Low-hanging fruit that **fit the symmetry aesthetic** and **cost ≤ 1 extra binary / 1 config file each**:

1. NTP + PTP (time symmetry)

   ```
   apt install chrony
   # let clients in 10.0.0.0/16 query this server
   echo "allow 10.0.0.0/16" >> /etc/chrony/chrony.conf
   systemctl enable --now chrony
   ```

   Clients in every subnet now get the *same* stratum-1 time source (`ns.infra.mycorp.net`).

2. Central syslog + logrotate (single pane)

   ```
   apt install rsyslog
   # @@ forwards over TCP (a single @ would be UDP)
   echo '*.info @@ns.infra.mycorp.net:514' >> /etc/rsyslog.d/10-remote.conf
   systemctl restart rsyslog
   ```

   One file, logs flow to the host itself—no extra daemons.

3. mDNS repeater (Bonjour across VLANs)

   ```
   apt install avahi-daemon avahi-utils
   sed -i 's/#enable-reflector=no/enable-reflector=yes/' /etc/avahi/avahi-daemon.conf
   systemctl enable --now avahi-daemon
   ```

   Ensures `printer-01.lan.mycorp.net` is discoverable from `dmz.mycorp.net`.

4. TFTP/PXE “boot farm” (one-line DHCP option)

   Add to `/etc/dnsmasq.d/30-pxe.conf`:

   ```
   dhcp-option=66,10.0.255.1 # TFTP server
   dhcp-option=67,pxelinux.0
   ```

   Net-install any OS from the same box.

5. WireGuard hub (one interface, one key pair)

   ```
   apt install wireguard
   # create the key files with mode 0600 so the private key is not world-readable
   umask 077
   wg genkey | tee /etc/wireguard/wg0.key | wg pubkey > /etc/wireguard/wg0.pub
   ```

   Tunnel address: `10.254.0.0/24` (mirrors `10.0.x.0/24` pattern). Add peer configs via a **single** `/etc/wireguard/wg0.conf`.

6. Prometheus node exporter (metrics symmetry)

   ```
   apt install prometheus-node-exporter
   systemctl enable --now prometheus-node-exporter
   ```

   Metrics reachable at `http://ns.infra.mycorp.net:9100/metrics`.

Pick **any two** without breaking the “single-box, single-file” rule.
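For item 5, one way to keep every peer in the single `/etc/wireguard/wg0.conf` is sketched below. This is an added example, not part of the original text: the hub address `10.254.0.1`, port `51820`, the `PostUp` key loading and the helper names `init_hub_conf`, `next_peer_ip` and `add_peer` are assumptions.

```shell
#!/bin/sh
# Added example: manage peers in the one hub file from item 5.
# Assumed (not from the page): hub is .1, port 51820, helper names.
WG_NET="10.254.0"                    # tunnel /24 from the page
WG_KEY="/etc/wireguard/wg0.key"      # private key file from the page

# Print a fresh hub config. The private key is loaded from the key file
# when the interface comes up, so it is never copied into wg0.conf.
init_hub_conf() {
    cat <<EOF
[Interface]
Address = ${WG_NET}.1/24
ListenPort = 51820
PostUp = wg set %i private-key ${WG_KEY}
EOF
}

# Print the lowest unused host address (.2 to .254) in the given config.
next_peer_ip() {
    local conf="$1" i=2
    while [ "$i" -le 254 ]; do
        if ! grep -qxF "AllowedIPs = ${WG_NET}.${i}/32" "$conf"; then
            echo "${WG_NET}.${i}"; return 0
        fi
        i=$((i + 1))
    done
    return 1   # address pool exhausted
}

# Append a [Peer] block and print the address it was given. Each peer gets
# exactly one /32, so the hub drops packets a peer sends from any other
# tunnel address.
add_peer() {
    local conf="$1" pub="$2" ip
    # Format check only: 32-byte keys encode to 43 base64 chars plus '='.
    printf '%s' "$pub" | grep -Eq '^[A-Za-z0-9+/]{43}=$' \
        || { echo "invalid public key" >&2; return 2; }
    grep -qxF "PublicKey = ${pub}" "$conf" \
        && { echo "peer already present" >&2; return 3; }
    ip=$(next_peer_ip "$conf") || { echo "no free address" >&2; return 4; }
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$pub" "$ip" >> "$conf"
    echo "$ip"
}
```

Run `init_hub_conf > /etc/wireguard/wg0.conf` once, then `add_peer /etc/wireguard/wg0.conf <peer public key>` for each client and use the printed address in that client's own config.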