Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
CI/CD-automated network configuration management at pipeline scale (use ci-cd)
AI Self-Check
Before returning any generated network configuration, verify:
No hardcoded secrets: passwords, PSKs, API keys use placeholders or env vars
Correct interface names: didn't assume eth0 - modern Linux uses predictable names
(enp0s3, ens18, etc.). Ask or check ip link output
MTU considered: VPN tunnels need reduced MTU (WireGuard: 1420, OpenVPN: ~1400, VXLAN:
1450). Mismatched MTU causes silent packet drops
DNS resolver order: systemd-resolved vs /etc/resolv.conf vs NetworkManager - check
which DNS manager is active before modifying
Firewall persistence: nftables rules need nft list ruleset > /etc/nftables.conf or
a service to persist across reboots. Raw nft add commands are ephemeral
Port conflicts checked: reverse proxy ports (80, 443) may conflict with existing
services. Verify with ss -tlnp
TLS versions: minimum TLS 1.2 for all services. TLS 1.3 preferred where supported
Private IP ranges correct: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (not /24)
Subnet overlap: VPN address ranges must not overlap with LAN or other VPN ranges
IPv6 considered: dual-stack config or explicit disable. Half-configured IPv6 leaks
traffic around IPv4-only VPNs
Backup before modifying: save current config before changes (nft list ruleset > backup.nft, cp nginx.conf nginx.conf.bak). Network misconfigs can lock out remote access
Service reload vs restart: prefer graceful reload (nginx -s reload, systemctl reload) over restart to avoid dropping active connections
IP forwarding enabled: any config involving routing, VPN, or inter-VLAN traffic
needs net.ipv4.ip_forward = 1 (and net.ipv6.conf.all.forwarding = 1 for dual-stack).
Without it, the kernel silently drops forwarded packets
systemd-resolved conflict: if deploying a local DNS server (Unbound, CoreDNS,
dnsmasq), check whether systemd-resolved is binding port 53. Disable its stub listener
(DNSStubListener=no) or bind your server to a different port
Current source checked: dated versions, CLI flags, API names, and support windows are verified against primary docs before repeating them
Hidden state identified: local config, credentials, caches, contexts, branches, cluster targets, or previous runs are made explicit before acting
Verification is real: final checks exercise the actual runtime, parser, service, or integration point instead of only linting prose or happy paths
Routing overlap checked: overlapping skills, trigger terms, and "When NOT to use" boundaries are checked before returning guidance
Spec claims verified: claims about tool behavior, output contracts, or repo conventions are checked against current docs, scripts, or skill files
Topology verified: interface names, routes, DNS resolvers, namespaces, VPN state, and firewall backend are observed before changes
Rollback path preserved: remote network changes include timed rollback, console access, or an alternate path
Performance
Measure path, DNS, TLS, and application latency separately before tuning.
Use packet captures with narrow filters and time windows to avoid huge captures and privacy spill.
Prefer persistent nftables sets, DNS caches, and proxy connection reuse where appropriate.
Best Practices
Diagnose before changing: capture current routes, rules, addresses, and resolver state.
Change one layer at a time: DNS, routing, firewall, proxy, VPN, or application.
Keep emergency access open when editing firewall, VPN, or default-route configuration remotely.
Workflow
Step 1: Identify the task type
Task type
Start with
Reference
Troubleshoot
Symptoms, recent changes, affected scope
references/troubleshooting.md
Configure DNS
Current resolver, authoritative vs recursive, split-horizon needs
references/dns.md
Set up reverse proxy
Which proxy, upstream services, TLS requirements
references/reverse-proxies.md
Configure VPN
Topology (p2p, hub-spoke, mesh), protocol choice
references/vpn.md
Network segmentation
VLANs, subnets, nftables zones, namespaces
references/segmentation.md
High availability
keepalived/VRRP, floating IPs, health checks
references/ha.md
Step 2: Gather context
Before writing config or running commands:
What distro and init system? (systemd vs OpenRC - affects service management)
What's the current network state? (ip addr, ip route, ss -tlnp, resolvectl status)
Is there an existing firewall? (nft list ruleset, iptables-save)
Who manages DNS? (resolvectl status or cat /etc/resolv.conf - check for systemd-resolved stub)
Any existing VPN/overlay? (wg show, tailscale status, ip link for tun/wg/vxlan devices)
Is this behind NAT? (affects VPN, reverse proxy, and HA design)
Step 3: Implement
Read the appropriate reference file for detailed patterns. Key principles:
Test before persisting. Add nftables rules, verify connectivity, then save. Apply reverse
proxy config changes with --dry-run or syntax check first (caddy validate, nginx -t,
haproxy -c).
One change at a time. Network misconfigs can lock you out. If working over SSH, set a
revert timer (at now + 5 minutes <<< 'systemctl restart networking').
Log what you changed. Network debugging is 10x harder when you don't know what changed.
Step 4: Validate
What to validate
How
DNS resolution
dig @server domain A +short, dig domain AAAA +short
Caddy handles TLS certificate provisioning automatically via ACME (Let's Encrypt). DNS A/AAAA
records for all three subdomains must point to the host. Validate: caddy validate --config /etc/caddy/Caddyfile.
Read references/reverse-proxies.md for configuration patterns, TLS setup,
health checks, rate limiting, and WebSocket/gRPC proxying.
Quick Reference: VPN Protocol Selection
Protocol
Speed
Complexity
Key exchange
Best for
WireGuard
Fastest
Minimal config
Noise (Curve25519)
P2P, hub-spoke, general use
OpenVPN
Good
Complex PKI
TLS/x509
Legacy, tap mode (L2)
IPsec (strongSwan)
Good
Most complex
IKEv2
Site-to-site, standards compliance
Tailscale/Headscale
Fast (WG underneath)
Zero config
WG + DERP relays
Overlay mesh, remote access
Nebula
Fast
Low
Certificate-based
Large mesh, Slack-scale
WireGuard site-to-site quick start
# Site A (/etc/wireguard/wg0.conf) - 10.0.1.0/24[Interface]PrivateKey = <SITE_A_PRIVATE_KEY>
Address = 10.100.0.1/30ListenPort = 51820# MTU = 1420 for most setups; subtract 80 more if over PPPoE[Peer]PublicKey = <SITE_B_PUBLIC_KEY>
Endpoint = site-b.example.com:51820AllowedIPs = 10.0.2.0/24, 10.100.0.2/32PersistentKeepalive = 25# Site B (/etc/wireguard/wg0.conf) - 10.0.2.0/24[Interface]PrivateKey = <SITE_B_PRIVATE_KEY>
Address = 10.100.0.2/30ListenPort = 51820[Peer]PublicKey = <SITE_A_PUBLIC_KEY>
Endpoint = site-a.example.com:51820AllowedIPs = 10.0.1.0/24, 10.100.0.1/32PersistentKeepalive = 25
Both sides need net.ipv4.ip_forward = 1 in /etc/sysctl.d/. AllowedIPs is the remote
subnet (not 0.0.0.0/0 - that's full-tunnel, not site-to-site). Key generation:
wg genkey | tee privatekey | wg pubkey > publickey.
Read references/vpn.md for setup patterns, key management, MTU tuning,
NAT traversal, and overlay network comparison.
Quick Reference: nftables vs iptables
iptables is legacy. nftables is the default on Debian 11+, RHEL 9+, Arch, and most modern distros.
# Minimal nftables ruleset - stateful firewall with SSH
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
ct state established,related accept
iif lo accept
tcp dport 22 accept
icmp type echo-request accept
icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert } accept
}
chain forward { type filter hook forward priority 0; policy drop; }
chain output { type filter hook output priority 0; policy accept; }
}
Read references/segmentation.md for VLAN setup, nftables zones, network
namespaces, and inter-VLAN routing patterns.
PCI-DSS 4.0 Relevance
Network configuration touches several PCI-DSS requirements:
Req
Area
What to check
1.2
Network security controls
Firewall rules restrict inbound/outbound to minimum necessary
1.3
CDE segmentation
VLANs, nftables, or physical separation between CDE and other networks
1.4
Trusted/untrusted boundaries
Reverse proxy TLS termination, WAF placement
2.2
Hardening
Disable unnecessary services, unused ports closed
4.1
Encryption in transit
TLS 1.2+ everywhere, no plaintext on untrusted segments
references/troubleshooting.md - Diagnostic methodology, tool deep-dives,
common issues, performance tuning
references/ha.md - keepalived/VRRP, floating IPs, HAProxy + keepalived
HA, health check patterns
Output Contract
See references/output-contract.md for the full contract.
Skill name: NETWORKING
Deliverable bucket:audits
Mode: conditional. When invoked to analyze, review, audit, or improve existing repo content, emit the full contract - boxed inline header, body summary inline plus per-finding detail in the deliverable file, boxed conclusion, conclusion table - and write the deliverable to docs/local/audits/networking/<YYYY-MM-DD>-<slug>.md. When invoked to answer a question, teach a concept, build a new artifact, or generate content, respond freely without the contract.
Severity scale:P0 | P1 | P2 | P3 | info (see shared contract; only used in audit/review mode).
Related Skills
firewall-appliance - manages BSD-based firewall appliances (OPNsense, pfSense). This skill
handles Linux networking; firewall-appliance handles FreeBSD appliance firewalls. If the user
mentions pfctl, CARP, or OPNsense/pfSense hostnames, route to firewall-appliance.
kubernetes - owns K8s networking (NetworkPolicy, Gateway API, service mesh, CNI). This
skill covers general DNS and proxy config; K8s-specific networking goes to kubernetes.
cluster-health - owns read-only Kubernetes cluster diagnostics. If the request is
"is the cluster healthy?" rather than "configure DNS/proxy/routing", route there.
docker - owns container networking (bridge, Compose networks, port mapping). This skill
covers host-level Linux networking.
browse - web browsing, scraping, headless page interaction. This skill covers network
infrastructure, not web content retrieval.
ci-cd - pipeline design for automated network config management. This skill provides the networking knowledge; ci-cd handles pipeline orchestration around it.
Rules
Ask which interface. Never assume eth0. Modern Linux uses predictable interface names.
Check with ip link or ask the user.
Test before persisting. Network misconfigs can lock you out of remote machines. Apply
changes temporarily, verify connectivity (especially SSH), then persist.
MTU matters. VPN tunnels, VXLAN, and PPPoE all reduce effective MTU. Mismatched MTU
causes silent packet drops that are painful to debug. Always calculate and set explicitly.
Check who manages DNS. systemd-resolved, NetworkManager, and manual /etc/resolv.conf
fight each other. Identify the active manager before making DNS changes.
Verify the existing firewall. Check nft list ruleset and iptables-save before
adding rules. Mixing nftables and iptables on the same system causes unpredictable behavior.
No plaintext on untrusted segments. TLS 1.2+ for all services. If something needs to
cross an untrusted network without TLS, tunnel it through a VPN.
Subnet overlap kills VPNs. Before assigning VPN address ranges, inventory all LAN
subnets and existing VPN ranges. Overlapping ranges cause routing black holes.