WRKLOG-2026-02-21

Summary

Vault Enterprise Hardening roadmap Phases 1-4 completed. Fixed a critical PTY allocation issue with SSH certificates. Deployed the vault-ssh-sign automation script. Updated the captures-hierarchy diagram with an animated workflow. Created a Trackers section for reusable visual dashboards. Added a biblical teachings learning capture from a violin lesson.

Evening session: Fixed MathJax LaTeX rendering in Architectus (UI bundle v1.1.0). Created violin theory content (acoustics, technique) and applied mathematics for CS (cryptography, signal processing, complexity, linear algebra). 7 new pages, 1200+ lines.

Vault Enterprise Hardening

Phase 1: Audit Logging

Enabled file audit on vault-01:

sudo mkdir -p /var/log/vault
sudo chown vault:vault /var/log/vault
vault audit enable file file_path=/var/log/vault/audit.log

Phase 2: Policies Verified

All policies already exist:

vault policy list
admin
default
kv-reader
pki-issuer
ssh-client
root

Phase 3: KV Secrets Engine Verified

Namespace structure already created:

vault kv list kv/domus/
automation/
certificates/
infrastructure/

Phase 4: Auth Methods

Created netapi AppRole for PKI automation:

vault write auth/approle/role/netapi \
  token_policies="pki-issuer" \
  token_ttl=1h \
  token_max_ttl=4h \
  secret_id_ttl=0   # 0 = secret IDs never expire; rotate them deliberately

PTY Allocation Fix

Root Cause

SSH certificates signed with the domus-client role carried no extensions, so sshd would not allocate a PTY for interactive logins. The role defined allowed_extensions but had an empty default_extensions.

Broken certificate:

ssh-keygen -Lf ~/.ssh/id_ed25519_vault-cert.pub | grep Extensions
        Extensions: (none)

Fix Applied

Updated domus-client role with default_extensions:

vault write ssh/roles/domus-client - <<'EOF'
{
  "key_type": "ca",
  "allow_user_certificates": true,
  "default_user": "evanusmodestus",
  "allowed_users": "evanusmodestus,adminerosado,admin,administrator,domus\\administrator,ansible,root",
  "allowed_extensions": "permit-pty,permit-port-forwarding",
  "default_extensions": {
    "permit-pty": "",
    "permit-port-forwarding": ""
  },
  "ttl": "8h",
  "max_ttl": "24h"
}
EOF

Key Learnings

  • allowed_extensions = what a signing request MAY ask for

  • default_extensions = what IS included when the request specifies no extensions

  • Use <<'EOF' (quoted heredoc) for JSON with backslashes, so the shell leaves the \\ untouched

  • SSH agent caches the old cert: run ssh-add -d, then ssh-add again after re-signing

SSH Cert Renewal Automation

Deployed ~/.local/bin/vault-ssh-sign:

vault-ssh-sign
Output
Enter passphrase for /home/evanusmodestus/.ssh/id_ed25519_vault:
Identity added: /home/evanusmodestus/.ssh/id_ed25519_vault (vault-signed-20260219)
Certificate signed successfully:
        Valid: from 2026-02-21T00:53:42 to 2026-02-21T08:54:12
        Extensions:

Documentation Updates

  • vault-ssh-ca.adoc: Added PTY troubleshooting section, fixed vault-ssh-sign script

  • vault-enterprise-hardening.adoc: Fixed Phase 2 heredoc syntax, updated status indicators

  • CLAUDE.md: Added Vault status table, SSH CA quick commands

k3s Deployment (In Progress)

VM Created

Deployed k3s-master-01 on kvm-01 using Rocky 9 GenericCloud + cloud-init:

sudo cp Rocky-9-GenericCloud-Base.latest.x86_64.qcow2 k3s-master-01.qcow2
sudo qemu-img resize k3s-master-01.qcow2 50G
sudo cloud-localds /var/lib/libvirt/images/k3s-cloud-init.iso /tmp/k3s-cloud-init.yml
sudo virt-install --name k3s-master-01 --memory 4096 --vcpus 2 \
  --disk path=/var/lib/libvirt/images/k3s-master-01.qcow2,format=qcow2 \
  --disk path=/var/lib/libvirt/images/k3s-cloud-init.iso,device=cdrom \
  --os-variant rocky9 --network bridge=virbr0,model=virtio \
  --graphics none --console pty,target_type=serial --import --noautoconsole

Key Learnings

  • Bridge: Use virbr0 not br-mgmt - check existing VMs with virsh dumpxml

  • DNS: pfSense (10.50.1.1) forwarder + bind-01 (10.50.1.90) server - NOT home-dc01

  • cloud-init whitespace: YAML must start at column 0, verify with:

    awk 'NR<=5 {print NR": ["$0"]"}' /tmp/k3s-cloud-init.yml

  • cloud-init first boot: Only runs ONCE. Changed ISO? Recreate VM from fresh qcow2

  • Console password: plain_text_passwd required - SSH keys useless if network fails

Pending

  • Install k3s with SELinux

  • Configure Vault Agent integration

  • Add DNS record for k3s-master-01

Vault SSH CA: Time Sync Issue

Symptom

sshd: error: Refusing certificate ID "...": Certificate invalid: not yet valid

Root Cause

NTP was disabled on kvm-01. Clock was 17 minutes behind workstation.

# kvm-01 showed 09:49 while workstation showed 10:06
systemctl status systemd-timesyncd
# Active: inactive (dead)

Fix

sudo systemctl enable --now systemd-timesyncd
timedatectl show | awk -F= '/NTPSynchronized/{print}'
# NTPSynchronized=yes

Additional Issue: Missing Principals

The cert only carried the ansible principal while the login user was evanusmodestus. Re-sign with all principals:

vault write -field=signed_key ssh/sign/domus-client \
  public_key=@$HOME/.ssh/id_ed25519_vault.pub \
  valid_principals="ansible,evanusmodestus,root" \
  >| ~/.ssh/id_ed25519_vault-cert.pub

Prevention

Ensure NTP enabled on ALL infrastructure hosts before Vault SSH CA deployment.
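As an added diagnostic (not part of the original log or of the vault-ssh-sign script), this Python script decodes an ed25519 OpenSSH certificate and reports the three failure modes covered in the PTY and time-sync sections above: no permit-pty extension, a login user missing from the principals, and a validity window the local clock has not reached. build_sample_cert builds a constructed, unsigned blob so the parser runs offline; pass a real *-cert.pub line to parse_cert to check a Vault-signed cert.

```python
import base64, struct, time

def _s(d, off):
    """Read one length-prefixed SSH string; return (bytes, next offset)."""
    n = struct.unpack(">I", d[off:off + 4])[0]
    return d[off + 4:off + 4 + n], off + 4 + n

def _str(b):
    return struct.pack(">I", len(b)) + b

def _packed(buf):
    """Split concatenated SSH strings (principals, extension fields) into a list."""
    out, off = [], 0
    while off < len(buf):
        s, off = _s(buf, off)
        out.append(s.decode())
    return out

def parse_cert(line):
    """Decode an ssh-ed25519 '*-cert.pub' line into the fields sshd checks at login."""
    d, off = base64.b64decode(line.split()[1]), 0
    for _ in range(3):                      # cert type, nonce, ed25519 public key
        _, off = _s(d, off)
    off += 12                               # serial (uint64) + cert kind (uint32)
    key_id, off = _s(d, off)
    principals, off = _s(d, off)
    valid_after, valid_before = struct.unpack(">QQ", d[off:off + 16])
    _, off = _s(d, off + 16)                # critical options, not inspected here
    exts, _ = _s(d, off)                    # packed (name, data) pairs
    return {"key_id": key_id.decode(), "principals": _packed(principals),
            "valid_after": valid_after, "valid_before": valid_before,
            "extensions": _packed(exts)[::2]}

def check_cert(cert, login_user, now=None):
    """Reasons sshd would refuse this cert for login_user; empty list means usable."""
    now = time.time() if now is None else now
    checks = [("permit-pty" in cert["extensions"], "no permit-pty extension: interactive login gets no shell"),
              (login_user in cert["principals"], f"principal {login_user!r} not in {cert['principals']}"),
              (now >= cert["valid_after"], "not yet valid: check NTP on the signing and target hosts"),
              (now < cert["valid_before"], "expired: re-sign the key")]
    return [msg for ok, msg in checks if not ok]

def build_sample_cert(principals, extensions, valid_after, valid_before):
    """Constructed, unsigned ed25519 cert blob (no real CA signature) for offline testing."""
    t = b"ssh-ed25519-cert-v01@openssh.com"
    body = _str(t) + _str(b"\0" * 32) + _str(b"\0" * 32)                 # type, nonce, pk
    body += struct.pack(">QI", 1, 1) + _str(b"vault-signed-sample")      # serial, user cert, key id
    body += _str(b"".join(_str(p.encode()) for p in principals))
    body += struct.pack(">QQ", valid_after, valid_before) + _str(b"")    # validity, critical options
    body += _str(b"".join(_str(e.encode()) + _str(b"") for e in extensions))
    body += _str(b"") * 3                                                # reserved, CA key, signature
    return t.decode() + " " + base64.b64encode(body).decode() + " sample"
```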

Kroki/D2 Diagram Build Output

Finding Rendered SVGs

Kroki renders D2 sources during make to the build directory, NOT to docs/modules/ROOT/images/:

find build/site -name "*.svg" 2>/dev/null | head -20
Output
build/site/captures/_images/diagrams/captures-hierarchy.svg
build/site/captures/_images/diagrams/ise-distributed-deployment.svg
build/site/captures/_images/diagrams/consulting-model.svg
...

Key Paths

Location                                      Purpose
docs/modules/ROOT/examples/diagrams/*.d2      D2 source files (edit these)
build/site/captures/_images/diagrams/*.svg    Kroki-rendered output (view these after make)
docs/modules/ROOT/images/diagrams/*.svg       Pre-rendered SVGs (manual commits, may be stale)

Manual Render (to commit SVG)

d2 docs/modules/ROOT/examples/diagrams/captures-hierarchy.d2 \
   docs/modules/ROOT/images/diagrams/captures-hierarchy.svg

Captures Hierarchy Diagram Update

Updated captures-hierarchy.d2 with complete document lifecycle:

  • Added _drafts/ intake zone (invisible to Antora)

  • All 9 document prefixes: WRKLOG, MONTH, MTG, PLAN, LRN, DOC, DEPLOY, SETUP, REF

  • Workflow arrows with style.animated: true

  • Nav sections: Drafts (WIP) → Published flow

Fixed Makefile diagrams-d2 target:

  • DIAGRAM_SRC = examples/diagrams/ (D2 sources)

  • DIAGRAM_OUT = images/diagrams/ (SVG output)

Trackers Section

Created new Trackers section for reusable visual dashboards:

  • trackers/index.adoc - Overview with design conventions

  • trackers/work-2026-02.adoc - February work tracker with compact/full views

  • Moved work-tracker D2 files to examples/diagrams/

  • Added animated connections to all priority arrows

Biblical Teachings (LRN)

Created LRN-2026-02-21-biblical-teachings.adoc from violin lesson discussion with Grant:

  • Isaiah 11:2 - Seven Spirits of God

  • James 2:17-26 - Faith and Works

  • Isaiah 9:6 - Messianic Prophecy

  • Galatians 5:22-23 - Fruits of the Spirit

  • John 14:16-17 - Holy Spirit as Comforter

Remaining Vault Hardening

Phase   Description                Status
5       HA Cluster (3-node Raft)   Pending (weekend)
6       Auto-Unseal                Pending

Session: Architectus MathJax + Content Expansion

MathJax Integration

Fixed raw LaTeX rendering on mathematics pages. AsciiDoc’s stem: latexmath outputs LaTeX markup but requires client-side JavaScript to render.

Added MathJax 3 to architectus-antora-ui/src/partials/footer-scripts.hbs:

MathJax = {
  tex: {
    inlineMath: [['\\(', '\\)']],
    displayMath: [['\\[', '\\]']]
  },
  svg: { fontCache: 'global' }
};

Created UI bundle release v1.1.0 and triggered deployment.

Violin Theory Content (architectus-music)

Created comprehensive violin section:

Page                    Content
violin/index.adoc       Open strings, positions, scales, intervals (just vs equal temperament), bowing mechanics, practice methodology
violin/acoustics.adoc   Wave equation, standing waves, Helmholtz motion, bow dynamics, body resonances, string construction

Added stem: latexmath and violin frequency attributes to music spoke.

Applied Mathematics (architectus-mathematics)

Created 5 pages for CS/technology applications:

Page                           Content
applied/index.adoc             Overview linking math domains to technology applications
applied/cryptography.adoc      Modular arithmetic, RSA, Diffie-Hellman, elliptic curves, hash functions, AES
applied/signal-processing.adoc Fourier series/transform, FFT, Nyquist theorem, convolution, digital filters, Z-transform
applied/complexity.adoc        Big-O, P vs NP, master theorem, amortized analysis
applied/linear-algebra.adoc    Vectors, matrices, transformations, eigenvalues, SVD, ML applications

Commits

Repo                      Commit                       Lines
architectus-antora-ui     455454b + release v1.1.0     18
architectus-music         4cd4da4                      373
architectus-mathematics   bbc6713                      835
architectus-docs          94314f9 (trigger rebuild)    0

Key Learning: Hub-and-Spoke Deployment

  • UI bundle changes require GitHub release, not just push

  • Production playbook uses: …/releases/latest/download/ui-bundle.zip

  • Hub site push triggers deployment pulling latest release

Repertoire Section with ABC Notation

Created repertoire analysis pages with embedded musical notation via Kroki ABC:

Page                          ABC Notation Added
repertoire/bach-double.adoc   I. Vivace opening, II. Largo canon entry, III. Allegro subject
repertoire/humoresque.adoc    A section main theme, B section contrast (G major transposition)

ABC notation renders to SVG via Kroki—no external dependencies.

Commits

  • architectus-music: f306cbe (83 lines ABC notation)

  • architectus-docs: 6c79114 (deployment trigger)