📋 Operational Runbook on Deevnet Infrastructure Platform

Authority Transition

Mon, 01 Jan 0001 00:00:00 +0000

Authority Transition Runbook #

Procedures for transitioning DNS/DHCP authority between the builder and production network infrastructure.

For the architectural model, see Core Services Architecture.

**Build context:** During a greenfield build, these transitions happen as part of the [Building Infrastructure](/docs/runbook/building-recovery/) sequence — [Configure PXE](/docs/runbook/building-recovery/build-sequence/) enters bootstrap-authoritative mode, and [Build Network](/docs/runbook/building-recovery/build-network/) transitions to core-authoritative mode. This page is the standalone reference for both directions.

Overview #

Transition	From	To	When
Promote to production	Builder-authoritative	Router-authoritative	After network infrastructure is configured and validated
Revert to bootstrap	Router-authoritative	Builder-authoritative	Before substrate rebuild or recovery

Both transitions are automated via playbooks in deevnet.builder and deevnet.net. The IP swap is the final step in each playbook and drops the SSH connection — reconnect at the new IP to verify.

Patching

Mon, 01 Jan 0001 00:00:00 +0000

Patching #

Day 2 maintenance and security updates for substrate hosts.

Status: Planned #

This section will document:

Online patching (hosts with internet access)
Offline patching (air-gapped site)
Local dnf mirror setup for full air-gap

Decision Required #

Post-install updates currently require internet access. Options:

Option	Pros	Cons
Accept internet required	Simple, no extra storage	Not true air-gap
Full local dnf mirror	True air-gap	~200GB per Fedora release
Hybrid (security only)	Balanced	Complex to maintain

Current State #

Install-time packages come from ISO/cdrom (air-gap ready).

Authority Transition Gap Analysis

Mon, 01 Jan 0001 00:00:00 +0000

Authority Transition Gap Analysis #

Analysis of gaps between the authority transition runbook and the actual state of automation, performed 2026-03-26 against the segmented 10-space (10.20.x.x with per-VLAN subnets).

Scope: bootstrap-authoritative.yml, core-authoritative.yml, the bootstrap role, inventory group_vars, dnsmasq templates, and the OPNsense DNS/DHCP roles in deevnet.net.

Critical Gaps #

GAP 1: `bootstrap-authoritative.yml` doesn’t enable DHCP #

Runbook says: make bootstrap-auth enables DNS/DHCP/gateway on the builder.

Reality: The playbook calls include_role: bootstrap without overriding bootstrap_tftp_backend or bootstrap_dnsmasq_dhcp_enabled. Inventory has both set to their production values (tftpd / false), so running the playbook installs standalone tftpd with DHCP off.

Security

Mon, 01 Jan 0001 00:00:00 +0000

Security & Vulnerability Management #

Documents security posture, assumptions, and lifecycle practices.

Scope #

This section includes:

Trust boundaries and threat assumptions
Credential and key management philosophy
Vulnerability monitoring and response expectations
Patch and upgrade responsibility by layer
Security-related guardrails and invariants

This section defines what “secure enough” means for Deevnet.

Status: Planned #

Detailed security documentation is planned. Key areas to document:

Trust Boundaries #

Substrate network is trusted
Upstream/WAN is untrusted
Tenant isolation requirements

Credential Management #

SSH key distribution via artifact server
No passwords in playbooks or inventory
API tokens for service accounts

Vulnerability Response #

Monitoring sources (CVE feeds, vendor advisories)
Patch timelines by severity
Emergency response procedures

Inventory Lifecycle

Mon, 01 Jan 0001 00:00:00 +0000

Inventory & Lifecycle Management #

Documents how infrastructure assets are tracked, managed, and retired.

Scope #

This section includes:

Host identity and inventory sources of truth
Hardware lifecycle stages (active, standby, retired)
Image and configuration lifecycle expectations
Decommissioning and cleanup principles

This section ensures infrastructure ages intentionally, not accidentally.

Lifecycle Stages #

Stage	Description
Provisioning	Host being set up, not yet in service
Active	In production use
Standby	Available but not currently assigned
Maintenance	Temporarily offline for updates/repairs
Retired	Decommissioned, removed from inventory

Inventory Sources of Truth #

ansible-inventory-deevnet - Canonical host identity
OPNsense - Authoritative DNS/DHCP (production)
Bootstrap node - Authoritative DNS/DHCP (during provisioning)

Decommissioning #

When retiring a host:

Change Management

Mon, 01 Jan 0001 00:00:00 +0000

Change Management & CI/CD #

Defines how change is introduced safely into the Deevnet ecosystem.

Scope #

This section includes:

Change classification (routine vs disruptive)
Required validation before changes are applied
Automated testing expectations by layer
CI/CD pipeline responsibilities
Guardrails that prevent unsafe changes from reaching production sites

Principles #

Automated testing and CI/CD exist to:

Validate assumptions early
Prevent regressions
Ensure changes preserve correctness

Manual changes without validation are considered defects.

Network Reference

Mon, 01 Jan 0001 00:00:00 +0000

Network Reference #

Quick reference for VLAN assignments and network configuration across Deevnet sites.

dvntm VLAN Assignments #

Segment	VLAN ID	Subnet	Gateway	DHCP
Trusted	10	10.20.10.0/24	10.20.10.1	.100-.200
Storage	20	10.20.20.0/24	10.20.20.1	Static only
Platform	25	10.20.25.0/24	10.20.25.1	Static only
IoT	30	10.20.30.0/24	10.20.30.1	.100-.200
IoT Vendor	31	10.20.31.0/24	10.20.31.1	.100-.200
IoT Backend	35	10.20.35.0/24	10.20.35.1	Static only
Guest	40	10.20.40.0/24	10.20.40.1	.50-.250
Tenant 1	50	10.20.50.0/24	10.20.50.1	Per-tenant
Tenant 2	51	10.20.51.0/24	10.20.51.1	Per-tenant
Tenant 3	52	10.20.52.0/24	10.20.52.1	Per-tenant
Management	99	10.20.99.0/24	10.20.99.1	Static only
Blackhole	999	—	—	None (unrouted)

dvnt VLAN Assignments #

Segment	VLAN ID	Subnet	Gateway	DHCP
Trusted	10	10.10.10.0/24	10.10.10.1	.100-.200
Storage	20	10.10.20.0/24	10.10.20.1	Static only
Platform	25	10.10.25.0/24	10.10.25.1	Static only
IoT	30	10.10.30.0/24	10.10.30.1	.100-.200
IoT Vendor	31	10.10.31.0/24	10.10.31.1	.100-.200
IoT Backend	35	10.10.35.0/24	10.10.35.1	Static only
Guest	40	10.10.40.0/24	10.10.40.1	.50-.250
Tenant 1	50	10.10.50.0/24	10.10.50.1	Per-tenant
Tenant 2	51	10.10.51.0/24	10.10.51.1	Per-tenant
Tenant 3	52	10.10.52.0/24	10.10.52.1	Per-tenant
Management	99	10.10.99.0/24	10.10.99.1	Static only
Blackhole	999	—	—	None (unrouted)

Segment Purpose Summary #

Segment	Trust Level	Purpose
Management	High	Infrastructure management plane (provisioners, hypervisor mgmt, switches, IPMI)
Trusted	High	User devices (workstations, laptops, personal devices)
Storage	High	Dedicated storage traffic (NAS, backup targets)
Platform	High	Shared infrastructure services (DNS, NTP, artifact mirrors, reverse proxy)
Tenant	Medium	Per-tenant workload isolation
IoT Backend	Medium	IoT application backends (MQTT, Home Assistant, data pipelines)
IoT Vendor	Very Low	Vendor-managed IoT containment zone (cloud-dependent, unauditable)
IoT	Medium	Custom-developed embedded devices with controlled firmware (Pis, sensors)
Guest	Untrusted	Transient visitor access (internet only)

Canonical Source #

VLAN definitions are maintained in Ansible inventory:

📋 Operational Runbook on Deevnet Infrastructure Platform

Authority Transition

Authority Transition Runbook #

Overview #

Patching

Patching #

Status: Planned #

Decision Required #

Current State #

Authority Transition Gap Analysis

Authority Transition Gap Analysis #

Critical Gaps #

GAP 1: bootstrap-authoritative.yml doesn’t enable DHCP #

Security

Security & Vulnerability Management #

Scope #

Status: Planned #

Trust Boundaries #

Credential Management #

Vulnerability Response #

Inventory Lifecycle

Inventory & Lifecycle Management #

Scope #

Lifecycle Stages #

Inventory Sources of Truth #

Decommissioning #

Change Management

Change Management & CI/CD #

Scope #

Principles #

Network Reference

Network Reference #

dvntm VLAN Assignments #

dvnt VLAN Assignments #

Segment Purpose Summary #

Canonical Source #

GAP 1: `bootstrap-authoritative.yml` doesn’t enable DHCP #