the_information_nexus/tech_docs/single-box.md
2025-08-04 01:25:11 -05:00


Low-hanging fruit that fit the symmetry aesthetic and cost ≤ 1 extra binary / 1 config file each:

🧩 Core Services (≤ 1 binary / ≤ 1 file)

| # | Service | One-line install | Single-file config snippet |
|---|---------|------------------|----------------------------|
| 1 | NTP + PTP | `apt install chrony` | `/etc/chrony/chrony.conf`: `allow 10.0.0.0/16` |
| 2 | Central syslog | `apt install rsyslog` | `/etc/rsyslog.d/10-remote.conf`: `*.* @@ns.infra.mycorp.net:514` |
| 3 | mDNS repeater | `apt install avahi-daemon` | `/etc/avahi/avahi-daemon.conf`: `enable-reflector=yes` |
| 4 | TFTP / PXE | (none) | `/etc/dnsmasq.d/30-pxe.conf`: `dhcp-option=66,10.0.255.1` |
| 5 | WireGuard hub | `apt install wireguard` | `/etc/wireguard/wg0.conf` (single key pair) |
| 6 | Prometheus exporter | `apt install prometheus-node-exporter` | (none) |
| 7 | ZTP for switches | (reuse TFTP) | `/etc/dnsmasq.d/40-ztp.conf`: `dhcp-match=set:ztp,…` |
| 8 | Split-horizon DNS | `apt install unbound` | `/etc/unbound/unbound.conf.d/20-split.conf` |
| 9 | APT cache | `apt install apt-cacher-ng` | `/etc/apt-cacher-ng/zzz-custom.conf`: `PassThroughPattern: .*` |
| 10 | NetBox inventory | `docker run -d -p 8000:8080 netboxcommunity/netbox` | (container = config) |
| 11 | Git-ops configs | `apt install etckeeper` | `/etc/etckeeper/etckeeper.conf` |
| 12 | 802.1X wired auth | `apt install hostapd` | `/etc/hostapd/wired.conf` |
| 13 | Firmware mirror | `apt install rsync` | systemd timer drop-in |
| 14 | Internal pastebin | `docker run -d -p 7777:7777 haste-server` | (container = config) |
| 15 | Internal ACME CA | `step ca init …` | `/etc/step-ca/config/ca.json` |
| 16 | Phone VLAN via DHCP opt 43 | (none) | `/etc/dnsmasq.d/50-voip.conf` |
| 17 | Tiny IPAM (phpipam) | `docker run … phpipam` | nginx location block |
| 18 | DNS sinkhole | `curl -sSL https://install.pi-hole.net \| bash` | |

  1. NTP + PTP (time symmetry)

    apt install chrony
    echo "allow 10.0.0.0/16" >> /etc/chrony/chrony.conf
    systemctl enable --now chrony
    

    Clients in every subnet now sync to one source, the box itself (ns.infra.mycorp.net), so their clocks agree with each other. The stratum they see is the box's own stratum plus one, so give the box a real upstream (server lines, or a GPS/PPS refclock if it is meant to be stratum 1). The allow line only lets hosts in 10.0.0.0/16 query the server; requests from outside that range are not answered.

  2. Central syslog + logrotate (single pane)

    apt install rsyslog
    echo '*.info @@ns.infra.mycorp.net:514' >> /etc/rsyslog.d/10-remote.conf
    systemctl restart rsyslog
    

    One file on each client, and its logs flow to the box over TCP 514 (@@ is TCP; a single @ would be UDP, which drops lines under load). The box itself needs the receiving side switched on in its own drop-in: load the imtcp module and add an input on port 514. Plain syslog carries no authentication, so restrict port 514 to the internal ranges with the firewall.

  3. mDNS repeater (Bonjour across VLANs)

    apt install avahi-daemon avahi-utils
    sed -i 's/#enable-reflector=no/enable-reflector=yes/' /etc/avahi/avahi-daemon.conf
    systemctl enable --now avahi-daemon
    

    Ensures printer-01 (its mDNS name, printer-01.local) is discoverable from the dmz VLAN as well. The reflector copies every mDNS record between all interfaces avahi listens on, so if the DMZ should not learn about LAN services, set allow-interfaces= in the same file to just the VLANs that should share discovery.

  4. TFTP/PXE “boot farm” (one-line DHCP option)
    Add to /etc/dnsmasq.d/30-pxe.conf:

    enable-tftp                 # dnsmasq also serves the files; without this option 66 points at nothing
    tftp-root=/srv/tftp         # assumed path; pxelinux.0 and the images live here
    dhcp-option=66,10.0.255.1   # TFTP server
    dhcp-option=67,pxelinux.0
    

    Net-install any OS from the same box. TFTP has no authentication, so anything under the TFTP root is handed to any host that can DHCP on those VLANs; keep only images you intend to boot there.

  5. WireGuard hub (one interface, one key pair)

    apt install wireguard
    umask 077                     # the private key must not be world-readable
    wg genkey | tee /etc/wireguard/wg0.key | wg pubkey > /etc/wireguard/wg0.pub
    

    Tunnel address: 10.254.0.0/24 (mirrors the 10.0.x.0/24 pattern).
    Add peers as [Peer] blocks in the single /etc/wireguard/wg0.conf, each with AllowedIPs limited to that peer's /32 so one peer cannot claim another's tunnel address.

  6. Prometheus node exporter (metrics symmetry)

    apt install prometheus-node-exporter
    systemctl enable --now prometheus-node-exporter
    

    Metrics reachable at http://ns.infra.mycorp.net:9100/metrics. The exporter listens on every interface with no authentication of its own, so firewall 9100 to the Prometheus scraper, or bind it to the management address with --web.listen-address in ARGS in /etc/default/prometheus-node-exporter.
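The single wg0.conf of item 5 above, rendered from a small peer inventory. This is an added example, not code from the page: it assumes the hub address 10.254.0.1/24, UDP port 51820, and a peers file of name,public-key,tunnel-ip lines (the keys in the usage comment are placeholders, not real WireGuard keys). The points it makes concrete are that the private key never leaves a 0600 file and that every peer gets exactly one /32.

```shell
#!/usr/bin/env bash
# Added example, not from the page: render the hub's wg0.conf from a peer
# inventory so the private key is read from its 0600 file and the conf is
# written 0600 too. Assumptions: hub tunnel address 10.254.0.1/24 and UDP
# port 51820; PEERS_FILE holds one "name,public-key,tunnel-ip" per line.
set -euo pipefail

# render_wg_conf OUTFILE PRIVKEY_FILE PEERS_FILE
# Every peer gets AllowedIPs = <ip>/32: the hub routes exactly one address
# to each key, so no peer can claim another peer's tunnel address.
render_wg_conf() {
  local out=$1 keyfile=$2 peers=$3
  local name pub ip
  (
    umask 077                     # subshell: the conf holds the private key
    {
      printf '[Interface]\n'
      printf 'Address = 10.254.0.1/24\n'
      printf 'ListenPort = 51820\n'
      printf 'PrivateKey = %s\n' "$(cat "$keyfile")"
      while IFS=, read -r name pub ip; do
        [ -n "$name" ] || continue              # skip blank lines
        case $name in '#'*) continue ;; esac    # skip comment lines
        printf '\n# %s\n[Peer]\n' "$name"
        printf 'PublicKey = %s\n' "$pub"
        printf 'AllowedIPs = %s/32\n' "$ip"
      done < "$peers"
    } > "$out"
  )
}

# count_peers CONF -> number of [Peer] blocks written
count_peers() { grep -c '^\[Peer\]' "$1" || true; }

# Usage on the hub (keys generated as in item 5; peers.csv is the
# constructed inventory, e.g. "laptop,<peer-public-key>,10.254.0.2"):
#   render_wg_conf /etc/wireguard/wg0.conf /etc/wireguard/wg0.key /etc/wireguard/peers.csv
#   wg-quick up wg0
```

Peers still need their own side of the config (the hub's public key, Endpoint, and AllowedIPs = 10.254.0.0/24 or whatever they should reach); the renderer only covers the hub, which is the file this page keeps to one.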

Below is a lightweight, copy-paste-ready cheat-sheet that keeps to the same rule: each item costs at most one extra binary or one extra config file.
Everything is grouped by single-line install and single-file config so you can mix and match as your "infra-core" grows.


🛠️ Drop-in snippets

# 1-liner to add any snippet above (pin the gist to a commit hash in the raw/ URL and read it before running; sudo belongs on bash, not on curl)
curl -fsSL https://gist.githubusercontent.com/you/abc123/raw/add-chrony.sh | sudo bash

All snippets keep their config under /etc, so etckeeper commits the whole /etc tree to Git and a bad change rolls back with git checkout.


19. Real-time structural-monitoring MQTT bus

Binary: apt install mosquitto
Config: /etc/mosquitto/conf.d/10-bridge.conf on each edge broker (the box, ns, is the bridge target)

connection ns
address ns.infra.mycorp.net
topic # both 0

Attach cheap ESP32-based vibration sensors to any bridge/rack; their edge broker forwards everything to the central broker on the box, where Grafana alerts on it with no custom code. Two things the central broker needs first: a listener for remote clients (Mosquitto 2.x binds only to localhost until a listener line is configured) and credentials, since a VLAN-spanning bus should not run with allow_anonymous true; a password_file or TLS client certificates is enough, and the bridge stanza then carries remote_username and remote_password.


20. NetBird overlay network (Zero-config VPN mesh)

Binary:

curl -fsSL https://get.netbird.io/install.sh | sh

Config: /etc/netbird/config.json (auto-generated on netbird up --setup-key …)
Gives every node a stable 100.64.0.0/10 address and WireGuard crypto; the management server generates and distributes the peer keys, so there are none to manage by hand. Reachability between peers is still decided by the access policies defined on that management server, so set them before treating the mesh as zero-config.
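Three installers on this page are run straight from the network: the gist one-liner in the drop-in section, Pi-hole in #18, and NetBird just above. Each executes whatever the server returns at that moment. Added example, not from the page or from any of those projects: the same fetch done in two steps, with a pinned SHA-256 checked before anything runs. The gist URL and the hash in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the page: fetch an installer to a file, compare it
# with a pinned SHA-256, and only then hand it to bash. Replaces the
# "curl ... | sh" pattern used for the gist, Pi-hole and NetBird installers.
set -euo pipefail

# verify_sha256 FILE EXPECTED -> 0 if FILE's SHA-256 equals EXPECTED (hex), else 1
verify_sha256() {
  local file=$1 expected=$2 actual
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# verified_run URL EXPECTED [ARGS...]
# Downloads URL into a private temp dir (HTTPS only), verifies it, then runs
# it with ARGS. On mismatch nothing executes and the file is kept so the
# unexpected content can be inspected.
verified_run() {
  local url=$1 expected=$2
  shift 2
  local dir file
  dir=$(mktemp -d)
  file="$dir/installer.sh"
  (umask 077; curl -fsSL --proto '=https' --tlsv1.2 -o "$file" "$url")
  if ! verify_sha256 "$file" "$expected"; then
    echo "hash mismatch for $url; kept at $file for inspection" >&2
    return 1
  fi
  bash "$file" "$@"
  rm -rf "$dir"
}

# Usage (placeholders: pin the gist to a commit in the raw/ URL and record the
# hash of the script you actually reviewed):
#   verified_run https://gist.githubusercontent.com/you/abc123/raw/<commit>/add-chrony.sh \
#     0000000000000000000000000000000000000000000000000000000000000000
```

The hash has to come from a copy you read, not from the same server at the same time, or the check proves nothing; for NetBird and Pi-hole that means downloading the script once, reviewing it, recording its hash, and using that hash on every box.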


21. Single-binary DERP map for Tailscale / Headscale

Binary: derper (the DERP relay server from tailscale.com/cmd/derper; the tailscale client binary contains a DERP client, not the server)
Config: /etc/headscale/derp.yaml

regions:
  900:
    regionid: 900
    regioncode: "infra"
    regionname: "Infra"
    nodes:
      - name: ns
        regionid: 900
        hostname: ns.infra.mycorp.net
        ipv4: 10.0.255.1

Provides an internal relay when direct WireGuard NAT traversal fails. Point headscale's derp.paths at this file so clients receive the map, and give derper a certificate valid for ns.infra.mycorp.net (the internal ACME CA from #15 will do, with --certmode manual), because clients check the relay's TLS identity before using it.


22. OSQuery fleet launcher

Binary: apt install osquery
Config: /etc/osquery/osquery.conf (single JSON file)

{
  "options": {
    "logger_plugin": "syslog"
  },
  "schedule": {
    "listen_ports": {"query": "select * from listening_ports;", "interval": 300}
  }
}

With logger_plugin set to syslog, every scheduled result goes through the local rsyslog and on to the central collector (#2) with no extra daemon. Scheduled queries log differences by default, so what arrives is the change: a port that started listening on a host that had none is one line, not a dump.


23. Immutable firmware OSTree mirror

Binary: apt install ostree
Config: systemd timer /etc/systemd/system/ostree-mirror.timer (a unit of its own, plus the ostree-mirror.service it starts, which runs ostree pull --mirror into /srv/ostree)

[Timer]
OnCalendar=Sat 02:00
Persistent=true

[Install]
WantedBy=timers.target

Keeps a versioned /srv/ostree mirror of Fedora CoreOS and other OSTree-based images for zero-touch edge rollbacks (Ubuntu Core is snap-based, not OSTree, so it does not belong here). Clients verify commit signatures against the upstream GPG key, so the mirror only has to be reachable, not trusted.


24. Kuma / Uptime-Kuma “infra pulse”

Binary: docker run -d -p 3001:3001 -v /srv/kuma:/app/data louislam/uptime-kuma
Config: web UI export → /srv/kuma/config.json (one-click restore); the SQLite data lives in /app/data inside the container, so the volume mount above is what actually survives a container replacement.
Monitors internal DNS, WireGuard gateways, and PXE endpoints from the same box.


25. Local LLM “help-desk” API

Binary:

docker run -d -p 11434:11434 --name ollama ollama/ollama
docker exec ollama ollama pull llama3.2

Config: none beyond that; a single API call to http://ns.infra.mycorp.net:11434/api/generate (Ollama's default port) gives chat-ops answers. Answers about your own infra docs need a retrieval step that puts the relevant NetBox or etckeeper content into the prompt; the model alone knows nothing about your network. The API has no authentication, so bind 11434 to the internal interface or front it with the SSO portal (#29).


26. SBOM & vuln-scanning pipeline

Binary: syft and grype (single static binaries from their GitHub releases; neither is in Debian's apt, so install the release tarball or the vendor script after checking its hash)
Config: nightly systemd service /etc/systemd/system/sbom-scan.service

[Service]
Type=oneshot
# ExecStart gets no shell, so the pipe needs an explicit sh -c, and "$$" is how a
# literal "$" reaches sh. syft wants an image (or directory) source, not docker's
# internal /var/lib/docker layout, so each local image is scanned in turn.
ExecStart=/bin/sh -c 'for i in $$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "<none>"); do /usr/bin/syft "docker:$$i" -o json | /usr/bin/grype; done'

Results land in the same syslog endpoint: the unit's stdout goes to the journal, and rsyslog (#2) forwards it.
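The same nightly scan as a script the service could call instead of the inline sh -c. Added here, not the page's own code; it assumes syft, grype, docker and logger on PATH, and the JSON shape in the count_severity comment is a constructed sample of grype's output. It goes beyond the unit above by keeping one JSON report per image and sending a one-line severity summary per image to syslog, so the central collector sees numbers rather than a blob.

```shell
#!/usr/bin/env bash
# Added example, not from the page: nightly SBOM + vulnerability scan as a
# script for sbom-scan.service to call. Assumes syft, grype, docker and
# logger are on PATH. Each image is scanned on its own, the grype report is
# kept as JSON, and one summary line per image goes to syslog.
set -euo pipefail

# count_severity GRYPE_JSON LEVEL -> number of findings at LEVEL
# grype's JSON carries "severity": "<Level>" inside each match's
# vulnerability object; related-vulnerability entries carry one too, so
# this is an upper bound, which is fine for a summary line.
count_severity() {
  local file=$1 level=$2
  grep -o "\"severity\": *\"$level\"" "$file" | wc -l || true
}

# scan_image IMAGE OUTDIR -> writes OUTDIR/<image>.json; returns 2 on any
# Critical finding, 1 on any High, 0 otherwise.
scan_image() {
  local image=$1 outdir=$2 report crit high
  report="$outdir/$(printf '%s' "$image" | tr '/:' '__').json"
  syft "docker:$image" -o json | grype -o json > "$report"
  crit=$(count_severity "$report" Critical)
  high=$(count_severity "$report" High)
  logger -t sbom-scan "image=$image critical=$crit high=$high report=$report"
  if [ "$crit" -gt 0 ]; then return 2; fi
  if [ "$high" -gt 0 ]; then return 1; fi
  return 0
}

# scan_all OUTDIR -> scans every tagged local image; exit status is the
# worst seen, so the systemd unit shows as failed when anything Critical exists.
scan_all() {
  local outdir=$1 worst=0 rc image
  mkdir -p "$outdir"
  for image in $(docker images --format '{{.Repository}}:{{.Tag}}' | grep -v '<none>' || true); do
    rc=0
    scan_image "$image" "$outdir" || rc=$?
    if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
  done
  return "$worst"
}

# Usage: source this file from the unit's ExecStart wrapper, then
#   scan_all /var/lib/sbom-scan      # assumed report directory
```

The exit code is what makes the unit useful: a Critical finding turns the oneshot unit red in systemctl and the journal line carries the image name, which is the alert a single-box setup can act on without another daemon.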


27. Geo-replicated S3-compatible “cold” storage

Binary: docker run -d -p 9000:9000 -p 9001:9001 --env-file /etc/default/minio -v /srv/backup:/data minio/minio server /data --console-address ":9001"
Config: single env file /etc/default/minio (mode 0600; the root credentials live here and the container only sees them through --env-file)

MINIO_ROOT_USER=admin
MINIO_ROOT_PASSWORD=<long random secret, not a dictionary word>

Mount /srv/backup for backups of WireGuard keys, NetBox DB, etc. Immutability is not the default: create the backup bucket with object locking enabled and set a retention rule, otherwise a compromised client holding the root key can delete what it uploaded. One box is one site; the geo-replicated part is MinIO's site replication to a second deployment elsewhere.


28. AI-driven energy-optimiser for server racks

Binary: apt install influxdb2 telegraf
Config: /etc/telegraf/telegraf.conf (one input + one output; InfluxDB 2 requires a token, organization and bucket on the output, and the token should be write-only and scoped to that bucket)

[[inputs.ipmi_sensor]]
[[outputs.influxdb_v2]]
  urls = ["http://ns.infra.mycorp.net:8086"]
  token = "$INFLUX_TOKEN"        # read from telegraf's environment, not committed with the file
  organization = "infra"         # assumed names
  bucket = "racks"

Grafana's AI plugin suggests fan-curve tweaks that cut power 8–12 %.


29. Single-sign-on portal (SSO)

Binary: docker run -d -p 9091:9091 -v /etc/authelia:/config authelia/authelia
Config: /etc/authelia/configuration.yml (single YAML, mounted as /config inside the container; Authelia listens on 9091 by default, and 9000 would clash with MinIO in #27) gives LDAP-less 2-factor auth in front of NetBox, Uptime-Kuma, phpIPAM, etc.


30. Satellite imagery coastal-watch cron

Binary: apt install awscli
Config: /etc/systemd/system/coastal-watch.service

[Service]
Type=oneshot
# --include on its own changes nothing; exclude everything first, then re-include the tiles wanted
ExecStart=/usr/bin/aws s3 sync s3://sentinel-s2-l2a /srv/sat --no-sign-request --exclude "*" --include "*T10*/*B02.jp2"

Feed into the same MQTT bus (#19) for AI flood-risk scoring.