the_information_nexus/tech_docs/single-box.md
2025-08-04 01:25:11 -05:00



Low-hanging fruit that **fit the symmetry aesthetic** and **cost ≤ 1 extra binary / 1 config file each**:
## 🧩 **Core Services (≤ 1 binary / ≤ 1 file)**
| # | Service | One-line install | Single-file config snippet |
|---|---------|------------------|----------------------------|
| 1 | **NTP + PTP** | `apt install chrony` | `/etc/chrony/chrony.conf`: `allow 10.0.0.0/16` |
| 2 | **Central syslog** | `apt install rsyslog` | `/etc/rsyslog.d/10-remote.conf`: `*.* @@ns.infra.mycorp.net:514` |
| 3 | **mDNS repeater** | `apt install avahi-daemon` | `/etc/avahi/avahi-daemon.conf`: `enable-reflector=yes` |
| 4 | **TFTP / PXE** | *(none, reuses dnsmasq)* | `/etc/dnsmasq.d/30-pxe.conf`: `enable-tftp` + `dhcp-option=66,10.0.255.1` |
| 5 | **WireGuard hub** | `apt install wireguard` | `/etc/wireguard/wg0.conf` *(one hub key pair; one `[Peer]` per client)* |
| 6 | **Prometheus exporter** | `apt install prometheus-node-exporter` | *(none)* |
| 7 | **ZTP for switches** | *(reuse TFTP)* | `/etc/dnsmasq.d/40-ztp.conf`: `dhcp-match=set:ztp,…` |
| 8 | **Split-horizon DNS** | `apt install unbound` | `/etc/unbound/unbound.conf.d/20-split.conf` |
| 9 | **APT cache** | `apt install apt-cacher-ng` | `/etc/apt-cacher-ng/zzz-custom.conf`: `PassThroughPattern: .*` |
|10 | **NetBox inventory** | `docker run -d -p 8000:8080 netboxcommunity/netbox` | *(container = config; needs Postgres + Redis beside it)* |
|11 | **Git-ops configs** | `apt install etckeeper` | `/etc/etckeeper/etckeeper.conf` |
|12 | **802.1X wired auth** | `apt install hostapd` | `/etc/hostapd/wired.conf` *(`driver=wired`)* |
|13 | **Firmware mirror** | `apt install rsync` | systemd timer drop-in |
|14 | **Internal pastebin** | `docker run -d -p 7777:7777 haste-server` | *(container = config)* |
|15 | **Internal ACME CA** | `step ca init …` | `/etc/step-ca/config/ca.json` |
|16 | **Phone VLAN via DHCP opt 43** | *(none)* | `/etc/dnsmasq.d/50-voip.conf` |
|17 | **Tiny IPAM (phpipam)** | `docker run … phpipam` | nginx location block |
|18 | **DNS sinkhole** | `curl -sSL https://install.pi-hole.net \| bash` | `/etc/pihole/setupVars.conf` |

Two things to settle before copy-pasting: rows 4, 8 and 18 all want port 53 (dnsmasq, unbound, and Pi-hole's `pihole-FTL`, which embeds dnsmasq), so on one box only one of them can be the resolver on 53 and the others hang off it (Pi-hole forwarding to unbound on `127.0.0.1:5335` is the common arrangement). And row 18's `curl … | bash` executes unreviewed remote code as root; download the installer, read it, then run it.
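Because every row publishes into one host's port space, the first check worth scripting is a collision audit. The script below is an added example, not tooling from the page: it parses `-p`/`--publish` specs from constructed docker run lines written in the table's style (two of them deliberately reuse a host port already taken) and merges them with the well-known ports of the native daemons, reporting any (port, protocol) pair claimed more than once. The native port list is an assumption based on the daemons' defaults.

```python
"""Host-port collision check for a single-box deployment.

Added example, not the page's own tooling. Every `docker run -p` and every
native daemon on the box publishes into one port space, so two rows that pick
the same host port silently fight for it. The inputs below are constructed
samples in the page's style; two of the docker lines deliberately reuse a port.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

DOCKER_RUNS: Dict[str, str] = {
    "netbox": "docker run -d -p 8000:8080 netboxcommunity/netbox",
    "haste": "docker run -d -p 7777:7777 haste-server",
    "uptime-kuma": "docker run -d -p 3001:3001 louislam/uptime-kuma",
    "ollama": "docker run -d -p 8000:8000 --name ollama ollama/ollama",
    "minio": 'docker run -d -p 9000:9000 -p 9001:9001 minio/minio server /data --console-address ":9001"',
    "authelia": "docker run -d -p 9000:9000 authelia/authelia",
}

# Assumed well-known listeners of the native daemons (port, proto).
# 69/udp appears only once enable-tftp is set in dnsmasq.
NATIVE_LISTENERS: Dict[str, List[Tuple[int, str]]] = {
    "chrony": [(123, "udp")],
    "rsyslog": [(514, "tcp")],
    "dnsmasq": [(53, "udp"), (53, "tcp"), (67, "udp"), (69, "udp")],
    "unbound": [(53, "udp"), (53, "tcp")],
    "pihole-FTL": [(53, "udp"), (53, "tcp"), (80, "tcp")],
    "wireguard": [(51820, "udp")],
    "node-exporter": [(9100, "tcp")],
    "mosquitto": [(1883, "tcp")],
}

# Matches "-p SPEC", "-p=SPEC", "--publish SPEC" and "--publish=SPEC".
_PUBLISH_FLAG = re.compile(r"(?:^|\s)(?:-p|--publish)[ =](\S+)")


def published_ports(docker_run: str) -> List[Tuple[int, str, str]]:
    """(host_port, proto, bind_ip) for each -p/--publish in a docker run line."""
    out: List[Tuple[int, str, str]] = []
    for spec in _PUBLISH_FLAG.findall(docker_run):
        spec, _, proto = spec.partition("/")
        parts = spec.rsplit(":", 2)  # [ip:]host[:container]; IPv6 ip stays bracketed
        if len(parts) == 3:
            bind_ip, host = parts[0], parts[1]
        elif len(parts) == 2:
            bind_ip, host = "0.0.0.0", parts[0]
        else:
            continue  # container-only spec: docker picks a random host port
        out.append((int(host), proto or "tcp", bind_ip))
    return out


def collisions(docker_runs: Dict[str, str],
               native: Dict[str, List[Tuple[int, str]]]) -> Dict[Tuple[int, str], List[str]]:
    """Map (port, proto) -> owners, keeping only entries claimed more than once."""
    owners: Dict[Tuple[int, str], List[str]] = defaultdict(list)
    for name, cmd in docker_runs.items():
        for port, proto, _bind in published_ports(cmd):
            owners[(port, proto)].append(name)
    for name, listeners in native.items():
        for port, proto in listeners:
            owners[(port, proto)].append(name)
    return {key: names for key, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    for (port, proto), names in sorted(collisions(DOCKER_RUNS, NATIVE_LISTENERS).items()):
        print(f"{port}/{proto}: {', '.join(names)}")
```

Run it against the real command lines before `docker run`; anything it prints is a port that will be taken by whichever service starts first after a reboot, which is the kind of fault that only shows up at 02:00 on a Saturday.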
---
1. NTP + PTP (time symmetry)
```
apt install chrony
echo "allow 10.0.0.0/16" >> /etc/chrony/chrony.conf   # serve NTP to the LAN only
systemctl enable --now chrony
chronyc sources -v                                      # confirm upstream sync before clients point here
```
Clients in every subnet now sync to the *same* source (`ns.infra.mycorp.net`). `allow` only authorizes clients; the box keeps using the `pool`/`server` lines in the stock `chrony.conf` upstream, so it serves one stratum below those, not stratum 1, unless you give it a reference clock (a GPS or a PTP hardware clock via `refclock PHC /dev/ptp0`, which is also the only part of this row that is actually PTP).
2. Central syslog + logrotate (single pane)
```
apt install rsyslog
# on ns: accept TCP 514 from the LAN (firewall it to 10.0.0.0/16)
printf 'module(load="imtcp")\ninput(type="imtcp" port="514")\n' > /etc/rsyslog.d/10-remote.conf
# on every other host: forward (@@ = TCP, @ = UDP)
echo '*.info @@ns.infra.mycorp.net:514' >> /etc/rsyslog.d/10-remote.conf
systemctl restart rsyslog
```
One file per side; `rsyslog` already writes the local files and Debian's stock `logrotate` config rotates them, so no extra daemons. Plain TCP syslog is neither authenticated nor encrypted: keep it inside the LAN/WireGuard range, or enable rsyslog's `gtls` netstream driver on both ends.
3. mDNS repeater (Bonjour across VLANs)
```
apt install avahi-daemon avahi-utils
sed -i 's/#enable-reflector=no/enable-reflector=yes/' /etc/avahi/avahi-daemon.conf
# reflect only between the VLANs that should see each other (interface names are examples)
sed -i '/^\[server\]/a allow-interfaces=lan0,voip0' /etc/avahi/avahi-daemon.conf
systemctl enable --now avahi-daemon
```
Ensures `printer-01.local` (mDNS names live under `.local`, not under `mycorp.net`) is discoverable from the other office VLANs. Without `allow-interfaces` the reflector copies every multicast announcement onto every interface, a DMZ included, which both leaks internal host names outward and lets DMZ hosts advertise fake services inward.
4. TFTP/PXE “boot farm” (one-line DHCP option)
Add to `/etc/dnsmasq.d/30-pxe.conf` (option 66 is the next-server, 67 the boot file; `dhcp-boot=pxelinux.0,,10.0.255.1` is the dnsmasq-native spelling of the pair):
```
enable-tftp
tftp-root=/srv/tftp
dhcp-option=66,10.0.255.1
dhcp-option=67,pxelinux.0
```
Net-install any OS from the same box. The two options alone only *point* clients at a TFTP server; `enable-tftp` is what makes dnsmasq serve one, `pxelinux.0` comes from the `pxelinux` package, and dnsmasq does not parse trailing `#` comments, so keep them on their own lines or the comment becomes part of the option value. Add `tftp-secure` so only files owned by the dnsmasq user are served, and remember that PXE trusts whoever answers DHCP first on that VLAN, so keep 802.1X (row 12) on the ports that net-boot.
5. WireGuard hub (one interface, one key pair)
```
apt install wireguard
# umask 077: the private key file must never be group- or world-readable
(umask 077; wg genkey | tee /etc/wireguard/wg0.key | wg pubkey > /etc/wireguard/wg0.pub)
```
Tunnel address: `10.254.0.0/24` (mirrors `10.0.x.0/24` pattern).
Add peer configs via a **single** `/etc/wireguard/wg0.conf`: one `[Peer]` block per client, each client with its own key pair and `AllowedIPs = 10.254.0.N/32`. On the hub, `AllowedIPs` is the cryptokey routing table, i.e. both the route *to* that peer and the set of source addresses accepted *from* its key, so a /32 per peer is the access control; widen it only for a peer that genuinely routes a site LAN.
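The audit below is an added example, not code from the page: it parses a constructed hub `wg0.conf` (placeholder keys, the page's `10.254.0.0/24` tunnel range) and flags any peer whose AllowedIPs is wider than a single tunnel address, lies outside the tunnel range, or overlaps another peer, which on a hub is exactly an impersonation path. The `site_prefixes` allowlist is a hypothetical knob for the one peer that legitimately routes a branch LAN.

```python
"""Audit the cryptokey-routing table of a WireGuard hub's wg0.conf.

Added example, not the page's own code. On a hub, each [Peer]'s AllowedIPs is
both the route to that peer and the set of source addresses the hub accepts
from its key, so a peer handed 10.0.0.0/16 can impersonate the whole LAN.
The sample config below is constructed; the keys are placeholders.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

TUNNEL_NET = ipaddress.ip_network("10.254.0.0/24")  # tunnel range used on the page

SAMPLE_WG0_CONF = """\
[Interface]
Address = 10.254.0.1/24
ListenPort = 51820
PrivateKey = REDACTED_HUB_PRIVATE_KEY

[Peer]
# laptop-01
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 10.254.0.2/32

[Peer]
# laptop-02
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
AllowedIPs = 10.254.0.3/32

[Peer]
# site-router: wrongly handed the whole tunnel range plus the LAN
PublicKey = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
AllowedIPs = 10.254.0.0/24, 10.0.0.0/16
"""


def parse_peers(conf: str) -> List[Dict[str, str]]:
    """Tiny INI reader: one dict per [Peer] section; comments and [Interface] are skipped."""
    peers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))  # base64 keys end in '='
            current[key] = value
    return peers


def audit_allowed_ips(conf: str,
                      tunnel: ipaddress.IPv4Network = TUNNEL_NET,
                      site_prefixes: Optional[Dict[str, Set[str]]] = None) -> List[str]:
    """Findings for over-broad or overlapping AllowedIPs; an empty list means clean.

    site_prefixes maps a PublicKey to prefixes that peer is explicitly allowed to
    route for (a branch router's LAN). Those skip the host/range checks but must
    still not overlap what another peer already claims.
    """
    site_prefixes = site_prefixes or {}
    findings: List[str] = []
    claimed: List[Tuple[ipaddress.IPv4Network, str]] = []
    for idx, peer in enumerate(parse_peers(conf), start=1):
        key = peer.get("PublicKey", f"<peer #{idx} without PublicKey>")
        tag = key[:8]
        cidrs = [c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if str(net) not in site_prefixes.get(key, set()):
                if net.prefixlen != net.max_prefixlen:
                    findings.append(f"{tag}: AllowedIPs {cidr} is a range, not a single host")
                if net.version != tunnel.version or not net.subnet_of(tunnel):
                    findings.append(f"{tag}: AllowedIPs {cidr} lies outside tunnel range {tunnel}")
            for other, other_tag in claimed:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"{tag}: {cidr} overlaps {other} already claimed by {other_tag}")
            claimed.append((net, tag))
    return findings


if __name__ == "__main__":
    for finding in audit_allowed_ips(SAMPLE_WG0_CONF) or ["clean"]:
        print(finding)
```

Run it from the etckeeper hook (row 11) so a commit that widens a peer's AllowedIPs fails before `wg syncconf` ever sees it.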
6. Prometheus node exporter (metrics symmetry)
```
apt install prometheus-node-exporter
systemctl enable --now prometheus-node-exporter
```
Metrics reachable at `http://ns.infra.mycorp.net:9100/metrics`. The exporter answers anyone on `0.0.0.0:9100` with no authentication, and host telemetry (kernel version, mounted filesystems, interfaces, running-service counts) is reconnaissance material, so either firewall 9100 to the Prometheus scraper or bind it to the box's own address with `ARGS="--web.listen-address=10.0.255.1:9100"` in `/etc/default/prometheus-node-exporter`.
Below is a **lightweight, copy-paste-ready** cheat-sheet that keeps the **cost ≤ 1 extra binary *or* 1 extra config file** rule.
Everything is grouped by *single-line install* and *single-file config* so you can mix-and-match as your “infra-core” grows.
---
## 🛠️ **Drop-in snippets**
```bash
# fetch, read, verify, then run; never pipe a remote script into a shell (and sudo belongs on bash, not on curl)
curl -fsSL -o /tmp/add-chrony.sh https://gist.githubusercontent.com/you/abc123/raw/add-chrony.sh
echo "<sha256 recorded next to the snippet in git>  /tmp/add-chrony.sh" | sha256sum -c -
sudo bash /tmp/add-chrony.sh
```
All snippets follow the **same directory layout**, and because etckeeper (row 11) keeps the whole of `/etc` under Git, every one of them (`chrony`, `dnsmasq.d`, `wireguard`, …) is committed together and can be rolled back with `git checkout`.
---
### 19. **Real-time structural-monitoring MQTT bus**
**Binary:** `apt install mosquitto`
**Config:** `/etc/mosquitto/conf.d/10-bridge.conf` on each edge broker (the central one only needs a `listener 8883` with TLS and `allow_anonymous false`)
```
connection ns
address ns.infra.mycorp.net:8883
bridge_cafile /etc/ssl/certs/ca-certificates.crt
remote_username edge-bridge
remote_password <per-edge secret>
topic sensors/# out 0
```
Attach cheap ESP32-based vibration sensors to any bridge/rack; data is instantly bridged to the central broker for Grafana alerts with zero custom code. `out` on a `sensors/#` prefix is the least privilege an edge needs; the wider `topic # both 0` would let any edge broker publish into every central topic and subscribe to all of them. Since mosquitto 2.0 a broker stays on localhost until it gets a `listener`, so the edge side also needs `listener 1883` for its sensors.
---
### 20. **NetBird overlay network (Zero-config VPN mesh)**
**Binary:**
```
curl -fsSL https://get.netbird.io/install.sh | sh
```
**Config:** `/etc/netbird/config.json` (auto-generated on `netbird up --setup-key …`)
Gives every node a stable address in `100.64.0.0/10` and WireGuard crypto with key distribution handled by the management server; reachability is governed by NetBird's access-control policies (the default policy is all-to-all), so write those rather than host firewall rules. Treat the setup key as a credential: use one-off or short-lived keys, because anyone holding a reusable key can enrol a device into the mesh. The install one-liner is another pipe-to-shell; fetch and read it first.
---
### 21. **Single-binary DERP map for Tailscale / Headscale**
**Binary:** `derper` (Tailscale's relay is a separate binary, not part of the `tailscale` client; `go install tailscale.com/cmd/derper@latest`)
**Config:** `/etc/headscale/derp.yaml` (referenced from headscale's `derp.paths`)
```
regions:
  900:
    regionid: 900
    regioncode: "infra"
    regionname: "infra"
    nodes:
      - name: ns
        regionid: 900
        hostname: ns.infra.mycorp.net
        ipv4: 10.0.255.1
```
Provides an internal relay when direct WireGuard hole-punch fails. `hostname` is the name `derper` presents its TLS certificate for, so issue it one from the step-ca (row 15) and run `derper -hostname ns.infra.mycorp.net` with that cert; clients reject a region whose certificate does not validate.
---
### 22. **OSQuery fleet launcher**
**Binary:** `apt install osquery` (from osquery's own apt repo; it is not in Debian main)
**Config:** `/etc/osquery/osquery.conf` (single JSON file)
```
{
  "options": {"logger_plugin": "syslog"},
  "schedule": {
    "listen_ports": {"query": "select * from listening_ports;", "interval": 300}
  }
}
```
With `logger_plugin=syslog` the scheduled results go to the local syslog and the rsyslog forwarder from #2 carries them to `ns.infra.mycorp.net`, so nothing new listens. Differential results for `listening_ports` every 5 minutes are exactly the "a new service appeared" signal a single box wants; add `processes` and `users` queries the same way.
---
### 23. **Immutable firmware OSTree mirror**
**Binary:** `apt install ostree`
**Config:** systemd timer drop-in `/etc/systemd/system/ostree-mirror.timer`
```
[Timer]
OnCalendar=Sat 02:00
Persistent=true

[Install]
WantedBy=timers.target
```
Keeps a versioned `/srv/ostree` mirror of Fedora CoreOS / Fedora IoT images (Ubuntu Core is snap-based, not OSTree) for zero-touch edge rollbacks. The timer fires a same-named `ostree-mirror.service` whose `ExecStart` runs `ostree --repo=/srv/ostree pull --mirror <remote> <ref>`; add the remote once with `ostree remote add --repo=/srv/ostree <name> <url>` and leave its GPG verification on, so a tampered upstream commit cannot land in the mirror.
---
### 24. **Kuma / Uptime-Kuma “infra pulse”**
**Binary:** `docker run -d -p 3001:3001 -v /srv/kuma:/app/data louislam/uptime-kuma`
**Config:** lives in the mounted `/srv/kuma` (SQLite); drop the web UI's backup export there too for one-click restore
Monitors internal DNS, WireGuard gateways, and PXE endpoints from the same box. Without the volume mount the monitor list dies with the container.
---
### 25. **Local LLM “help-desk” API**
**Binary:**
```
docker run -d -p 10.0.255.1:11434:11434 --name ollama ollama/ollama
docker exec ollama ollama pull llama3.2
```
**Config:** single API call to `http://ns.infra.mycorp.net:11434/api/generate` gives chat-ops answers; to have it answer about your internal infra docs you still have to put the relevant doc text into the prompt (or add a retrieval step in front), since the model knows nothing of them. Ollama listens on 11434 (not 8000) and has no authentication at all, so publish it only on the trusted address (above assumes `10.0.255.1` is the box's own IP, as in #4) or behind the SSO portal from #29.
---
### 26. **SBOM & vuln-scanning pipeline**
**Binary:** `syft` + `grype` (not in the Debian/Ubuntu repos; fetch the release binaries from github.com/anchore and verify the published checksums rather than piping their install script into `sh`)
**Config:** nightly systemd service `/etc/systemd/system/sbom-scan.service` (plus a matching `.timer`)
```
[Service]
Type=oneshot
# systemd runs ExecStart without a shell, so the pipe needs sh -c; $$ keeps systemd from expanding $ itself
ExecStart=/bin/sh -c 'for img in $$(docker image ls --format "{{.Repository}}:{{.Tag}}" | grep -v "<none>"); do syft "$$img" -o json | grype -o json | logger -t grype; done'
```
Results land in the same syslog endpoint (via `logger`). `syft /var/lib/docker` would only see docker's own storage files; scanning each image by name walks the real layers, and `syft … -o json | grype` hands the SBOM to grype on stdin.
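What to do with grype's output is the part the unit above leaves to `logger`. This added example (not from the page or from Anchore) parses a constructed report in the shape of `grype -o json` (a `matches` list of `vulnerability`/`artifact` objects plus `source.target`), emits one key=value syslog line per finding, worst first, and returns a non-zero verdict when anything at or above a chosen severity is present. The vulnerability IDs in the sample are placeholders, the image name is the page's NetBox image, and the script name `grype_gate.py` in the usage line is assumed.

```python
"""grype JSON -> one syslog line per finding, plus a severity gate.

Added example, not the page's tooling. SAMPLE_GRYPE_JSON is a constructed
report laid out like `grype -o json` (matches[].vulnerability / artifact and
source.target); the vulnerability IDs are placeholders, not real advisories.
"""
import json
import sys
from typing import Dict, List, Tuple

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {"vulnerability": {"id": "EXAMPLE-0001", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["1.2.3-1"]}},
         "artifact": {"name": "libexample", "version": "1.2.2-1", "type": "deb"}},
        {"vulnerability": {"id": "EXAMPLE-0002", "severity": "High",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "tinytool", "version": "0.9", "type": "python"}},
        {"vulnerability": {"id": "EXAMPLE-0003", "severity": "Low",
                           "fix": {"state": "fixed", "versions": ["2.0"]}},
         "artifact": {"name": "leftpad", "version": "1.0", "type": "npm"}},
    ],
    "source": {"type": "image", "target": {"userInput": "netboxcommunity/netbox:latest"}},
})


def findings(report_json: str) -> List[Dict[str, str]]:
    """Flatten grype matches into flat dicts: image, id, severity, package, version, fix."""
    report = json.loads(report_json)
    target = report.get("source", {}).get("target", {})
    # image scans carry a dict with userInput; directory scans carry a plain path string
    image = target.get("userInput", "unknown") if isinstance(target, dict) else str(target)
    rows: List[Dict[str, str]] = []
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        art = match.get("artifact", {})
        fix = vuln.get("fix") or {}
        rows.append({
            "image": image,
            "id": vuln.get("id", "?"),
            "severity": vuln.get("severity", "Unknown"),
            "package": art.get("name", "?"),
            "version": art.get("version", "?"),
            "fix": ",".join(fix.get("versions") or []) or fix.get("state", "unknown"),
        })
    return rows


def syslog_lines(rows: List[Dict[str, str]]) -> List[str]:
    """key=value lines, worst severity first, so an rsyslog filter can cut cheaply."""
    ordered = sorted(rows, key=lambda r: -SEVERITY_RANK.get(r["severity"], -1))
    return [
        f'grype image="{r["image"]}" vuln={r["id"]} severity={r["severity"]} '
        f'pkg={r["package"]} version={r["version"]} fix={r["fix"]}'
        for r in ordered
    ]


def gate(rows: List[Dict[str, str]], fail_on: str = "High") -> Tuple[bool, int]:
    """(ok, count_at_or_above): ok is False when any finding meets the fail_on severity."""
    if fail_on not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {fail_on!r}")
    threshold = SEVERITY_RANK[fail_on]
    bad = sum(1 for r in rows if SEVERITY_RANK.get(r["severity"], -1) >= threshold)
    return bad == 0, bad


def main() -> int:
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GRYPE_JSON
    rows = findings(raw)
    for line in syslog_lines(rows):
        print(line)
    ok, _count = gate(rows, "High")
    return 0 if ok else 2


if __name__ == "__main__":
    raise SystemExit(main())
```

Wire it into the unit as `syft "$img" -o json | grype -o json | python3 grype_gate.py | logger -t grype`; the non-zero exit makes the oneshot unit show as failed, which Uptime-Kuma (#24) or a systemd `OnFailure=` hook can alert on, while the per-finding lines stay searchable in the central syslog.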
---
### 27. **Geo-replicated S3-compatible “cold” storage**
**Binary:** `docker run -d -p 10.0.255.1:9000:9000 -p 10.0.255.1:9001:9001 --env-file /etc/default/minio -v /srv/backup:/data minio/minio server /data --console-address ":9001"`
**Config:** single env file `/etc/default/minio` (mode 0600, fed in via `--env-file` so the secret never appears on a command line where `ps` shows it)
```
MINIO_ROOT_USER=admin
MINIO_ROOT_PASSWORD=<32+ random characters, e.g. from openssl rand -base64 32>
```
`/srv/backup` is the host path behind `/data`, for backups of WireGuard keys, NetBox DB, etc. (the bind address above assumes `10.0.255.1` is the box's own IP, as in #4). Immutability comes from Object Lock, not from the mount: create the bucket with `mc mb --with-lock` and set a default retention (`mc retention set --default COMPLIANCE 30d <alias>/<bucket>`), otherwise anyone who obtains the root credential can delete the backups. Geo-replication is a second MinIO site plus `mc replicate`; one box on its own does not provide it.
---
### 28. **AI-driven energy-optimiser for server racks**
**Binary:** `apt install influxdb2 telegraf ipmitool` (`influxdb2` and `telegraf` come from InfluxData's apt repo; the `ipmi_sensor` input shells out to `ipmitool`)
**Config:** `/etc/telegraf/telegraf.conf` (one input + one output)
```
[[inputs.ipmi_sensor]]
[[outputs.influxdb_v2]]
  urls = ["http://ns.infra.mycorp.net:8086"]
  token = "${INFLUX_TOKEN}"
  organization = "infra"
  bucket = "ipmi"
```
Grafana's ML/AI plugins can suggest fan-curve tweaks from the IPMI series; the reported saving is in the 8 to 12 % range. Keep the write token in telegraf's environment file (`/etc/default/telegraf`, mode 0600) rather than in the config, and scope it to write access on the `ipmi` bucket only.
---
### 29. **Single-sign-on portal (SSO)**
**Binary:** `docker run -d -p 9091:9091 -v /etc/authelia:/config authelia/authelia`
**Config:** `/etc/authelia/configuration.yml` (mounted as `/config/configuration.yml`; single YAML) with the `file` authentication backend (`users_database.yml`, argon2 password hashes) gives LDAP-less 2-factor auth (TOTP or WebAuthn) in front of NetBox, Uptime-Kuma, phpIPAM, etc. Authelia listens on 9091 (9000 would collide with MinIO in #27) and does not proxy anything itself: the nginx from row 17 has to send an `auth_request` to it for every protected location.
---
### 30. **Satellite imagery coastal-watch cron**
**Binary:** `apt install awscli` (the Debian package is `awscli`, not `aws-cli`)
**Config:** `/etc/systemd/system/coastal-watch.service`
```
[Service]
Type=oneshot
# --include only re-admits after an --exclude; without the exclude, sync pulls the whole prefix
ExecStart=/usr/bin/aws s3 sync s3://sentinel-s2-l2a /srv/sat --no-sign-request --exclude "*" --include "*T10*/*B02.jp2"
```
Feed into the same MQTT bus (#19) for AI flood-risk scoring. Check the bucket's access model before scheduling this: a Requester Pays bucket rejects unsigned requests, and then `--no-sign-request` has to become credentials plus `--request-payer requester` (a tiny read-only IAM user, never the box's admin keys). Narrow the path beyond `*T10*` as well; a sync across a whole Sentinel-2 tile set fills `/srv/sat` quickly.
---