WRKLOG-2026-03-02
Summary
Sunday. Major VyOS deployment runbook hardening - added session variables, pre/post validation, and attribute substitution throughout. Created API-first infrastructure plan for netapi vyos implementation. Paused for work focus.
Today’s Priority Tasks
| Priority | Task | Status |
|---|---|---|
| P0 | VyOS runbook hardening (validation, variables) | [x] DONE |
| P0 | CHLA Linux SSH issue (Xianming Ding) | [ ] CARRY-OVER |
| P1 | HA Infrastructure - Phase 1/2 (bind-02 or vault) | [ ] Paused |
| P1 | iPSK Manager - DB replication (prep for work testing) | [ ] CARRY-OVER |
| P1 | MSCHAPv2 Migration Planning | [ ] CARRY-OVER |
| P2 | netapi vyos implementation | [ ] Planned (after VyOS deploy) |
| P2 | RHCSA 9 study - Chapter 2 continuation | [ ] Pending |
HA Infrastructure Progress
| Phase | Description | Target | Status |
|---|---|---|---|
| Phase 0 | NAS NFS Permissions — kvm-02 access to shared storage | kvm-02 | [x] Complete |
| Phase 1 | Vault HA Cluster — vault-01 file→raft migration, vault-02/03 deployment | kvm-02 | [ ] Pending |
| Phase 2 | DNS HA — bind-02 secondary with zone transfers from bind-01 | kvm-02 | [ ] Pending |
| Phase 3 | VyOS HA — vyos-01 deployed, vyos-02 parallel to pfSense | kvm-02 | [x] Complete (DEPLOY-2026-03-07) |
| Phase 4 | Non-Critical VM Migration — ipsk-manager, keycloak-01 | kvm-02 | [ ] Pending |
| Phase 5 | Critical Infrastructure — AD HA, ISE HA (future) | kvm-02 | [ ] Future |
Reference: See infra-ops component: runbooks/kvm-02-deployment.adoc
Completed Yesterday (2026-03-01)
- Phase 0: NAS NFS permissions for kvm-02
  - Renamed shares: VMs→vms, ISOs→isos, Backups→backups
  - Added 10.50.1.111 to NFS exports
  - Configured /etc/fstab permanent mounts
  - Created libvirt pools: nas-vms, nas-isos
Today’s HA Focus
- Phase 1: Vault HA (file→raft migration, vault-02/03 deployment)
- Phase 2: bind-02 secondary DNS deployment
iPSK Manager - Work Testing Prep
Context: Testing iPSK Manager at home before deploying at CHLA.
Tasks:
- Verify iPSK Manager VM on kvm-01 is operational
- Test DB replication setup
- Document test cases for work deployment
Carried Over
Professional (CHLA)
Critical (P0)
| Project | Description | Status | Blocker |
|---|---|---|---|
| Mandiant Remediation | dACL enforcement, posture/ACL remediation, ISE patch | ACTIVE — Q2 assessment | |
| Linux Research (Xiangming) | EAP-TLS for Linux workstations | BEHIND (due 02-24) | Certificate "password required" — nmcli flags fix documented |
| iPSK Manager HA | Pre-shared key automation — HA deployment | BEHIND | DB replication issues |
| MSCHAPv2 Migration | Legacy auth deprecation → EAP-TLS | BEHIND | No progress on planning |
High Priority (P1)
| Project | Description | Status |
|---|---|---|
| CHLA Antora Setup | 8-phase Antora documentation deployment at work | ACTIVE (Project) |
| SIEM Migration | QRadar → Microsoft Sentinel — SDK integration | ACTIVE (Project) |
| ISE 3.4 Migration | Upgrade from 3.2p9 | Planned — blocked by P0 items |
| ISE Hardware Refresh | PSN/MnT lifecycle replacement | Planned |
| Switch Upgrades | IOS-XE fleet update | Pending |
Standard (P2)
| Project | Description | Status |
|---|---|---|
| HHS Regulatory Compliance | New HHS security policies | NOT STARTED |
| InfoSec Reporting Dashboard | PowerBI metrics for executives | NOT STARTED |
| EDR Migration (AMP → Defender) | Endpoint protection consolidation | NOT STARTED |
| Azure Legacy Migration | Modern landing zone | In progress |
Personal Infrastructure
Recently Completed
| Project | Description | Date |
|---|---|---|
| domus-api v0.1.0 | 44-endpoint REST API — multi-spoke, DI, cache invalidation, 55 tests | 2026-04-07 |
| IOT_WAN VPN Passthrough | 4 firewall rules applied — IPsec ESP, NAT-T, IKE, TCP 2443 | 2026-04-07 |
| VyOS HA Migration | vyos-01 deployed, replacing pfSense | 2026-03-07 |
| C9130AX WiFi6 AP | Catalyst 9130AX access point deployment | 2026-03-10 |
| enterprise-linux-8021x | Standalone 802.1X EAP-TLS documentation spoke | 2026-02-26 |
| CLI Mastery Documentation | openssl/curl/awk/sed/xargs/pipelines | 2026-02-26 |
| Vault SSH CA | 8h certs, 9 hosts configured | 2026-02-21 |
| k3s + Prometheus/Grafana | Monitoring stack on k3s | 2026-02-23 |
In Progress
| Project | Description | Status |
|---|---|---|
| ThinkPad P16g Deploy | Phase 11 verification, Phase 12 security hardening | |
| EVE-NG Lab | Network simulation lab — 8-phase rollout | |
| RHEL 9 Workstation | Dr. Shahab’s workstation — 12-phase deployment | |
| kvm-02 Hardware Upgrade | Supermicro B deployment | Hardware ready |
Planned
| Project | Description | Blocked By |
|---|---|---|
| Vault HA (3-node) | vault-02, vault-03 on kvm-02 | kvm-02 deployment |
| DNS HA (bind-02) | Secondary with zone transfers from bind-01 | kvm-02 deployment |
| k3s HA (3-node) | Control plane HA | kvm-02 deployment |
| Wazuh Agents | Deploy to all infrastructure hosts | k3s NAT fix (29 days blocked) |
| Cold Storage (M-DISC) | Offline archival of keys/headers | Time |
| SanDisk USB Offsite | Third backup drive rotation | Time |
Learning Tracks
| Track | Description | Status | Resources |
|---|---|---|---|
| API Development (FastAPI) | REST API design, Pydantic, DI, async, testing | ACTIVE | domus-api (44 endpoints), API CLI Mastery |
| Claude Code + AI Engineering | Claude Code mastery, hooks, skills, agents | ACTIVE | Anthropic docs, Project |
| RHCSA 9 (EX200) | Red Hat system administration — 21-phase curriculum | ACTIVE | Sander van Vugt book, Project |
| CISSP | 10-domain security certification | ACTIVE | |
| Spanish (DELE C1/C2) | Advanced Spanish certification | ACTIVE | Connectors reference, essay structure, Don Quijote |
| API CLI Mastery | jq/curl/awk/httpx pipeline composition | COMPLETE | Codex — 6-level curriculum |
| Terminal Mastery | awk/sed/jq/xargs/grep/find patterns | COMPLETE | |
| College Algebra | Functions, polynomials, exponentials, logarithms | ACTIVE | |
| Shell Scripting Guide | Comprehensive shell scripting (23 chapters) | In progress | |
| Linux Bible 11e | Linux administration reference | In progress | |
| D2 Diagrams | Infrastructure visualization | Ongoing | Practice with every runbook |
| Biblical Studies | Study notes and teachings | In progress | Private notes |
| Ruby Metaprogramming | DSL for infrastructure generation | PARKED (P3) | domus-captures/education/ruby/ |
Session Log
Session 1: VyOS Runbook Hardening + API-First Planning
Time: Morning
Completed:
- Created API-First Infrastructure Deployment Plan
  - Documented all 14 netapi-supported platforms
  - Identified VyOS as gap - needs `netapi vyos` implementation
  - Mapped full network API coverage (ISE, WLC, FMC, Vault, Wazuh, k3s, etc.)
  - Defined success criteria for deployment and automation
- VyOS Deployment Runbook Updates (537 lines added)
  - Added Session Variables section with shell variables
  - Phase 1: Pre-validation (SSH, bridges, disk space) + post-validation (VM running)
  - Phase 2: Pre/post validation for interfaces
  - Phase 3: Firewall groups now use attributes (`{k3s-master-01-ip}`, etc.)
  - Phase 5 (DHCP): Uses `{bind-ip}`, `{bind-02-ip}`, `{domain}`
  - Phase 6 (DNS): Uses attributes, added post-validation
  - Phase 17 (BGP): All k3s node IPs use attributes
- k3s Deployment Runbook Updates
  - Added Session Variables section with node matrix reference
  - Added gateway note for pfSense → VyOS transition
  - Fixed escaped `{eth0}` in Helm command
- Verified Antora build - no errors
- Pushed to GitHub: `e175d22` (domus-infra-ops)
- Triggered docs rebuild: `f31692b` (domus-docs)
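As an added illustration of the pattern the VyOS runbook now follows (session variables, Phase 1 pre-validation of SSH, bridges and disk space, and post-validation that the VM is running), here is a small POSIX shell script. It is example code written for this log, not the runbook's own text or anything from domus-infra-ops; the host, VM, bridge names, storage path and free-space threshold are assumed values, and the attribute substitution the runbook does at build time is stood in for by environment-variable defaults. The decision logic is kept in argument-only helper functions so it can be checked without a KVM host.

```shell
#!/bin/sh
# Added example, not the runbook's own code: session variables + pre-validation
# + post-validation for deploying a VM on a KVM host. All names/thresholds below
# are assumptions; runbook attributes such as {k3s-master-01-ip} would land in
# these variables at doc-build time.
set -eu

# --- Session variables (override from the environment; defaults are assumed) ---
: "${KVM_HOST:=kvm-02}"
: "${VM_NAME:=vyos-02}"
: "${REQUIRED_BRIDGES:=br0 br-mgmt}"          # bridges the VM's NICs attach to
: "${VM_STORAGE:=/var/lib/libvirt/images}"   # pool path checked for free space
: "${MIN_FREE_GB:=20}"

# --- Pure checks: take data as arguments so they can be tested without a host ---

# 0 if free_gb ($1) is at least min_gb ($2).
enough_space() {
  [ "$1" -ge "$2" ]
}

# 0 if every name in $2 (space-separated) appears in $1 (newline-separated list).
bridges_present() {
  have=$1
  for b in $2; do
    printf '%s\n' "$have" | grep -Fqx -- "$b" || return 1
  done
  return 0
}

# 0 if a `virsh domstate` answer means the guest is up.
vm_running() {
  [ "$1" = "running" ]
}

# --- Phase 1 pre-validation: fail fast before anything is created on the host ---
pre_validate() {
  # BatchMode so a missing key or host-key mismatch fails instead of prompting.
  ssh -o BatchMode=yes -o ConnectTimeout=5 "$KVM_HOST" true \
    || { echo "FAIL: cannot ssh to $KVM_HOST" >&2; return 1; }

  # An interface is a bridge iff /sys/class/net/<if>/bridge exists.
  have=$(ssh -o BatchMode=yes "$KVM_HOST" \
    'for i in /sys/class/net/*; do [ -d "$i/bridge" ] && basename "$i"; done; true')
  bridges_present "$have" "$REQUIRED_BRIDGES" \
    || { echo "FAIL: missing bridge (need: $REQUIRED_BRIDGES; have: $have)" >&2; return 1; }

  # GNU df prints whole gibibytes with -BG; strip the unit suffix.
  free_gb=$(ssh -o BatchMode=yes "$KVM_HOST" \
    "df -BG --output=avail '$VM_STORAGE' | tail -n 1 | tr -dc 0-9")
  enough_space "$free_gb" "$MIN_FREE_GB" \
    || { echo "FAIL: ${free_gb}G free at $VM_STORAGE, need ${MIN_FREE_GB}G" >&2; return 1; }

  echo "PRE-VALIDATION OK: $KVM_HOST reachable, bridges present, ${free_gb}G free"
}

# --- Phase 1 post-validation: the VM must actually be running ---
post_validate() {
  state=$(ssh -o BatchMode=yes "$KVM_HOST" "virsh domstate '$VM_NAME'" 2>/dev/null || echo unknown)
  vm_running "$state" \
    || { echo "FAIL: $VM_NAME state is '$state'" >&2; return 1; }
  echo "POST-VALIDATION OK: $VM_NAME is running on $KVM_HOST"
}

# Only contact the host when explicitly asked, so the checks can be sourced/tested.
case "${1:-}" in
  pre)  pre_validate ;;
  post) post_validate ;;
  *)    echo "usage: $0 pre|post" >&2 ;;
esac
```

Run `sh deploy-check.sh pre` before creating the VM and `sh deploy-check.sh post` after `virsh start`; a non-zero exit from either halts the runbook step rather than letting it continue on a host that is unreachable, mis-bridged, short on space, or whose guest never came up.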
Next (when resuming):
- Deploy vyos-02 VM on kvm-02 (Phase 1)
- Implement `netapi vyos` CLI and vendor client
Notes
Paused session to focus on work tasks. Using WSL/Arch on Windows 11 work computer.