install chrony` | `/etc/chrony/chrony.conf` ➜ `allow 10.0.0.0/16` |
| 2 | **Central syslog** | `apt install rsyslog` | `/etc/rsyslog.d/10-remote.conf` ➜ `*.* @@ns.infra.mycorp.net:514` |
| 3 | **mDNS repeater** | `apt install avahi-daemon` | `/etc/avahi/avahi-daemon.conf` ➜ `enable-reflector=yes` |
| 4 | **TFTP / PXE** | *(none)* | `/etc/dnsmasq.d/30-pxe.conf` ➜ `dhcp-option=66,10.0.255.1` |
| 5 | **WireGuard hub** | `apt install wireguard` | `/etc/wireguard/wg0.conf` *(single key pair)* |
| 6 | **Prometheus exporter** | `apt install prometheus-node-exporter` | *(none)* |
| 7 | **ZTP for switches** | *(reuse TFTP)* | `/etc/dnsmasq.d/40-ztp.conf` ➜ `dhcp-match=set:ztp,…` |
| 8 | **Split-horizon DNS** | `apt install unbound` | `/etc/unbound/unbound.conf.d/20-split.conf` |
| 9 | **APT cache** | `apt install apt-cacher-ng` | `/etc/apt-cacher-ng/zzz-custom.conf` ➜ `PassThroughPattern: .*` |
| 10 | **NetBox inventory** | `docker run -d -p 8000:8080 netboxcommunity/netbox` | *(container = config)* |
| 11 | **Git-ops configs** | `apt install etckeeper` | `/etc/etckeeper/etckeeper.conf` |
| 12 | **802.1X wired auth** | `apt install hostapd` | `/etc/hostapd/wired.conf` |
| 13 | **Firmware mirror** | `apt install rsync` | systemd timer drop-in |
| 14 | **Internal pastebin** | `docker run -d -p 7777:7777 haste-server` | *(container = config)* |
| 15 | **Internal ACME CA** | `step ca init …` | `/etc/step-ca/config/ca.json` |
| 16 | **Phone VLAN via DHCP opt 43** | *(none)* | `/etc/dnsmasq.d/50-voip.conf` |
| 17 | **Tiny IPAM (phpipam)** | `docker run … phpipam` | nginx location block |
| 18 | **DNS sinkhole** | `curl -sSL https://install.pi-hole.net \| bash` | `/etc/pihole/setupVars.conf` |

---

### 1. NTP + PTP (time symmetry)

```bash
apt install chrony
# serve time to every 10.0.x.0/24 subnet, not just localhost
echo "allow 10.0.0.0/16" >> /etc/chrony/chrony.conf
systemctl enable --now chrony
```

Clients in every subnet now get the *same* stratum-1 time source (`ns.infra.mycorp.net`).

### 2. Central syslog + logrotate (single pane)

```bash
apt install rsyslog
# '@@' = TCP forwarding (a single '@' would be UDP); the collector side must have imtcp enabled on 514
echo '*.info @@ns.infra.mycorp.net:514' >> /etc/rsyslog.d/10-remote.conf
systemctl restart rsyslog
```

One file, logs flow to the host itself—no extra daemons.

### 3. mDNS repeater (Bonjour across VLANs)

```bash
apt install avahi-daemon avahi-utils
# the reflector re-broadcasts mDNS between the VLAN interfaces avahi listens on
sed -i 's/#enable-reflector=no/enable-reflector=yes/' /etc/avahi/avahi-daemon.conf
systemctl enable --now avahi-daemon
```

Ensures `printer-01.lan.mycorp.net` is discoverable from `dmz.mycorp.net`.

### 4. TFTP/PXE “boot farm” (one-line DHCP option)

Add to `/etc/dnsmasq.d/30-pxe.conf`:

```
# option 66 = TFTP server, option 67 = boot file name
dhcp-option=66,10.0.255.1
dhcp-option=67,pxelinux.0
```

Net-install any OS from the same box.

### 5. WireGuard hub (one interface, one key pair)

```bash
apt install wireguard
umask 077   # the private key file must not be readable by other users
wg genkey | tee /etc/wireguard/wg0.key | wg pubkey > /etc/wireguard/wg0.pub
```

Tunnel address: `10.254.0.0/24` (mirrors `10.0.x.0/24` pattern). Add peer configs via a **single** `/etc/wireguard/wg0.conf`.

### 6. Prometheus node exporter (metrics symmetry)

```bash
apt install prometheus-node-exporter
systemctl enable --now prometheus-node-exporter
```

Metrics reachable at `http://ns.infra.mycorp.net:9100/metrics`.

Below is a **lightweight, copy-paste-ready** cheat-sheet that keeps the **cost ≤ 1 extra binary *or* 1 extra config file** rule. Everything is grouped by *single-line install* and *single-file config* so you can mix-and-match as your “infra-core” grows.
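As an added example for section 5 (not part of the original cheat-sheet), a small Python generator for the hub side of `/etc/wireguard/wg0.conf` that encodes the 10.254.0.x ↔ 10.0.x.0/24 mirror and uses `AllowedIPs` as the per-site source ACL. The hub taking `.254`, the default 51820 port and loading `wg0.key` via `wg set` are assumptions; the peer public keys are constructed placeholders.

```python
import ipaddress

# Hub tunnel range from the cheat-sheet; site x gets 10.254.0.x and owns 10.0.x.0/24.
HUB_TUNNEL = ipaddress.ip_network("10.254.0.0/24")
HUB_INDEX = 254  # assumption: the hub takes the last host address


def tunnel_addr(x: int) -> ipaddress.IPv4Address:
    """Tunnel address mirrored from the site index (10.254.0.x)."""
    return HUB_TUNNEL.network_address + x


def site_subnet(x: int) -> ipaddress.IPv4Network:
    """LAN behind site x (10.0.x.0/24)."""
    return ipaddress.ip_network(f"10.0.{x}.0/24")


def render_hub_conf(hub_key_path: str, peers: dict[int, str], listen_port: int = 51820) -> str:
    """Render the hub's wg0.conf.  `peers` maps site index (1..253) to that site's
    public key.  AllowedIPs doubles as WireGuard's cryptokey routing table: the hub
    only accepts a packet from a peer if its source lies in that peer's /32 + /24,
    so a compromised site cannot inject traffic claiming to be a sibling VLAN."""
    if len(set(peers.values())) != len(peers):
        # wg silently keeps only the last [Peer] with a given key, so refuse early
        raise ValueError("duplicate public key across peers")
    lines = [
        "[Interface]",
        f"Address = {tunnel_addr(HUB_INDEX)}/24",
        f"ListenPort = {listen_port}",
        # keep the private key out of the conf file; wg0.key is the file generated above
        f"PostUp = wg set %i private-key {hub_key_path}",
        "",
    ]
    for x, pubkey in sorted(peers.items()):
        if not 1 <= x < HUB_INDEX:
            raise ValueError(f"site index {x} must be in 1..{HUB_INDEX - 1}")
        lines += [
            "[Peer]",
            f"# site {x}",
            f"PublicKey = {pubkey}",
            f"AllowedIPs = {tunnel_addr(x)}/32, {site_subnet(x)}",
            "",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    # constructed placeholder keys; real ones come from `wg pubkey` at each site
    print(render_hub_conf("/etc/wireguard/wg0.key", {1: "<site1-pubkey>", 2: "<site2-pubkey>"}))
```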
---

## 🛠️ **Drop-in snippets**

```bash
# 1-liner to add any snippet above
# sudo belongs on bash, not on curl: the download needs no privileges, the install does;
# -f makes curl fail on an HTTP error so bash receives nothing instead of an error page
curl -fsSL https://gist.githubusercontent.com/you/abc123/raw/add-chrony.sh | sudo bash
```

All snippets follow the **same directory layout** so you can commit the entire `/etc/infra.d/*.conf` tree to Git (via etckeeper) and roll back with `git checkout`.

---

### 19. **Real-time structural-monitoring MQTT bus**

**Binary:** `apt install mosquitto`

**Config:** `/etc/mosquitto/conf.d/10-bridge.conf`

```
# bridge every topic in both directions (QoS 0) to the central broker
connection ns
address ns.infra.mycorp.net
topic # both 0
```

Attach cheap ESP32-based vibration sensors to any bridge/rack; data is instantly bridged to the central broker for Grafana alerts with zero custom code.

---

### 20. **NetBird overlay network (Zero-config VPN mesh)**

**Binary:**

```bash
curl -fsSL https://get.netbird.io/install.sh | sh
```

**Config:** `/etc/netbird/config.json` (auto-generated on `netbird up --setup-key …`)

Gives every node a stable 100.64.0.0/10 address and WireGuard-grade crypto without managing keys or firewall rules.

---

### 21. **Single-binary DERP map for Tailscale / Headscale**

**Binary:** none (built into `tailscale`)

**Config:** `/etc/headscale/derp.yaml`

```yaml
regions:
  900:
    regionid: 900
    regioncode: "infra"
    regionname: "infra"              # headscale's sample derp.yaml carries both code and name
    nodes:
      - name: ns
        regionid: 900
        hostname: ns.infra.mycorp.net  # the relay's TLS name, what clients actually dial
        ipv4: 10.0.255.1
```

Provides an internal relay when direct WireGuard hole-punch fails.

---

### 22. **OSQuery fleet launcher**

**Binary:** `apt install osquery`

**Config:** `/etc/osquery/osquery.conf` (single JSON file)

```json
{
  "schedule": {
    "listen_ports": {
      "query": "select * from listening_ports;",
      "interval": 300
    }
  }
}
```

Ship logs to the central syslog server already running on `ns.infra.mycorp.net`.

---

### 23. **Immutable firmware OSTree mirror**

**Binary:** `apt install ostree`

**Config:** systemd timer drop-in `/etc/systemd/system/ostree-mirror.timer`

```ini
# fires the matching ostree-mirror.service (same unit name) every Saturday night
[Timer]
OnCalendar=Sat 02:00

[Install]
WantedBy=timers.target
```

Keeps a versioned `/srv/ostree` mirror of Fedora CoreOS / Ubuntu Core images for zero-touch edge rollbacks.

---

### 24. **Kuma / Uptime-Kuma “infra pulse”**

**Binary:** `docker run -d -p 3001:3001 louislam/uptime-kuma`

**Config:** web UI export → `/srv/kuma/config.json` (one click restore)

Monitors internal DNS, WireGuard gateways, and PXE endpoints from the same box.

---

### 25. **Local LLM “help-desk” API**

**Binary:**

```bash
# Ollama listens on 11434 inside the container; publish it on host port 8000 (the URL below).
# Host port 8000 is also taken by NetBox (#10) on the same box, so move one of the two.
docker run -d -p 8000:11434 --name ollama ollama/ollama
docker exec ollama ollama pull llama3.2
```

**Config:** single API call to `http://ns.infra.mycorp.net:8000/api/generate` gives chat-ops answers about your internal infra docs.

---

### 26. **SBOM & vuln-scanning pipeline**

**Binary:** `apt install syft grype`

**Config:** nightly systemd service `/etc/systemd/system/sbom-scan.service`

```ini
[Service]
Type=oneshot
# ExecStart is not a shell: the pipe only works when wrapped in sh -c
ExecStart=/bin/sh -c '/usr/bin/syft /var/lib/docker -o json | /usr/bin/grype'
```

Results land in the same syslog endpoint.

---

### 27. **Geo-replicated S3-compatible “cold” storage**

**Binary:**

```bash
# --env-file applies the credentials below; the bind mount makes /srv/backup the bucket store
docker run -d -p 9000:9000 -p 9001:9001 --env-file /etc/default/minio -v /srv/backup:/data minio/minio server /data --console-address ":9001"
```

**Config:** single env file `/etc/default/minio`

```
MINIO_ROOT_USER=admin
# generate the secret (e.g. openssl rand -base64 32); never keep a cheat-sheet literal
MINIO_ROOT_PASSWORD=<long-random-secret>
```

Mount `/srv/backup` for immutable backups of WireGuard keys, NetBox DB, etc.

---

### 28. **AI-driven energy-optimiser for server racks**

**Binary:** `apt install influxdb2 telegraf`

**Config:** `/etc/telegraf/telegraf.conf` (one input + one output)

```toml
[[inputs.ipmi_sensor]]
[[outputs.influxdb_v2]]
  urls = ["http://ns.infra.mycorp.net:8086"]
  token = "${INFLUX_TOKEN}"   # telegraf expands env vars, so the token stays out of the file
  organization = "infra"      # placeholder org and bucket; create them in InfluxDB 2 first
  bucket = "telegraf"
```

Grafana AI plugin suggests fan-curve tweaks that cut power 8–12 %.

---

### 29. **Single-sign-on portal (SSO)**

**Binary:**

```bash
# Authelia's container listens on 9091 (host 9000 is already MinIO's, see #27);
# the bind mount is where the configuration.yml below lives on the host
docker run -d -p 9091:9091 -v /srv/authelia:/config authelia/authelia
```

**Config:** `/config/configuration.yml` (single YAML) gives LDAP-less 2-factor auth in front of NetBox, Uptime-Kuma, phpIPAM, etc.

---

### 30. **Satellite imagery coastal-watch cron**

**Binary:** `apt install awscli`

**Config:** `/etc/systemd/system/coastal-watch.service`

```ini
[Service]
Type=oneshot
# --include only narrows a preceding --exclude; without --exclude "*" the whole bucket syncs
ExecStart=/usr/bin/aws s3 sync s3://sentinel-s2-l2a /srv/sat --no-sign-request --exclude "*" --include "*T10*/*B02.jp2"
```

Feed into the same MQTT bus (#19) for AI flood-risk scoring.

---
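For section 22, an added example that is not part of the original cheat-sheet: osquery runs the `listen_ports` schedule in differential mode, so each result line carries `"action": "added"` or `"removed"`. This Python filter reads those lines (from `osqueryd.results.log` or the same records forwarded by the syslog logger) and raises an alert for any new non-loopback listener outside a baseline built from the cheat-sheet's own services. WireGuard on the default 51820/udp is an assumption, and the sample lines are constructed.

```python
import json

TCP, UDP = "6", "17"  # osquery gives the IP protocol number, as a string
# Listeners this box is expected to have, derived from the cheat-sheet services
# (WireGuard on the default 51820/udp is an assumption; match it to wg0.conf).
EXPECTED = {
    (UDP, "123"),    # 1 chrony
    (TCP, "514"),    # 2 rsyslog collector
    (UDP, "5353"),   # 3 avahi reflector
    (UDP, "69"),     # 4 dnsmasq TFTP
    (UDP, "51820"),  # 5 WireGuard hub
    (TCP, "9100"),   # 6 node exporter
    (TCP, "1883"),   # 19 mosquitto
}
LOOPBACK = {"127.0.0.1", "::1"}


def new_listeners(lines: list[str]) -> list[dict]:
    """Return one alert per socket that osquery reports as newly listening
    (differential 'added' rows of the listen_ports schedule) and that is both
    reachable from the VLANs (not loopback-bound) and outside the baseline."""
    alerts = []
    for line in filter(None, map(str.strip, lines)):
        rec = json.loads(line)
        if rec.get("name") != "listen_ports" or rec.get("action") != "added":
            continue  # other queries, or sockets that went away
        col = rec["columns"]
        if col.get("address") in LOOPBACK or (col["protocol"], col["port"]) in EXPECTED:
            continue
        alerts.append({"host": rec.get("hostIdentifier", "?"),
                       "proto": "tcp" if col["protocol"] == TCP else "udp",
                       "port": col["port"], "pid": col.get("pid", "?"),
                       "path": col.get("path", "")})
    return alerts


# Constructed sample of result-log lines (real ones carry more fields).
SAMPLE = """
{"name":"listen_ports","hostIdentifier":"ns","action":"added","columns":{"pid":"612","port":"514","protocol":"6","address":"0.0.0.0","path":"/usr/sbin/rsyslogd"}}
{"name":"listen_ports","hostIdentifier":"ns","action":"added","columns":{"pid":"901","port":"8080","protocol":"6","address":"127.0.0.1","path":"/usr/bin/python3"}}
{"name":"listen_ports","hostIdentifier":"ns","action":"added","columns":{"pid":"1337","port":"4444","protocol":"6","address":"0.0.0.0","path":"/tmp/updater"}}
{"name":"listen_ports","hostIdentifier":"ns","action":"removed","columns":{"pid":"222","port":"2222","protocol":"6","address":"0.0.0.0","path":"/usr/sbin/sshd"}}
"""

if __name__ == "__main__":
    for a in new_listeners(SAMPLE.splitlines()):
        print(f"ALERT {a['host']} {a['proto']}/{a['port']} pid={a['pid']} path={a['path']}")
```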
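For section 26, another added example that is not from the page: the nightly unit leaves grype's JSON on stdout, and this Python helper turns each match into one key=value line for the rsyslog collector and returns the pass/fail verdict the oneshot service can exit with (findings without a fixed version are logged but not blocking). The report below is a constructed stub and its CVE ids are placeholders, not real advisories.

```python
import json

SEVERITY_RANK = {"Negligible": 0, "Unknown": 1, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def findings_to_syslog(grype_json: str, tag: str = "sbom-scan") -> list[str]:
    """One key=value line per grype match, in a shape rsyslog and Grafana/Loki can
    index; pipe them through `logger -t sbom-scan` to reach the collector."""
    lines = []
    for m in json.loads(grype_json).get("matches", []):
        v, a = m["vulnerability"], m["artifact"]
        fixed_in = ",".join(v.get("fix", {}).get("versions", [])) or "none"
        lines.append(f"{tag}: vuln={v['id']} severity={v.get('severity', 'Unknown')} "
                     f"pkg={a['name']} version={a['version']} type={a.get('type', '?')} "
                     f"fixed_in={fixed_in}")
    return lines


def gate(grype_json: str, fail_on: str = "High") -> bool:
    """True when nothing at or above `fail_on` has a fix available.  Unfixed
    findings are logged but not blocking: there is no package to upgrade to yet."""
    threshold = SEVERITY_RANK[fail_on]
    for m in json.loads(grype_json).get("matches", []):
        v = m["vulnerability"]
        if (SEVERITY_RANK.get(v.get("severity", "Unknown"), 1) >= threshold
                and v.get("fix", {}).get("state") == "fixed"):
            return False
    return True


# Constructed stub of grype's JSON report; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"versions": ["1.2.3-1+deb12u1"], "state": "fixed"}},
     "artifact": {"name": "libexample", "version": "1.2.3-1", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "otherpkg", "version": "0.9", "type": "deb"}},
]})

if __name__ == "__main__":
    print("\n".join(findings_to_syslog(SAMPLE_REPORT)))
    raise SystemExit(0 if gate(SAMPLE_REPORT) else 1)  # non-zero exit marks the unit failed
```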