Daily Worklog: 2026-02-18
Overview
Date: 2026-02-18 (Wednesday)
Location: Remote
Focus: Architectus Cloudflare Pages deployment, netapi pfSense feature extensions, enterprise infrastructure architecture diagrams, Network Reference documentation
Today’s Agenda Summary
Completed This Session
| Item | Details | Status |
|---|---|---|
| Site validation | All domus-* repos build clean, fixed NetScaler dangling xref | [x] Done |
| Work tracker diagram | Compact horizontal D2 diagram for worklog | [x] Done |
Immediate Priority (Today)
| Task | Details | Priority |
|---|---|---|
| domus-netapi-docs issue | User-reported issue - pending investigation | NOW |
| YubiKey GPG setup | gopass v3 initialization with subkeys on YubiKey | P0 |
| Python Crash Course Ch.1 | Getting Started - hello_world.py, exercises 1-1 to 1-3 | P1 |
Work Deliverables (Carried Over)
| Deliverable | Checklist | Priority |
|---|---|---|
| srt-9 Linux (Xianming Ding) | Cert chain, EAP-TLS, dACL, AD, SSH, UFW | P0 CRITICAL |
| Research Segmentation | Untrusted VLAN, ISE policy, endpoint migration | P0 CRITICAL |
| Spikewell BYOD VPN | dACL for SQL, AD group validation | P1 |
| Strongline Gateway | MAC capture, Identity Group, authz rule | P1 |
| iPSK HA | Ben Castillo coordination, cleanup, failover test | P1 |
Personal/Learning
| Item | Notes |
|---|---|
| YubiKey GPG | Primary + backup keys, gopass v3 store |
| Python Crash Course | Chapter 1 today, learning repo setup |
| EAP-TEAP Windows | Client cert for 802.1X (future session) |
Tracking (Monitor)
- ChromeOS EAP-TLS (Victor/Paul)
- QRadar → Sentinel migration
- ISE 30-day auth export workaround
- DNAC dot1x templates
Enterprise Roadmap: What’s Between Us and Production
Dependency Chain
```text
PHASE 0: SECRETS FOUNDATION (TODAY)
│
├─► YubiKey GPG Setup
│   └─► gopass v3 Init
│       └─► Password Migration (pass, v2, 1Password)
│
└─► Multi-Remote Sync (GitHub, GitLab, Gitea)

PHASE 1-8: INFRASTRUCTURE
│
├─► Vault Hardening (HA, policies, backup)
│   │
│   ├─► Certificate Infrastructure
│   │   │
│   │   ├─► Linux Workstation Completion
│   │   │   └─► ISE Posture (Secure Client)
│   │   │
│   │   ├─► EAP-TEAP (Windows 802.1X)
│   │   │
│   │   └─► MDM Dynamic Certs (SCEP/EST)
│   │       └─► ChromeOS EAP-TLS
│   │
│   └─► Kubernetes Secrets Injection
│       └─► k3s Workloads
│
└─► VM Provisioning (Host B)
    └─► HA for all services
```
Phase 0: Secrets Foundation (PRE-REQUISITE)
YubiKey GPG and gopass v3 migration - foundation for all secrets management.
| Task | Details | Status | Blocks |
|---|---|---|---|
| YubiKey GPG Setup | Master key + subkeys (Sign, Encrypt, Auth) on YubiKey | [ ] Today | All gopass ops |
| Backup YubiKey | Duplicate subkeys on second YubiKey, store in safe | [ ] Today | DR for secrets |
| gopass v3 Store Init | Domain-aligned structure (d000, d001, personal, keys) | [ ] Today | Password migration |
| Password Migration | pass, gopass v2 (ADMINISTRATIO, ARCANA), 1Password → gopass v3 | [ ] This week | Consolidation |
| Multi-Remote Sync | GitHub, GitLab, Gitea push | [ ] After init | Redundancy |
gopass v3 Target Structure
```text
gopass-v3/
├── domains/
│   ├── d000/                 # Home lab
│   │   ├── network/          # pfSense, switches, APs
│   │   ├── infrastructure/   # Vault, ISE, Keycloak, AD
│   │   └── services/         # NAS, Gitea, apps
│   └── d001/                 # Work domain (if applicable)
├── personal/
│   ├── financial/            # Banks, investments
│   ├── shopping/             # Amazon, retail
│   ├── social/               # Email, social media
│   └── subscriptions/        # Streaming, SaaS
├── keys/
│   ├── ssh/                  # SSH private keys (age-encrypted)
│   ├── api/                  # API tokens
│   └── certificates/         # Client certs
└── recovery/
    ├── luks-headers/         # LUKS header backups
    └── 2fa-recovery/         # TOTP recovery codes
```
Migration Sources
| Source | Content | Priority |
|---|---|---|
| pass (~/.password-store) | Legacy passwords | Medium |
| gopass v2 ADMINISTRATIO | Infrastructure secrets | High |
| gopass v2 ARCANA | Personal secrets | High |
| 1Password | Export via CLI | Medium |
Phase 1: Vault Foundation (BLOCKING)
Everything depends on Vault being production-ready.
| Task | Details | Status | Blocks |
|---|---|---|---|
| Vault HA Deployment | vault-02 (.61), vault-03 (.62) on Host B | [ ] Not started | All HA |
| Raft Cluster Formation | 3-node cluster with auto-unseal | [ ] Not started | PKI HA |
| Backup Automation | Raft snapshots to NAS, off-site rotation | [ ] Not started | DR |
| Policy Hardening | Least-privilege policies for each role | [ ] Not started | Security |
| LDAP Auth Backend | AD integration for human access | [ ] Not started | Operations |
| AppRole for Automation | netapi, Ansible, k3s service accounts | [ ] Not started | Automation |
Phase 2: Certificate Infrastructure
| Task | Details | Status | Blocks |
|---|---|---|---|
| PKI Roles Expansion | domus-client-windows, domus-client-linux, domus-client-mobile | [x] Partial | EAP-TEAP, MDM |
| SCEP Endpoint | Vault SCEP for MDM enrollment (Intune, Jamf) | [ ] Not started | ChromeOS, mobile |
| EST Endpoint | RFC 7030 for modern clients | [ ] Not started | Future clients |
| Short-lived Certs | 24h validity for workstations, auto-renewal | [ ] Not started | Security posture |
| CRL/OCSP | Certificate revocation infrastructure | [ ] Not started | Compliance |
Phase 3: Linux Workstation Completion
| Task | Details | Status | Blocks |
|---|---|---|---|
| srt-9 (Xianming Ding) | EAP-TLS, dACL, AD join, UFW | [ ] In progress | Research deployment |
| Cert Auto-Renewal | certbot-like renewal via Vault API | [ ] Not started | Long-term ops |
| SSSD Hardening | Offline cache, ticket renewal tuning | [x] Done (modestus-aw) | Template ready |
| ISE Posture Integration | Secure Client + posture assessment | [ ] DEFERRED | Phase 5 |
Phase 4: EAP-TEAP (Windows 802.1X)
| Task | Details | Status | Blocks |
|---|---|---|---|
| Vault Windows Cert Role | domus-client-windows with proper EKU | [ ] Not started | Windows auth |
| TEAP Allowed Protocol | Domus_TEAP_TLS_TTLS configuration | [x] Done | ISE ready |
| GPO Cert Enrollment | Auto-enroll from Vault (or manual deploy) | [ ] Not started | Scale |
| Test on Work Laptop | Manual cert install, validate auth | [ ] Not started | Proof of concept |
| User+Machine Chaining | TEAP EAP chaining validation | [ ] Not started | Full security |
Phase 5: ISE Posture (DEFERRED)
Requires Cisco Secure Client deployed to endpoints.
| Task | Details | Status | Blocks |
|---|---|---|---|
| Secure Client Deployment | Package for Linux/Windows/Mac | [ ] Not started | All posture |
| Posture Policies | Firewall enabled, AV running, disk encrypted | [ ] Not started | Compliance |
| Remediation Actions | Quarantine VLAN, portal redirect | [ ] Not started | Enforcement |
| CoA Integration | Change of Authorization on posture change | [ ] Not started | Dynamic response |
Phase 6: MDM Dynamic Certs
| Task | Details | Status | Blocks |
|---|---|---|---|
| Intune SCEP Connector | Vault SCEP → Intune enrollment | [ ] Not started | Windows BYOD |
| Jamf SCEP Profile | Vault SCEP → macOS enrollment | [ ] Not started | Mac BYOD |
| ChromeOS SCEP | Google Admin → Vault SCEP | [ ] Not started | ChromeOS EAP-TLS |
| Mobile Device Certs | iOS/Android via MDM | [ ] Not started | Mobile 802.1X |
Phase 7: Kubernetes Integration
| Task | Details | Status | Blocks |
|---|---|---|---|
| k3s Deployment | Master + worker on Host A | [ ] Not started | Container platform |
| Vault Sidecar Injector | Secrets injection into pods | [ ] Not started | App secrets |
| Keycloak OIDC | k8s API auth via Keycloak | [ ] Not started | Human access |
| ArgoCD GitOps | Declarative deployments from Gitea | [ ] Not started | CI/CD |
| Traefik Ingress | TLS termination with Vault certs | [ ] Not started | External access |
Phase 8: VM Provisioning (Host B)
| VM | IP | Purpose | Status |
|---|---|---|---|
| vault-02 | 10.50.1.61 | Raft follower | [ ] Not provisioned |
| vault-03 | 10.50.1.62 | Raft follower | [ ] Not provisioned |
| ISE-02 | 10.50.1.21 | PSN failover | [ ] Not provisioned |
| bind-02 | 10.50.1.91 | DNS slave | [ ] Not provisioned |
| home-dc02 | 10.50.1.51 | AD replication | [ ] Not provisioned |
| ipsk-mgr-02 | 10.50.1.31 | MySQL replication | [ ] Not provisioned |
| NAS-02 | 10.50.1.71 | Backup target | [ ] Synology (physical) |
| k3s-02 | 10.50.1.121 | HA master/worker | [ ] Not provisioned |
Critical Path (Shortest Path to EAP-TEAP)
| Step | Effort | Deliverable |
|---|---|---|
| 1 | 1 day | Vault Windows cert role + test issuance |
| 2 | 2 hours | Manual cert deploy to work laptop |
| 3 | 1 hour | NetworkManager/Windows 802.1X config |
| 4 | 30 min | Test EAP-TEAP auth against ISE |
| Total | ~1.5 days | Windows EAP-TEAP working |
What’s Deferred and Why
| Item | Reason | Unblock Condition |
|---|---|---|
| ISE Posture | Requires Secure Client rollout | Phase 5 after cert infra stable |
| MDM SCEP | Need Intune/Jamf configured | After Vault SCEP endpoint |
| k3s Workloads | No production apps yet | After Vault sidecar working |
| Host B VMs | Hardware not racked | Physical setup required |
Carried Over from Yesterday
Source: Principia/02_Assets/TAB-CAPTURES/index/ops-rolling-engagements.adoc
Critical Deliverables (P0)
srt-9 Linux Workstation - Xianming Ding
Location: SRT 9th Floor / Research / Xianming Ding
| Item | Status | Notes |
|---|---|---|
| Certificate chain | [ ] | Root CA + Issuing CA + Client cert |
| Private key | [ ] | Mode 0600, owned by root |
| NetworkManager 802.1X | [ ] | EAP-TLS, password flags fixed |
| EAP-TLS authentication | [ ] | MUST be EAP-TLS, NOT MAB |
| dACL applied | [ ] | DACL_LINUX_RESEARCH_AD_AUTH |
| AD connectivity | [ ] | kinit, ldapsearch verified |
| SSH access | [ ] | From admin workstation |
| UFW firewall | [ ] | Configured and enabled |
Research Segmentation
| Item | Status | Notes |
|---|---|---|
| Policy decision | [x] | All Research endpoints → Untrusted VLAN (CISO decision) |
| VLAN configuration | [ ] | Create Research Untrusted VLAN |
| ISE policy update | [ ] | Authorization rules for Research endpoints |
| Endpoint migration | [ ] | Move Research devices to new policy |
High Priority (P1)
Spikewell BYOD VPN
| Item | Status | Notes |
|---|---|---|
| dACL for SQL access | [ ] | Permit SQL traffic to specific servers |
| AD group validation | [ ] | Verify group membership for VPN access |
| Testing | [ ] | End-to-end VPN + SQL connectivity |
Strongline Gateway Whitelist
| Item | Status | Notes |
|---|---|---|
| MAC address capture | [ ] | Collect all Strongline gateway MACs |
| Identity Group creation | [ ] | ISE endpoint identity group |
| Import MACs | [ ] | Bulk import to ISE |
| Authorization policy | [ ] | Create authz rule for Strongline |
iPSK HA with Ben Castillo
| Item | Status | Notes |
|---|---|---|
| Expansion planning | [ ] | Coordination meeting TBD |
| Cleanup tasks | [ ] | iPSK infrastructure cleanup |
| HA testing | [ ] | Failover validation |
Strategic Engagements (P2)
| Engagement | Status | Owner |
|---|---|---|
| ChromeOS MS-CHAPv2 → EAP-TLS | SCEP URL/AD template validation with Victor; Paul testing endpoint behavior | Victor/Paul |
| QRadar → Sentinel Migration | In progress | Security Team |
| Azure Legacy → Modern Landing Zone | Planning phase | Cloud Team |
| BMS Legacy Windows Isolation | Needs quarantine VLAN + server-specific dACL | Network Team |
| Cisco DNAC → Catalyst Center | dot1x template cleanup | Network Team |
| Isensix AP NAC | Log capture, onboarding validation | NAC Team |
| NebulaOne Integration | Pending tasks | Integration Team |
| OCI Cloud Onboarding | Planning | Cloud Team |
Operational Issues (Monitor)
| Issue | Workaround/Status | Priority |
|---|---|---|
| ISE 30-day Auth Export | Weekly exports + concatenate; long-term: MnT API bulk pagination | Medium |
| ChromeOS 24-hour session | Imprivata badge tap workflow validation | Low |
| Wired/Wireless Failover | ChromeOS network profile testing | Low |
Session: Architectus Cloudflare Pages Deployment
Accomplishments
Successfully deployed docs.architectus.dev to Cloudflare Pages with full CLI automation:
- Created Pages project via netapi cloudflare pages create
- Configured GitHub Actions CI/CD with wrangler
- Added custom domain with DNS CNAME record
- Created least-privilege API tokens (separate for CI vs local)
- Zero dashboard interaction - full programmability achieved
API Token Strategy
| Token | Permissions | Scope |
|---|---|---|
| | Pages:Read, Access:Edit, Cache Purge | IP-filtered to personal machine |
| | Zone:Zone:Read, Zone:DNS:Edit | IP-filtered to personal machine |
| | Account:Cloudflare Pages:Edit | No IP filter (GitHub Actions runners) |
Session: netapi pfSense Feature Extensions
New Commands Added
Extended netapi pfsense module with additional network management features:
| Command | Purpose |
|---|---|
| netapi pfsense arp list | List ARP table entries |
| netapi pfsense dns list | List DNS host overrides |
| netapi pfsense dns add | Add DNS host override |
| | Remove DNS host override |
Usage Examples
```shell
# List all DNS overrides
netapi pfsense dns list

# Add new DNS record
netapi pfsense dns add --host vault-02 --domain inside.domusdigitalis.dev --ip 10.50.1.61

# Get ARP table
netapi pfsense arp list
```
Session: Enterprise Infrastructure Architecture Diagrams
Created comprehensive D2 architecture diagrams for infrastructure documentation.
Diagrams Created/Updated
| Diagram | Description | Location |
|---|---|---|
| infrastructure-radial-v2 | Hub-spoke architecture with all infrastructure sectors (Security, PKI, Directory, Wireless, Storage, Compute, Monitoring) | infra-ops::images/diagrams/ |
| k8s-identity-integration | Zero-trust Kubernetes identity flow: AD → Keycloak → k8s API → Pods ← Vault → ISE | infra-ops::images/diagrams/ |
| infrastructure-ha-complete | Host A/B HA topology showing all VMs distributed across hypervisors | infra-ops::images/diagrams/ |
infrastructure-radial-v2.svg
Key features:
- 8 sectors radiating from pfSense core
- Color-coded by function (Security red, PKI green, Directory cyan, etc.)
- Gray text for planned/standby nodes
- Shows all current + planned infrastructure
k8s-identity-integration.svg
Demonstrates how existing infrastructure powers containers:
- Users → SSO via Keycloak
- Identity Layer: AD (source of truth) → Keycloak (OIDC broker)
- Secrets Layer: Vault HA injects secrets into pods
- Kubernetes Layer: API with OIDC auth, Vault sidecar in pods
- Network Layer: ISE 802.1X for node authentication
Architecture Decisions Made
| Decision | Choice | Rationale |
|---|---|---|
| Load Balancing | HAProxy (pfSense) + Traefik (k3s) | NetScaler free tier useless (20 Mbps limit) |
| Object Storage | MinIO (planned) | S3-compatible, self-hosted |
| Monitoring Stack | Wazuh + Zabbix + Prometheus + Grafana | Enterprise-grade, vendor-agnostic |
| Second KVM Host | Same subnet (10.50.1.0/24) | Standard HA practice |
Session: Network Reference Page
Comprehensive IP/DNS/Port Documentation
Transformed ip-addressing.adoc into a complete Network Reference page:
- VLAN allocation table (MGMT 100, DATA 10, VOICE 20, GUEST 30, RESEARCH 40, MONITORING 120)
- IP range allocation with status (Active/Planned/Reserved)
- Current allocations for all 15+ IP ranges
- Service ports organized by category (30+ ports)
- DNS zones (internal BIND + external Cloudflare)
- Naming conventions with patterns and examples
- Hypervisor allocation (Host A/B VM distribution)
Key IP Range Changes
| Range | Purpose | Status |
|---|---|---|
| .60-69 | PKI & Secrets (Vault HA: .60 leader, .61/.62 standby) | Active |
| .73 | MinIO S3-compatible storage | Planned |
| .110-119 | Available (formerly NetScaler) | Reserved |
| .120-129 | k3s Cluster Nodes | Planned |
| .130-139 | Monitoring Stack (Wazuh, Zabbix, Prometheus, Grafana) | Planned |
NetScaler Cleanup
- Deleted netscaler-load-balancing.adoc roadmap
- Removed from nav.adoc
- Removed from infrastructure-ha-complete.d2
- Added NOTE: "Load balancing handled by HAProxy (pfSense .1) and Traefik (k3s ingress)"
Session: Cloud at Home Architecture Discussion
Private Cloud Mapping
Your homelab IS a private cloud. Services map directly:
| Category | Your Infrastructure | Cloud Equivalent |
|---|---|---|
| Compute | KVM VMs | EC2/Azure VMs |
| Block Storage | Synology iSCSI | EBS/Azure Disk |
| File Storage | Synology NFS | EFS/Azure Files |
| Object Storage | MinIO (planned) | S3/Azure Blob |
| Identity | AD + Keycloak + ISE | IAM/Azure AD/Entra |
| Secrets | Vault HA | Secrets Manager/Key Vault |
| Containers | k3s | EKS/AKS |
| Network Security | ISE + pfSense | Security Groups/NSG |
| Monitoring | Wazuh/Zabbix/Prometheus | CloudWatch/Azure Monitor |
Skill Transfer
HAProxy/Traefik experience transfers directly to:
- F5 BIG-IP (pool, virtual server, health monitor = same concepts)
- Citrix NetScaler/ADC (same architecture, different CLI)
- AWS ALB/NLB (same fundamentals)
- Azure Application Gateway
Highlights from Yesterday (2026-02-17)
- iPSK Policy Fix - MacBook Domus-IoT SSID auth fixed (policy ordering)
- gopass v3 Architecture - Domain-aligned structure, multi-remote sync
- Architectus Cloudflare Pages - Full CLI deployment, no dashboard
- netapi Pages Commands - create, update, delete, domain
- domus-windows-ops - New repo with certificate management docs
- WSL SSH Agent Fix - Platform-aware ssh-agent in dotfiles-optimus
- Cisco Umbrella SSL - CA export PowerShell commands documented
Session: Work Windows CA Chain Import
Goal
Import DOMUS CA chain to work Windows laptop so SAML/internal HTTPS sites work when connected via Domus-IoT/iPSK from home.
CA Chain Location
Already stored in plaintext (not age-encrypted):
```text
~/.secrets/certs/d000/
├── domus-ca-chain.crt     # Full chain (root + issuing)
├── domus-root-ca.crt      # Root CA only
└── domus-issuing-ca.crt   # Issuing CA only
```
Import Commands (PowerShell as Admin)
```powershell
# Git pull secrets repo
cd $env:USERPROFILE\.secrets
git pull

# Import Root CA to Trusted Root store
Import-Certificate -FilePath "$env:USERPROFILE\.secrets\certs\d000\domus-root-ca.crt" `
    -CertStoreLocation Cert:\LocalMachine\Root

# Import Issuing CA to Intermediate CA store
Import-Certificate -FilePath "$env:USERPROFILE\.secrets\certs\d000\domus-issuing-ca.crt" `
    -CertStoreLocation Cert:\LocalMachine\CA
```
Verification
```powershell
# Check Root CA imported
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match "DOMUS" }

# Check Issuing CA imported
Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -match "DOMUS" }

# Test HTTPS to internal site
Invoke-WebRequest -Uri https://keycloak-01.inside.domusdigitalis.dev:8443 -UseBasicParsing
```
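Anything placed in Cert:\LocalMachine\Root is trusted by every TLS client on the laptop, so the file pulled from the secrets repo should be checked against a thumbprint obtained out of band (from the Vault PKI host, not from the same repo) before it is imported, and the imported chain should be confirmed to build from the machine stores rather than only grepping subjects. The script below is an added example, not part of the worklog or the domus-windows-ops docs; it assumes the ~/.secrets/certs/d000 layout above, and the two thumbprint values are placeholders to replace with the real ones.

```powershell
# Added example (not from the original worklog): verify DOMUS CA files before trusting them,
# then confirm the chain builds from the machine stores after Import-Certificate.
$CertDir = Join-Path $env:USERPROFILE '.secrets\certs\d000'

# Expected SHA-1 thumbprints, obtained out of band. PLACEHOLDERS: replace with real values.
$Expected = @{
    'domus-root-ca.crt'    = 'REPLACE_WITH_ROOT_CA_THUMBPRINT'
    'domus-issuing-ca.crt' = 'REPLACE_WITH_ISSUING_CA_THUMBPRINT'
}

function Test-DomusCaFile {
    param([string]$Path, [string]$ExpectedThumbprint)
    # X509Certificate2 parses PEM or DER from disk; .Thumbprint is the uppercase SHA-1 hex.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Matches    = ($cert.Thumbprint -eq $ExpectedThumbprint.ToUpperInvariant())
    }
}

# Step 1: compare every file against its pinned thumbprint; stop if any mismatch.
$results = foreach ($name in $Expected.Keys) {
    Test-DomusCaFile -Path (Join-Path $CertDir $name) -ExpectedThumbprint $Expected[$name]
}
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Matches }) {
    throw 'Thumbprint mismatch: do not import these files into LocalMachine\Root.'
}

# Step 2 (after Import-Certificate): build the issuing CA's chain using only the local stores.
# Revocation checking is disabled because CRL/OCSP for the DOMUS PKI is not deployed yet.
$issuing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    (Join-Path $CertDir 'domus-issuing-ca.crt')
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

if ($chain.Build($issuing)) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
} else {
    'Chain FAILED: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
}
```

Run the first half before the Import-Certificate commands and the second half after them; a successful Build whose last element is the DOMUS root confirms that the root landed in Trusted Root and the issuing CA in Intermediate CAs, which is what the Invoke-WebRequest test above depends on.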
Result
After import, internal HTTPS and SAML authentication work from work Windows laptop connected via iPSK.
Next Step
Full EAP-TEAP client cert for 802.1X (separate session).
Pending: YubiKey GPG Setup
Runbook Location
secrets-infrastructure::runbooks/gopass-v3-yubikey-gpg
Prerequisites Checklist
| Item | Status | Notes |
|---|---|---|
| YubiKey 5C NFC (Primary) | [ ] | Verify with |
| YubiKey 5C NFC (Backup) | [ ] | Store in safe after setup |
| gnupg installed | [ ] | |
| yubikey-manager installed | [ ] | |
| gopass installed | [ ] | |
| pcscd running | [ ] | |
Pending: Learning - Python Crash Course
Book Details
| Property | Value |
|---|---|
| Title | Curso Intensivo de Python (3ra Edicion) |
| Author | Eric Matthes |
| Roadmap | roadmaps/python-crash-course (infra-ops) |
Today’s Goal: Chapter 1 - Empezando (Getting Started)
| Task | Status | Notes |
|---|---|---|
| Read Chapter 1 | [ ] | Python installation, hello_world.py |
| Setup learning repo | [ ] | |
| Type all code examples | [ ] | No copy-paste - build muscle memory |
| Complete "Try It Yourself" exercises | [ ] | 1-1, 1-2, 1-3 |
| Commit to git | [ ] | Meaningful commit messages |
Summary: Today’s Deliverables
Completed
| Item | Status |
|---|---|
| Architectus Cloudflare Pages deployment | [x] Done (docs.architectus.dev live) |
| netapi pfSense DNS/ARP commands | [x] Done |
| Infrastructure radial diagram v2 | [x] Done (8 sectors, monitoring added) |
| k8s identity integration diagram | [x] Done (zero-trust flow) |
| Network Reference page | [x] Done (VLAN, IP, ports, DNS) |
| NetScaler removal (replaced with HAProxy/Traefik) | [x] Done |
| MinIO object storage planning | [x] Done (added to diagrams/docs) |
| Monitoring stack planning | [x] Done (Wazuh, Zabbix, Prometheus, Grafana) |
Outstanding / Owed
Critical / In-Flight
| Item | Details | Priority |
|---|---|---|
| srt-9 Linux Deployment | Xianming Ding workstation - EAP-TLS, dACL, UFW | CRITICAL |
| Research Segmentation | All Research endpoints → Untrusted VLAN per CISO decision | HIGH |
| Spikewell BYOD VPN | dACL for SQL access, AD group membership validation | HIGH |
| Strongline Gateway Whitelist | MAC address capture → Identity Group import | HIGH |
| iPSK HA with Ben Castillo | Expansion and cleanup | Medium |
Next Actions
Immediate (Today)
- YubiKey GPG setup (gopass v3 initialization)
- Python Crash Course Chapter 1
- srt-9 deployment planning
This Week
- Complete srt-9 deployment (Xianming Ding)
- Research segmentation policy finalization
- ChromeOS SCEP validation with Victor
- Backup YubiKey setup
Key Learnings
Infrastructure Architecture
- NetScaler not worth it - 20 Mbps free tier is useless. HAProxy + Traefik cover all needs.
- Second KVM server - Same subnet is standard practice for HA.
- Skills transfer - HAProxy/Traefik → F5/NetScaler concepts are identical.
- Private cloud = homelab - Your infrastructure maps 1:1 to AWS/Azure services.
D2 Diagrams
- Avoid Unicode box-drawing - Characters like ─── render poorly in D2.
- Combine overlapping elements - Use \n\n spacing in single labels.
- White text (#ffffff) - Better visibility for active nodes.
- Gray text (#a0a0a0) - Visual distinction for planned/standby.
Documentation Links
Diagrams Created
- infra-ops::images/diagrams/infrastructure-radial-v2.svg
- infra-ops::images/diagrams/k8s-identity-integration.svg
- infra-ops::images/diagrams/infrastructure-ha-complete.svg
Pages Updated
- infra-ops::architecture/ip-addressing (renamed to Network Reference)
- infra-ops::roadmaps/vault-enterprise-hardening (added diagrams)
Repos Pushed
- domus-infra-ops (diagrams, Network Reference)
- netapi (pfSense extensions)
- architectus-docs (Cloudflare Pages deployment)