Daily Worklog: 2026-02-12 (Thursday)
Overview
Date: 2026-02-12 (Thursday)
Location: Remote
Focus: Enterprise Antora UI Bundle Architecture, Cloudflare Access Security, Documentation Infrastructure
Summary
Major infrastructure milestone: Enterprise UI Bundle Architecture fully operational. All Domus documentation sites now share a single, centrally managed UI bundle hosted on Cloudflare Pages and protected by Cloudflare Access.
Enterprise UI Bundle Architecture
Problem Statement
Previously, each domus-* repo had its own supplemental-ui folder with custom CSS/JS. This meant:
- UI changes required updating 15+ repos
- Inconsistent styling across documentation
- No central control over theme/styling
- Difficult to maintain and scale
Solution Architecture
┌─────────────────────────────────────────────────────────────────┐
│ SINGLE SOURCE OF TRUTH │
│ │
│ domus-antora-ui (GitHub - private) │
│ │ │
│ ▼ (auto-deploy on push) │
│ Cloudflare Pages (domus-ui project) │
│ │ │
│ ▼ │
│ ui.domusdigitalis.dev/ui-bundle.zip │
│ │ (Protected by Cloudflare Access) │
│ │ │
└────────┼────────────────────────────────────────────────────────┘
│
│ Service Token Authentication
▼
┌─────────────────────────────────────────────────────────────────┐
│ DOCUMENTATION SITES │
│ │
│ domus-docs (aggregator) ──► docs.domusdigitalis.dev │
│ ├── domus-infra-ops │
│ ├── domus-ise-linux │
│ ├── domus-ise-windows │
│ ├── domus-ise-ops │
│ ├── domus-netapi-docs │
│ ├── domus-secrets-ops │
│ ├── domus-identity-ops │
│ ├── domus-linux-ops │
│ ├── domus-python │
│ ├── domus-captures │
│ └── domus-automation-ops │
│ │
└─────────────────────────────────────────────────────────────────┘
Components Created
| Component | Description | Location |
|---|---|---|
| domus-antora-ui | Custom Antora UI bundle with enterprise styling | |
| Cloudflare Pages (domus-ui) | Hosts the UI bundle on CDN | |
| Service Token | antora-ui-bundle - allows build scripts to fetch protected bundle | Zero Trust > Service Credentials |
| Access Application | antora-ui-bundle - protects UI endpoint | Zero Trust > Access > Applications |
UI Bundle Features
Multi-Theme Support
Three professionally designed themes with cookie persistence:
- Dark (default) - Medical blue accent on dark background
- Catppuccin Mocha - Pastel colors from the Catppuccin palette
- Light - Clean light theme with bold accents
Focus Mode
Distraction-free reading mode:
- Press F to toggle focus mode
- Press Esc to exit focus mode
- Persisted via cookie
Premium Styling
- Gold gradient sidebars with glow effects
- Executive summary tables with Excel-like grid borders
- Code blocks with language badges and copy buttons
- Professional glassmorphism toggle buttons
- Smooth transitions and hover effects
Cloudflare Access Setup
Application Configuration
| Setting | Value |
|---|---|
| Application name | antora-ui-bundle |
| Subdomain | ui |
| Domain | domusdigitalis.dev |
| Policy | CI Build Access (Service Auth) |
Service Token
Created in Zero Trust > Service Credentials > Service Tokens:
- Name: antora-ui-bundle
- Used by: domus-docs Cloudflare Pages build
Environment Variables
Set in Cloudflare Pages > domus-docs > Settings > Environment Variables:
| Variable | Purpose |
|---|---|
| CF_ACCESS_CLIENT_ID | Service token ID |
| CF_ACCESS_CLIENT_SECRET | Service token secret |
| CF_ANTORA_GIT_TOKEN | GitHub PAT for private repos |
Build Script Updates
domus-docs/build.sh
Updated to fetch UI bundle with Cloudflare Access authentication:
```bash
#!/bin/bash
# Builds the domus-docs Antora site with:
# 1. Fetches UI bundle from ui.domusdigitalis.dev (Cloudflare Access)
# 2. Injects GitHub token into playbook URLs for private repo access
# 3. Runs Antora build
set -euo pipefail

# Check for required tokens
if [ -z "${CF_ACCESS_CLIENT_ID:-}" ] || [ -z "${CF_ACCESS_CLIENT_SECRET:-}" ]; then
  echo "ERROR: CF_ACCESS_CLIENT_ID and CF_ACCESS_CLIENT_SECRET required" >&2
  exit 1
fi

# Fetch UI bundle with Cloudflare Access auth.
# curl -f only fails on 4xx/5xx; an unauthenticated request is answered with a
# 302 to the Access login page, so confirm the download really is a zip archive
# before building with it.
curl -sfo ui-bundle.zip \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  https://ui.domusdigitalis.dev/ui-bundle.zip
if [ "$(head -c 2 ui-bundle.zip)" != "PK" ]; then
  echo "ERROR: ui-bundle.zip is not a zip archive (Access auth rejected?)" >&2
  exit 1
fi

# (step 2, the token injection into the playbook, is not shown in this excerpt)

# Run Antora build
npx antora --quiet antora-playbook.yml
```
Playbook Update
Changed from remote URL to local bundle:
```yaml
ui:
  bundle:
    # Domus Enterprise UI Bundle (fetched by build.sh with Access auth)
    url: ./ui-bundle.zip
    snapshot: true
```
Issues Resolved
Environment Variable Naming
Problem: Build failed with "CF_ACCESS_CLIENT_ID and CF_ACCESS_CLIENT_SECRET required"
Cause: Variables were named with hyphens (CF-Access-Client-Id) instead of underscores
Fix: Renamed to CF_ACCESS_CLIENT_ID and CF_ACCESS_CLIENT_SECRET
Supplemental UI Override
Problem: Old theme toggle with emojis showing instead of new SVG icons; focus button missing
Cause: supplemental-ui/partials/footer-scripts.hbs in domus-docs was overriding the UI bundle
Fix: Removed supplemental-ui folder entirely; all styling now comes from UI bundle
Landing Page 404
Problem: Root URL ui.domusdigitalis.dev/ returned 404
Cause: Cloudflare Pages only had ui-bundle.zip, no index.html
Fix: Added static/index.html landing page and updated build script to copy it
Documentation Created
domus-infra-ops
New runbook: runbooks/antora-ui-architecture.adoc
Contents:
- Architecture diagram
- All components documented
- Environment variables reference
- How to update the UI
- How to add new repos
- Troubleshooting guide
- Security considerations
Nav update: Added to Architecture section
domus-antora-ui
Files created:
- src/css/domus-theme.css - All custom theme CSS
- src/js/vendor/domus-ui.js - Theme toggle, focus mode, code enhancements
- src/partials/head-styles.hbs - Early theme detection (FOUC prevention)
- src/partials/footer-scripts.hbs - Script loading
- static/index.html - Landing page for CDN
- Makefile - Build management
- README.adoc - Usage documentation
- .nvmrc - Node 18 for Cloudflare Pages
Commits
domus-antora-ui
| Commit | Message |
|---|---|
| Initial | Clone from antora-ui-default, add custom CSS/JS |
| Fix | Add ignorePatterns for vendor JS in .eslintrc |
| Fix | Disable cosmetic stylelint rules |
| Fix | Update .nvmrc from Node 10 to Node 18 |
| Feat | Add landing page for root URL |
| Build | Use custom domain ui.domusdigitalis.dev |
domus-docs
| Commit | Message |
|---|---|
| feat(build) | Secure UI bundle with Cloudflare Access |
| fix(ui) | Remove supplemental-ui overrides, use enterprise UI bundle only |
domus-infra-ops
| Commit | Message |
|---|---|
| docs(runbook) | Add Antora UI architecture documentation |
Validation
Access Protection Verified
```bash
# Unauthenticated access blocked
curl -sI https://ui.domusdigitalis.dev/ui-bundle.zip
# HTTP/2 302 → Cloudflare Access login

# Docs site protected
curl -sI https://docs.domusdigitalis.dev/
# HTTP/2 302 → Cloudflare Access login
```
Build Success
```text
Fetching UI bundle from ui.domusdigitalis.dev...
UI bundle downloaded
Injecting credentials into playbook...
Building Antora site...
Build complete: build/site/index.html
```
Benefits Achieved
| Benefit | Description |
|---|---|
| Single source of truth | One repo controls all UI styling |
| Scalability | Add unlimited repos, same UI setup |
| Security | Only authorized builds can fetch bundle |
| Global CDN | Cloudflare edge delivery |
| Consistency | All docs look identical |
| Easy updates | Push to UI repo, all sites get changes |
Workflow Going Forward
UI Changes
```bash
cd ~/atelier/_bibliotheca/domus-antora-ui
# Edit src/css/ or src/js/
npm run build   # Test locally
git add -A && git commit -m "feat(ui): Description"
git push
# Cloudflare Pages auto-deploys
```
Content Changes
Push to any domus-* repo. Next docs build uses latest UI.
Trigger Docs Rebuild
```bash
cd ~/atelier/_bibliotheca/domus-docs
git commit --allow-empty -m "chore: Trigger rebuild for UI update"
git push
```
Secrets Updated
Updated ~/.secrets/environments/domains/d000/dev/app.env.age:
- CF_ACCESS_CLIENT_ID - Cloudflare Access service token ID
- CF_ACCESS_CLIENT_SECRET - Cloudflare Access service token secret
Linux AD Authentication dACL Runbook
Context
Preparing for CHLA Linux deployment - need to validate dACL for AD-authenticated SSH. At CHLA, local SSH works but AD SSH fails under Research_Onboard ACL because AD traffic (Kerberos, LDAP, DNS) is blocked.
Runbook Created
File: domus-ise-linux/runbooks/linux-ad-auth-dacl.adoc
Features:
- Test environment: ISE 3.4 + Windows Server 2025 Core (home-dc01) + modestus-aw as test endpoint
- tee logging: All commands log to file AND screen for evidence collection
- [ADMIN]/[ENDPOINT] tags: Clear indication of which workstation to run commands from
- 4-phase approach:
  - Pre-Configuration Validation (ISE policy set, AD connectivity, existing objects)
  - ISE Policy Creation (dACL, authz profile, authz rule)
  - Force Reauthentication (CoA)
  - Endpoint Validation (AD connectivity, SSH with AD account, lateral movement block)
- dACL Design: Linux-Research-AD-Auth
  - Permits:
    - DHCP (67/68 UDP) - network bootstrap
    - DNS to DC (53 UDP/TCP)
    - Kerberos (88 UDP/TCP) - authentication
    - LDAP/LDAPS (389/636 TCP) - directory services
    - Global Catalog (3268/3269 TCP)
    - SMB/CIFS (445 TCP) - AD operations
    - NTP (123 UDP) - time sync (critical for Kerberos)
    - ICMP - diagnostics
    - Internet egress (after RFC1918 deny)
  - Blocks:
    - All RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) - zero-trust lateral movement
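The dACL above only works if the DC permits sit ahead of the RFC1918 denies, since the DC itself lives in private space. The following is an added example (not from the runbook or netapi) that models the design as ordered, simplified Cisco-style ACEs and walks sample flows through first-match evaluation; the DC address is a constructed placeholder, and the parser assumes a source of "any" and contiguous wildcard masks.

```python
import ipaddress

# Constructed placeholder for the DC address; the page keeps real IPs in attributes.
DC = "10.0.0.10"

# Simplified Cisco-style ACEs modelled on the Linux-Research-AD-Auth design above.
# Order matters: every permit toward the DC must precede the RFC1918 denies.
LINUX_RESEARCH_AD_AUTH = [
    "permit udp any any eq 67", "permit udp any any eq 68",              # DHCP bootstrap
    *[f"permit {p} any host {DC} eq {port}" for p in ("udp", "tcp") for port in (53, 88)],
    *[f"permit tcp any host {DC} eq {port}" for port in (389, 636, 3268, 3269, 445)],
    "permit udp any any eq 123",                                          # NTP for Kerberos
    "permit icmp any any",                                                # diagnostics
    "deny ip any 10.0.0.0 0.255.255.255",                                 # RFC1918: no lateral
    "deny ip any 172.16.0.0 0.15.255.255",
    "deny ip any 192.168.0.0 0.0.255.255",
    "permit ip any any",                                                  # internet egress
]

def _parse_dst(tokens):
    """Return (network, remaining tokens) for 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    prefix = 32 - int(ipaddress.ip_address(tokens[1])).bit_length()  # contiguous wildcard only
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def evaluate(acl, proto, dst_ip, dst_port=None):
    """First-match walk of the ACEs for an endpoint-sourced flow; returns 'permit' or 'deny'."""
    dst = ipaddress.ip_address(dst_ip)
    for ace in acl:
        action, ace_proto, _src, *rest = ace.split()   # source is always 'any' (the endpoint)
        if ace_proto not in ("ip", proto):
            continue
        net, rest = _parse_dst(rest)
        if dst not in net:
            continue
        if rest and rest[0] == "eq" and int(rest[1]) != dst_port:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL

if __name__ == "__main__":
    for flow in [("udp", DC, 88), ("tcp", DC, 22), ("tcp", "192.168.1.50", 22),
                 ("tcp", "203.0.113.10", 443)]:
        print(flow, "->", evaluate(LINUX_RESEARCH_AD_AUTH, *flow))
```

Kerberos to the DC is permitted while SSH to the same DC or to any other RFC1918 host is denied, which is the "lateral movement block" the Endpoint Validation phase checks.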
netapi CLI Updates
Fixed netapi ise mnt sessions:
- Username no longer truncated (was 25 chars, now overflow="fold" with max_width=40)
- Clarified that VLAN output requires the --details flag
Added to cloudflare-commands.adoc:
- wrangler pages project list - list all Pages projects
- wrangler pages deploy - deploy without dashboard
- Full deploy workflow for docs and UI bundle
Documentation Restructuring
- Moved linux-ad-auth-dacl.adoc from domus-infra-ops to domus-ise-linux (better fit with ISE Linux 802.1X content)
- Fixed cross-component xref syntax (netapi: → netapi::) in cloudflare-access-antora.adoc
Commits
| Repo | Commit | Message |
|---|---|---|
| domus-infra-ops | 94caf63 | docs(runbook): Add tee logging to linux-ad-auth-dacl validation |
| domus-infra-ops | 8e6e90a | fix: Use double-colon for cross-component xref in cloudflare-access-antora |
| domus-infra-ops | 1b876ea | refactor: Move linux-ad-auth-dacl.adoc to domus-ise-linux |
| domus-ise-linux | 68ee527 | docs(runbook): Add Linux AD Authentication dACL runbook |
| domus-netapi-docs | 4ee5d1a | docs(cloudflare): Add wrangler pages deploy commands |
Deployments
All sites rebuilt and deployed to Cloudflare Pages:
- docs.domusdigitalis.dev - Documentation site
- ui.domusdigitalis.dev - UI bundle
Pending
- Test focus mode functionality after build
- Add favicon to UI bundle
- Update other domus-* repo playbooks to use CDN bundle (for standalone builds)
- Execute linux-ad-auth-dacl runbook on modestus-aw
  - Create dACL in ISE via netapi
  - Create authorization profile with dACL + VLAN
  - Create authorization rule for Linux workstations
  - Test SSH with AD account on modestus-aw
Session: domus-siem-ops Creation
Duration: ~2 hours
Objective: Create a vendor-agnostic SIEM operations repository that scales to any SIEM platform
Problem Statement
SIEM documentation was fragmented across multiple Principia directories:
- ARS-SIEM-QRADAR - QRadar architecture/reference
- ARS-SIEM-SENTINEL - Sentinel architecture/reference
- OPS-SIEM-QRADAR - QRadar operations (Antora structure)
- OPS-SIEM-SENTINEL - Sentinel operations
- OPS-SIEM-WAZUH - Wazuh mapping
No unified, scalable structure for growing SIEM expertise across platforms.
Solution: domus-siem-ops
Created new repo following domus-* conventions:
```text
domus-siem-ops/
├── .claude/CLAUDE.md
├── docs/asciidoc/
│   ├── antora.yml                 # Environment attributes (no hardcoded IPs)
│   └── modules/ROOT/
│       ├── nav.adoc
│       └── pages/
│           ├── index.adoc
│           ├── concepts/siem-fundamentals.adoc
│           ├── qradar/
│           │   ├── aql-reference.adoc
│           │   ├── queries/{threat-detection,network-flows,authentication}.adoc
│           │   ├── hunts/{vnc-hunt,evil-twin-hunt,suspicious-endpoint}.adoc
│           │   ├── playbooks/{incident-response,threat-hunting}.adoc
│           │   └── reference/{aql-functions,device-types,field-reference}.adoc
│           ├── sentinel/kql-reference.adoc
│           ├── wazuh/qradar-mapping.adoc
│           ├── splunk/spl-reference.adoc
│           └── migrations/qradar-to-sentinel.adoc
```
Key Design Decisions
- Vendor-agnostic structure - Concepts shared, platform-specific sections separate
- Attributes for everything - No hardcoded IPs, ports, or credentials
- Fresh start - Principia content stays untouched; reference when building new
- Future-ready - Splunk placeholder for when needed
Commands Run
```bash
# Create directory structure
mkdir -p ~/atelier/_bibliotheca/domus-siem-ops/{.claude,docs/asciidoc/modules/ROOT/{pages/{concepts,qradar/{queries,hunts,playbooks,reference},sentinel,wazuh,splunk,migrations},images}}

# Initialize git
cd ~/atelier/_bibliotheca/domus-siem-ops
git init && git branch -m main
git add -A
git commit --no-gpg-sign -m "feat: Initial domus-siem-ops structure"

# Fix remotes (following domus-docs pattern)
git remote remove origin
git remote add origin git@github.com:EvanusModestus/domus-siem-ops.git
git remote add gitlab git@gitlab.com:EvanusModestus/domus-siem-ops.git
git remote add gitea git@gitea-01.inside.domusdigitalis.dev:evanusmodestus/domus-siem-ops.git

# Push to all remotes
git push -u origin main
git push -u gitlab main
git push -u gitea main
```
Multi-Remote Heredoc Pattern
```bash
bash <<'EOF'
cd ~/atelier/_bibliotheca/domus-siem-ops
git remote remove origin
git remote add origin git@github.com:EvanusModestus/domus-siem-ops.git
git remote add gitlab git@gitlab.com:EvanusModestus/domus-siem-ops.git
git remote add gitea git@gitea-01.inside.domusdigitalis.dev:evanusmodestus/domus-siem-ops.git
git remote -v
EOF
```
Files Created
21 files, 1029 lines total:
| File | Purpose |
|---|---|
| antora.yml | SIEM attributes (ports, CIDRs, Windows Event IDs) |
| concepts/siem-fundamentals.adoc | Vendor-agnostic SIEM concepts |
| qradar/aql-reference.adoc | Comprehensive AQL reference |
| qradar/queries/*.adoc | Threat detection, network flows, authentication queries |
| qradar/hunts/*.adoc | VNC hunt, evil twin, suspicious endpoint |
| sentinel/kql-reference.adoc | KQL reference placeholder |
| migrations/qradar-to-sentinel.adoc | Platform migration guide |
Session: Linux Client Attribute Conversion
Duration: ~1 hour
Objective: Convert remaining hardcoded values to Antora attributes in domus-ise-linux
Files Updated
| File | Changes |
|---|---|
| domain-join.adoc | |
| monitoring.adoc | |
| wpa-supplicant-wifi.adoc | |
| antora.yml | Added |
Commit
```bash
git commit -m "refactor(linux-client): Convert hardcoded values to attributes

- domain-join.adoc: Use {ad-dc-ip} and {ad-dc-hostname}
- monitoring.adoc: Use {mgmt-network} and {zabbix-server}
- wpa-supplicant-wifi.adoc: Use {wlc-ip} and {vlan-data-gateway}
- antora.yml: Add mgmt-network and zabbix-server attributes"
```
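The "attributes for everything" rule from the domus-siem-ops design and this conversion session is easy to regress on, since a hardcoded address pasted into a page ends up published. The following is an added example (not part of any domus-* repo) of a pre-commit style check: it flags literal RFC1918 addresses in AsciiDoc text, maps them back to the attribute that already holds the value, and lists {name} references that antora.yml does not define. The sample page and attribute map are constructed stand-ins, and AsciiDoc-escaped braces (\{name\}) are deliberately ignored.

```python
import re

# Constructed sample page standing in for domain-join.adoc mid-conversion (not the repo's file).
SAMPLE_ADOC = """\
= Domain Join
Point DNS at the DC: 10.20.0.5 (hostname dc01.lab.example)
realm join {ad-dc-hostname} --user {ad-join-user}
Zabbix server: {zabbix-server}, management network {mgmt-network}
Escaped braces in prose are not references: \\{not-an-attribute\\}
"""
# Constructed stand-in for the asciidoc.attributes block of antora.yml.
ANTORA_ATTRIBUTES = {"ad-dc-ip": "10.20.0.5", "ad-dc-hostname": "dc01.lab.example",
                     "mgmt-network": "10.20.0.0/24", "zabbix-server": "10.20.0.20"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ATTR_REF = re.compile(r"(?<!\\)\{([A-Za-z0-9_][\w-]*)\}")  # {name}, but not \{name\}

def is_rfc1918(ip):
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def find_hardcoded_ips(adoc_text, private_only=True):
    """Return (line_no, ip) for literal IPv4 addresses that should be attribute references."""
    hits = []
    for n, line in enumerate(adoc_text.splitlines(), 1):
        hits += [(n, ip) for ip in IPV4.findall(line) if not private_only or is_rfc1918(ip)]
    return hits

def undefined_attributes(adoc_text, defined):
    """Return attribute names referenced as {name} but missing from antora.yml."""
    return sorted({name for name in ATTR_REF.findall(adoc_text) if name not in defined})

def suggest_attribute(ip, defined):
    """Map a literal IP back to the attribute that already holds it, if any."""
    return next((k for k, v in defined.items() if v == ip), None)

if __name__ == "__main__":
    for n, ip in find_hardcoded_ips(SAMPLE_ADOC):
        print(f"line {n}: hardcoded {ip} -> use {{{suggest_attribute(ip, ANTORA_ATTRIBUTES)}}}")
    print("undefined attributes:", undefined_attributes(SAMPLE_ADOC, ANTORA_ATTRIBUTES))
```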
Session: Kroki Diagram Server Integration
Duration: ~1 hour
Objective: Add Kroki diagram server to domus-docs for inline diagram rendering
Components Added
- docker-compose.yml - Kroki server with security hardening
- Makefile targets: kroki, kroki-stop, kroki-status
- Graceful Ctrl+C handling for make serve
Key Learnings
- internal: true on the Docker network breaks port publishing - removed
- Python catches SIGINT internally, preventing shell traps - use ; syntax instead
- Two diagram approaches: standalone (Makefile → SVG) vs inline (Kroki at build time)
Pending
- Complete SIEM gap analysis and learning roadmap
- Execute linux-ad-auth-dacl runbook on modestus-aw
- Spanish tutor homework for 2026-02-13
- Xianming Ding researcher Linux request
References
- ise-linux::runbooks/linux-ad-auth-dacl.adoc - Linux AD Authentication dACL Runbook
- infra-ops::runbooks/antora-ui-architecture.adoc - Antora UI Architecture Runbook
- netapi::cli/cloudflare-commands.adoc - Cloudflare Commands (wrangler deploy)