Infrastructure Host Addition

Checklist for adding any new infrastructure host. Prevents scope creep and ensures consistency across BIND DNS, Antora attributes, Vault SSH CA, and monitoring.

When to Use This Runbook

Use this BEFORE deploying any new VM, container, or physical host:

  • New VMs (vyos-02, vault-03, ipa-02, etc.)

  • New services on existing IPs (CNAMEs)

  • Infrastructure migrations (IP changes)

Quick Checklist

Step | Action                                         | Status
---- | ---------------------------------------------- | ------
1    | IP Allocation - reserve in CLAUDE.md inventory | [ ]
2    | Antora Attributes - add to antora.yml          | [ ]
3    | BIND Forward Zone - A record (nsupdate)        | [ ]
4    | BIND Reverse Zone - PTR record (nsupdate)      | [ ]
5    | Vault SSH CA Trust (if Linux/Unix host)        | [ ]
6    | Monitoring - Wazuh agent or syslog source      | [ ]
7    | Update deployment runbook with PRE-0 steps     | [ ]

Step 1: IP Allocation

Location: domus-infra-ops/.claude/CLAUDE.md → Infrastructure Inventory

Check the IP range table and reserve the IP:

grep -A5 "IP Address Ranges" /home/evanusmodestus/atelier/_bibliotheca/domus-infra-ops/.claude/CLAUDE.md

Add the new host to the appropriate zone table in CLAUDE.md.

Step 2: Antora Attributes

Location: domus-infra-ops/docs/asciidoc/antora.yml

Add hostname and IP attributes:

    # Example for vyos-01/02
    vyos-01-hostname: vyos-01.inside.domusdigitalis.dev
    vyos-01-ip: 10.50.1.2
    vyos-02-hostname: vyos-02.inside.domusdigitalis.dev
    vyos-02-ip: 10.50.1.3

Verify attributes exist before writing any .adoc:

grep -i "vyos" /home/evanusmodestus/atelier/_bibliotheca/domus-infra-ops/docs/asciidoc/antora.yml

Step 3: BIND Forward Zone

On bind-01:

ssh bind-01

Find insertion point:

sudo awk '/^; <SECTION>/ {print NR": "$0}' /var/named/inside.domusdigitalis.dev.zone

Replace <SECTION> with the section AFTER where your record goes (e.g., "Network Devices" for gateway-adjacent hosts): sed's LINEi inserts before line LINE, so the new record lands at the end of the preceding section.

Insert A record (replace LINE with actual line number):

sudo sed -i 'LINEi\
; <SECTION COMMENT>\
<hostname>      IN  A       <ip>\
' /var/named/inside.domusdigitalis.dev.zone

Increment SOA serial:

# Check current serial
sudo awk '/Serial/ {print $1}' /var/named/inside.domusdigitalis.dev.zone
# Increment (format: YYYYMMDDNN)
sudo sed -i 's/<old-serial>/<new-serial>/' /var/named/inside.domusdigitalis.dev.zone

Validate and reload:

sudo named-checkzone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone
sudo rndc reload inside.domusdigitalis.dev

Step 4: BIND Reverse Zone

Find insertion point:

sudo awk '/^; <SECTION>/ {print NR": "$0}' /var/named/10.50.1.rev

Insert PTR record (NO leading whitespace!):

sudo sed -i 'LINEi\
; <SECTION COMMENT>\
<last-octet>    IN  PTR     <hostname>.inside.domusdigitalis.dev.\
' /var/named/10.50.1.rev

Increment SOA serial and reload:

sudo sed -i 's/<old-serial>/<new-serial>/' /var/named/10.50.1.rev
sudo named-checkzone 1.50.10.in-addr.arpa /var/named/10.50.1.rev
sudo rndc reload 1.50.10.in-addr.arpa

Step 5: Vault SSH CA Trust (Linux/Unix hosts)

If the new host needs SSH access via Vault-signed certificates:

On the new host:

# Download CA public key
# (-k skips TLS certificate verification; compare the fetched key with the one Vault reports before trusting it)
curl -sSk https://vault-01.inside.domusdigitalis.dev:8200/v1/ssh/public_key | sudo tee /etc/ssh/vault-ca.pub
# Add to sshd_config (BEFORE any Match blocks! tee -a appends at the end of the file,
# so if sshd_config already has Match blocks, move the line above them)
echo "TrustedUserCAKeys /etc/ssh/vault-ca.pub" | sudo tee -a /etc/ssh/sshd_config
# Validate the config, then restart sshd
sudo sshd -t
sudo systemctl restart sshd

Update vault-ssh-test script to include new host.

Step 6: Monitoring

Wazuh Agent (preferred)

# On new host - install Wazuh agent
# See: k3s-wazuh.adoc for agent installation

Syslog Source (network devices)

# Configure device to send syslog to Wazuh manager
# Target: 10.50.1.134:514/udp

Step 7: Update Deployment Runbook

Add PRE-0 steps to the host’s deployment runbook:

.PRE-0a: Add BIND forward zone record
.PRE-0b: Add BIND reverse zone record
.PRE-0c: Verify DNS resolution

This ensures future deployments don’t miss DNS setup.

Verification

After all steps complete:

# Forward lookup via BIND
dig +short <hostname>.inside.domusdigitalis.dev @10.50.1.90
# Reverse lookup via BIND
dig +short -x <ip> @10.50.1.90
# Forward lookup from workstation (client perspective)
dig +short <hostname>.inside.domusdigitalis.dev
# SSH test (if Vault CA configured)
ssh <hostname>

Common Mistakes

Mistake                      | Consequence                                    | Prevention
---------------------------- | ---------------------------------------------- | ---------------------------------
Skip BIND A record           | Authoritative DNS missing, zone transfers fail | Always add both A and PTR records
Wrong SOA serial format      | Zone rejected, no updates                      | Use YYYYMMDDNN, always increment
PTR with leading whitespace  | NXDOMAIN on reverse lookups                    | Start at column 1
Forget antora.yml attributes | Hardcoded IPs in documentation                 | Step 2 before writing any .adoc
Skip reverse zone            | Reverse DNS fails, some services break         | Always do forward AND reverse
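
As an added example (not part of this runbook), two POSIX sh helpers for the manual zone-file edits in Steps 3 and 4: next_serial produces the next YYYYMMDDNN serial the Common Mistakes table calls for, including the same-day re-edit case, and check_ptr_line catches the leading-whitespace and missing-trailing-dot PTR mistakes before named-checkzone runs. The function names and the sample values are constructed.

```shell
#!/bin/sh
# Helpers for the manual BIND edits in Steps 3 and 4 (added example, not
# part of the runbook). Sample values used with them are constructed.

# Print the next SOA serial in YYYYMMDDNN form, given the current serial and
# optionally a date (default: today, UTC). Fails if the serial is malformed or
# the two-digit revision counter for that day is exhausted.
next_serial() {
    old=$1
    today=${2:-$(date -u +%Y%m%d)}
    case $old in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) printf 'next_serial: %s is not 10 digits (YYYYMMDDNN)\n' "$old" >&2; return 1 ;;
    esac
    old_date=${old%??}          # first eight digits: YYYYMMDD
    old_nn=${old#????????}      # last two digits: revision within that day
    old_nn=${old_nn#0}          # drop a leading zero so the shell does not read it as octal
    if [ "$old_date" -lt "$today" ]; then
        printf '%s01\n' "$today"                       # first change today
    elif [ "$old_date" -eq "$today" ]; then
        if [ "$old_nn" -ge 99 ]; then
            printf 'next_serial: revision counter exhausted for %s\n' "$today" >&2; return 1
        fi
        printf '%s%02d\n' "$today" $((old_nn + 1))     # another change today
    else
        printf '%s\n' $((old + 1))   # serial dated in the future: must still increase
    fi
}

# Check a reverse-zone record line for the two PTR pitfalls from Common Mistakes:
# it must start at column 1 (leading whitespace makes the line inherit the previous
# owner name), and the target must be a FQDN with a trailing dot (otherwise BIND
# appends the zone origin to it).
check_ptr_line() {
    case $1 in
        [0-9]*IN*PTR*.) return 0 ;;
        [!0-9]*) printf 'check_ptr_line: record must start at column 1\n' >&2; return 1 ;;
        *) printf 'check_ptr_line: expected "<last-octet> IN PTR <fqdn>."\n' >&2; return 1 ;;
    esac
}

# Stand-alone use: sh next_serial.sh <old-serial> [YYYYMMDD]
if [ "$#" -ge 1 ]; then next_serial "$@"; fi
```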