Building Infrastructure #
Deevnet uses a two-phase model for substrate provisioning. These procedures apply whether building new infrastructure, recovering from failure, or replacing hardware.
The Two-Phase Model #
Phase 1: Online Preparation #
A builder node with internet access stages all required artifacts to the internal artifact server. This happens proactively—before any build or recovery.
Staged artifacts include: OS install trees, ISOs, container images, SSH keys.
Phase 2: Offline Build #
With artifacts pre-staged, the bootstrap node can build the entire substrate without internet access. PXE boot pulls everything from local sources.
When These Procedures Apply #
| Scenario | Notes |
|---|---|
| Greenfield build | New infrastructure from scratch |
| Disaster recovery | Rebuild after failure |
| Hardware replacement | New hardware = new MAC addresses |
| Capacity expansion | Adding hosts to existing site |
In all cases, the process starts with seeding MAC addresses into inventory.
Stateless Substrate #
The substrate (Core Router, hypervisors, network infrastructure) is stateless. All configuration is defined in source control and applied via automation. No backup, restore, or data recovery is required for the substrate itself—just rebuild from scratch.
This means:
- No substrate snapshots or backups to maintain
- No state synchronization concerns
- Any host can be wiped and rebuilt at any time
- Hardware replacement is straightforward
Application tenants are different. Tenant workloads may have stateful data (databases, user files, etc.) that requires backup and recovery procedures. See Build Tenants for tenant-specific considerations.
Greenfield Build Sequence #
A complete build from scratch follows this sequence. Authority transitions and network segmentation are integrated steps — not separate procedures.
flowchart TD
A["1. Stage Artifacts
Fetch OS images, ISOs, SSH keys"]
B["2. Seed Inventory
MAC addresses, host definitions"]
C["3. Vault Operations
Decrypt secrets for automation"]
D["4. Configure PXE
make bootstrap-auth"]:::transition
E["5. Build Core Router
Manual OPNsense USB install"]:::manual
F["6. Build Network
VLANs, firewall, DHCP, wireless
make core-auth"]:::transition
G["7. Build Management Plane
PXE boot Proxmox hypervisors"]
H["8. Verify Site
Network, DNS, DHCP, PXE validation"]
I["9. Build Tenants
Provision application VMs"]
J["10. Verify Tenants
Application health checks"]
A --> B --> C --> D --> E --> F --> G --> H --> I --> J
classDef default fill:#2d333b,stroke:#539bf5,color:#adbac7
classDef transition fill:#1a3a1a,stroke:#57ab5a,color:#8ddb8c
classDef manual fill:#3d1f00,stroke:#d29922,color:#e6c068
Legend:
flowchart LR; T["Authority transition"]:::transition; M["Manual step"]:::manual; classDef transition fill:#1a3a1a,stroke:#57ab5a,color:#8ddb8c; classDef manual fill:#3d1f00,stroke:#d29922,color:#e6c068
Build Procedures #
Preparation #
- Stage Artifacts — Fetch artifacts from internet sources
- Seed Inventory — Define MAC addresses and host definitions
- Vault Operations — Decrypt secrets for automation
Build #
- Configure PXE — Enter bootstrap-authoritative mode (
make bootstrap-auth) - Build Network — Core Router install, network segmentation, transition to core-authoritative (
make core-auth) - Build Management Plane — PXE boot Proxmox hypervisors
Validate #
- Verify Site — Validate site infrastructure
- Build Tenants — Provision application workloads
- Verify Tenants — Validate tenant applications
Reference #
- Authority Transition — Standalone reference for DNS/DHCP authority transitions
- Network Segmentation — Detailed VLAN, firewall, and DHCP procedures
Air-Gap Readiness #
| Component | Method | Status |
|---|---|---|
| Proxmox VM template | kickstart + cdrom | Ready |
| Proxmox VE bare metal | embedded answer file | Ready |
| Fedora packages (install) | local mirror/ISO | Ready |
| Core Router | manual USB install | Manual — accepted prereq |
Known Gaps #
Core Router - No automated install exists, but this is an accepted manual prerequisite for the MVP. A fresh OPNsense install from USB is performed before the automated build begins, same as factory-resetting the switch and AP. Day-2 configuration is fully automated via the deevnet.net Ansible collection. Future options (pre-imaged NVMe, alternative whitebox solutions) are tracked under Future Evaluations.
Post-Install Updates - See Patching for day 2 considerations.