WRKLOG-2026-04-09
Summary
Thursday. Manager 1:1 with Sarah Clizer to cover project status.
URGENT - All Domains
Carryover Backlog (CRITICAL)
| Task | Details | Origin | Days | Status |
|---|---|---|---|---|
k3s NAT verification |
NAT rule 170 for 10.42.0.0/16 pod network - test internet connectivity |
2026-03-09 |
34 |
P0 - BLOCKING |
Wazuh indexer recovery |
Restart pod after NAT confirmed working - SIEM visibility blocked |
2026-03-09 |
34 |
P0 - Blocked by k3s |
Strongline Gateway VLAN fix |
8 devices in wrong identity group (David Rukiza assigned) |
2026-03-16 |
27 |
P0 - TODO |
Monad Pipeline Evaluation |
Test pipeline creation, input sources, transforms (LEAD ROLE) |
2026-03-11 |
32 |
P1 - TODO |
Vocera EAP-TLS Supplicant Fix |
~10 phones failing 802.1X, missing supplicant config |
2026-03-12 |
31 |
P1 - TODO |
ISE MnT Messaging Service |
Enable "Use ISE Messaging Service for UDP syslogs delivery" |
2026-03-12 |
31 |
P2 - TODO |
ISE Patch 9 upgrade |
ISE 3.2 Patch 9 addresses known replication issues |
2026-03-12 |
31 |
P2 - TODO |
| Professional backlog remains critical. Check Days column for priorities. |
BLOCKERS — Fix Immediately
| Task | Details | Origin | Days | Impact |
|---|---|---|---|---|
Z Fold 7 Termux |
gopass and SSH not working |
2026-03-10 |
30 |
BLOCKER — Cannot access passwords on mobile |
gopass v3 organization |
Inconsistent structure, poor key-value usage |
2026-03-20 |
20 |
Inefficient password management, no aggregation |
URGENT - Requires Immediate Action
| Item | Details | Deadline | Status | Impact |
|---|---|---|---|---|
Housing Search |
Granada Hills area - apartments/rooms |
TBD |
In Progress |
Quality of life, commute |
URGENT — Performance Review Deadline (June 1, 2026)
| Certification | Provider | Deadline | Status | Impact |
|---|---|---|---|---|
CISSP |
ISC² — Certified Information Systems Security Professional |
June 1, 2026 |
ACTIVE — Phase 0 (Project) |
Required for performance review |
RHCSA 9 |
Red Hat Certified System Administrator |
June 1, 2026 |
ACTIVE — 21-phase curriculum (Project) |
Required for performance review |
| 53 days remaining until June 1st deadline. |
Early Morning - 5:30am
Regex Training (CRITICAL CARRYOVER)
-
Session 3 - Character classes, word boundaries
-
Practice drills from regex-mastery curriculum
-
Status: 7 days carried over - DO THIS TODAY
| Regex training continues to slip. This is the foundation for all CLI mastery. |
Work (CHLA)
| CHARGE TIME IN PEOPLESOFT - CRITICAL. Do this NOW before anything else. |
Critical (P0)
| Project | Description | Owner | Status | Due | Blocker |
|---|---|---|---|---|---|
Linux Research (Xianming Ding) |
EAP-TLS for Linux workstations, dACL, UFW |
Evan |
BEHIND |
02-24 |
Certificate "password required" - nmcli fix documented |
iPSK Manager |
Pre-shared key automation |
Ben Castillo |
BEHIND |
— |
DB replication issues |
MSCHAPv2 Migration |
Legacy auth deprecation |
Evan |
BEHIND |
— |
No progress on planning |
Research Segmentation |
All endpoints to Untrusted VLAN |
Evan |
BLOCKED |
— |
CISO decision pending |
High Priority (P1)
| Project | Description | Owner | Status | Target |
|---|---|---|---|---|
ISE 3.4 Migration |
Upgrade from 3.2p9 |
Evan |
Blocked |
Q1 2026 |
Switch Upgrades |
IOS-XE fleet update (C9300, 3560CX) |
Evan |
Pending |
Q1 2026 |
Spikewell BYOD VPN |
dACL SQL, AD group integration |
Evan |
Active |
— |
Strongline Gateway |
MAC capture, Identity Group setup |
Evan |
Active |
— |
QRadar → Sentinel Migration |
Full SIEM platform transition, Monad evaluation |
Evan |
Active |
Q2 2026 |
Strategic (P2)
| Project | Description | Owner | Status |
|---|---|---|---|
HHS Regulatory Compliance |
New HHS security policies implementation |
TBD |
NOT STARTED |
InfoSec Reporting Dashboard |
PowerBI metrics for executives |
TBD |
NOT STARTED |
EDR Migration (AMP → Defender) |
Endpoint protection consolidation |
TBD |
NOT STARTED |
Azure Legacy Migration |
Modern landing zone |
Team |
In Progress |
ChromeOS EAP-TLS |
SCEP + Victor, Paul testing |
Victor |
In Progress |
Today’s Priorities
-
P0 - CR-2026-04-15: SRT Research VLAN — iTrack submission due Sunday (change window Tue 04/15)
-
P0 - MSCHAPv2 Migration: Run netapi endpoint report + pandas graph for team (URGENT — team meeting)
-
P0 - Enterprise Linux 802.1X: Standardize Shahab/Ding deployment (CISO priority)
-
P0 - Strongline Gateway VLAN fix (27 days - blocking Arin)
-
P0 - k3s NAT verification (34 days - CRITICAL)
-
P1 - Abnormal Security: ESA → API migration (Cisco→Microsoft shift)
-
P1 - DMZ Migration: External services audit behind NetScaler
-
P1 - Sentinel KQL: Build proficiency, distinguish from team
-
P1 - Monad Pipeline Evaluation (32 days - lead role assigned)
-
P1 - Vocera/Wyse iTrack RCA: Complete root cause report
-
P1 - GCC ISE Support: 3/4 nodes restored, PSN-04 deferred (NE-Systems)
-
P1 - Wazuh indexer recovery (34 days - blocked by NAT)
-
P1 - Vocera EAP-TLS Supplicant Fix (31 days)
Service Requests (SR)
| SR# | Request | Requestor | Opened | Status |
|---|---|---|---|---|
3508542 |
Zoll cards connection issue |
TBD |
TBD |
TODO |
3508524 |
Disable dot1x on (2) network ports - 5th floor 3250 Wilshire (PXE-boot imaging issues) |
TBD |
TBD |
Follow-up: Issues persisted after disable - plan to test re-enable |
Incidents (INC)
| INC# | Priority | Description | Opened | SLA | Status |
|---|---|---|---|---|---|
1911859 |
TBD |
Strongline Gateways in Miscellaneous Subnet |
TBD |
TBD |
TODO |
Change Requests - Emergency (ECAB)
| CR# | Description | Opened | Scheduled | Status |
|---|---|---|---|---|
No emergency changes |
Change Requests - Normal
| CR# | Description | Opened | Scheduled | Status |
|---|---|---|---|---|
No normal changes |
Change Requests - Scheduled/Standard
| CR# | Description | Opened | Window | Status |
|---|---|---|---|---|
No scheduled changes |
Change Requests - Root Cause / Post-Incident
| CR# | Description | Related INC | Opened | Status |
|---|---|---|---|---|
100451 |
Vocera Phones and Wyse devices went off network |
TBD |
TBD |
TODO |
Meetings
Manager 1:1 — Sarah Clizer
Time: TBD Agenda: Project status review
Projects to Discuss
| Project | Status | Priority | Notes |
|---|---|---|---|
Mandiant Remediation |
ACTIVE — Q2 assessment |
P0 |
dACL enforcement, posture/ACL remediation, ISE patch |
Linux Research (Xiangming) |
BEHIND (due 02-24) |
P0 |
Certificate "password required" — nmcli flags fix documented |
iPSK Manager HA |
BEHIND |
P0 |
DB replication issues |
MSCHAPv2 Migration |
BEHIND |
P0 |
No progress on planning |
CHLA Antora Setup |
ACTIVE |
P1 |
8-phase Antora documentation deployment |
SIEM Migration |
ACTIVE |
P1 |
QRadar → Microsoft Sentinel — SDK integration |
ISE 3.4 Migration |
Planned |
P1 |
Blocked by P0 items |
ISE Hardware Refresh |
Planned |
P1 |
PSN/MnT lifecycle replacement |
Discussion Points
-
P0 blockers — k3s NAT (31 days), Wazuh indexer (31 days)
-
Mandiant Q2 assessment timeline
-
Resource allocation for MSCHAPv2 migration planning
-
Certification progress (CISSP/RHCSA — 53 days to June 1)
Action Items
To be filled during meeting
Session Accomplishments (Claude Code)
Today’s Session
-
Created comprehensive worklog with full carryover
-
Updated tracker day counts (carryover, blockers, certifications)
-
Manager meeting prep with 8 projects to discuss
Recent Accomplishments (This Week)
| Date | Accomplishment | Evidence |
|---|---|---|
2026-04-07 |
domus-api Phase 1-2 Complete — 43 REST endpoints exposing 2,935 AsciiDoc files, 1,107 partials, 495 examples. FastAPI auto-generates OpenAPI schema. 48/48 pytest tests passing in 0.3s. |
|
2026-04-07 |
ThinkPad P16G Phases 0-8b Complete — Full Arch Linux deployment with encrypted BTRFS, RTX 5090 drivers, stow dotfiles, gopass integration, 27 repos cloned |
|
2026-04-06 |
dots-quantum shell framework — zsh/bash/fish cross-shell config with tmux-quantum integration, fastfetch, modern CLI tooling |
~/atelier/_projects/personal/dots-quantum |
2026-04-05 |
Association Engine v1.0 — Bidirectional knowledge graph (379 keys, 602+ edges) based on Kernighan’s associative arrays. Python CLI with uv packaging. |
~/atelier/_projects/personal/association-engine |
2026-04-03 |
Codex System — 204 production-grade code snippets across 18 domains (bash, python, powershell, networking, containers, git, security, vim, assembly, fastapi) |
docs/modules/ROOT/examples/codex/ |
Growth Systems — Multi-Area Engineering
These systems compound over time, making you better across all technological domains.
Knowledge Infrastructure
| System | What It Does | Scale | Next Action |
|---|---|---|---|
Codex |
Production-grade code snippets organized by domain — indexed arrays, associative arrays, jq patterns, vim macros, AD PowerShell, network troubleshooting |
204 files across 18 domains |
Add pandas/polars patterns, expand Python codex |
Association Engine |
Bidirectional knowledge graph linking projects, skills, infrastructure, and tools. Query: "what requires CISSP?" or "what does Python enable?" |
379 keys, 602+ edges |
Link domus-api endpoints, add certification paths |
Competency Tracker |
100+ microskills across 17 domains with levels (Awareness → Expert), evidence, and gap analysis |
17 domains, 100+ files |
Add AI/ML domain progress, data engineering gaps |
domus-api |
REST API exposing the entire documentation system — every page, partial, example, standard is a JSON endpoint |
43 endpoints |
Phase 3: Ollama RAG, Phase 4: Multi-spoke |
Domains You’re Building Across
| Domain | Codex + Competency Investment | Status |
|---|---|---|
Bash/Shell |
Indexed arrays, associative arrays (440 lines), streams (8 files), jq-sysadmin, command composition |
Production-grade |
Python |
FastAPI (domus-api), uv packaging, CLI patterns, files.adoc, requests.adoc |
Intermediate → Advanced |
PowerShell/AD |
14 AD files (users, groups, GPO, DNS, replication, security, service accounts) |
Production-grade |
Linux Admin |
systemd, disk, files, processes, package-managers, ubuntu-install-encrypted, ss, ip-command |
Advanced |
Networking |
curl, dig, tcpdump, firewall, ssh, diagnostics, nmcli |
Advanced |
Containers |
docker-basics, docker-compose, kubectl, podman |
Intermediate |
Git |
10 files — basics, branches, remotes, history, rewriting, filter-repo, worktrees, stash, tags |
Advanced |
Security |
gopass (6 files), ssh keys, age encryption, CISSP prep (53 days) |
Intermediate → Advanced |
Vim |
10+ files — motions, registers, macros, text-objects, marks, Ex commands |
Advanced |
Assembly/RE |
fundamentals, stack-functions, syscalls-linux, arithmetic-logic, reverse-engineering |
Learning |
IaC |
terraform.adoc, ansible-linux-automation project |
Intermediate |
Data Engineering Growth Path (TO BUILD)
| Technology | Purpose | Status |
|---|---|---|
pandas |
DataFrame manipulation, MSCHAPv2 migration reports, ISE endpoint analysis |
NOT STARTED — need codex entries |
polars |
High-performance alternative to pandas |
NOT STARTED |
DuckDB |
In-process SQL analytics |
Awareness |
jq (advanced) |
Already have jq-sysadmin.adoc, need streaming/groupby patterns |
Intermediate |
SQL |
Need SQLite patterns for local analytics |
Intermediate |
Active Personal Projects
| Project | Description | Next Milestone | Status |
|---|---|---|---|
domus-api |
REST API for documentation system (43 endpoints, FastAPI) |
Phase 3: Ollama RAG integration |
✅ Phase 1-2 Done |
association-engine |
Bidirectional knowledge graph (379 keys, 602+ edges) |
Link to domus-api, certification paths |
✅ v1.0 Done |
netapi / netapi-tui |
Cisco ISE CLI tool (Go rewrite planned) |
Commercialization, Cobra-style args |
Active |
dots-quantum |
Cross-shell framework (zsh/bash/fish + tmux) |
P16g deployment complete |
Active |
domus-nvim |
Neovim configuration |
Stable |
Maintenance |
ollama-local |
Local LLM stack (RTX 5090 on P16g) |
Phase 10 of P16g deployment |
TODO |
tmux-quantum |
Catppuccin-themed tmux config |
Stable |
Done |
instrumentum-nvim |
Neovim plugin experiments |
Low priority |
Deferred |
Personal
In Progress
| Project | Description | Status | Notes |
|---|---|---|---|
k3s Platform |
Production k3s cluster on kvm-01 |
Active |
Prometheus, Grafana, Wazuh deployed |
Wazuh Archives |
Enable archives indexing in Filebeat |
Active |
PVC fix pending |
kvm-02 Hardware |
Supermicro B deployment |
Active |
Hardware ready, RAM upgrade done |
Planned
| Project | Description | Target | Blocked By |
|---|---|---|---|
Vault HA (3-node) |
vault-02, vault-03 on kvm-02 |
Q1 2026 |
kvm-02 deployment |
k3s HA (3-node) |
Control plane HA |
Q1 2026 |
kvm-02 deployment |
ArgoCD GitOps |
k3s GitOps deployment |
After k3s stable |
— |
MinIO S3 |
Object storage for k3s |
After ArgoCD |
— |
Personal asset management (YAML + CLI + AsciiDoc) |
Q2 2026 |
Schema approved |
Active — Infrastructure
| Task | Details | Priority | Status | Due |
|---|---|---|---|---|
Wazuh agent deployment |
Deploy agents to all infrastructure hosts |
P2 |
Pending |
After archives fix |
k3s Platform |
Production k3s cluster on kvm-01 |
P1 |
In Progress |
— |
Wazuh Archives |
Enable archives indexing in Filebeat, PVC fix |
P1 |
In Progress |
— |
kvm-02 Hardware |
Supermicro B deployment, RAM upgrade done |
P1 |
In Progress |
— |
Active — Security & Encryption
| Task | Details | Priority | Status | Due |
|---|---|---|---|---|
Configure 4th YubiKey |
SSH FIDO2 keys |
P1 |
TODO |
— |
Cold storage M-DISC backup |
age-encrypted archives |
P1 |
TODO |
After YubiKey setup |
Active — Development & Tools
| Task | Details | Priority | Status | Due |
|---|---|---|---|---|
netapi Commercialization |
Go CLI rewrite with Cobra-style argument discovery, package for distribution |
P0 |
Active |
— |
Ollama API Service |
FastAPI (17 endpoints), productize — config audit, doc tools, runbook gen |
P0 |
Active |
— |
Shell functions (fe, fec, fef) |
File hunting helpers |
P3 |
TODO |
— |
Active — Documentation
| Task | Details | Priority | Status | Due |
|---|---|---|---|---|
D2 Catppuccin Mocha styling |
domus-* spoke repos (177 files total) |
P3 |
In Progress |
— |
Active — Financial
| Task | Details | Priority | Status | Due |
|---|---|---|---|---|
Amazon order history import |
Download CSV from Privacy Central → parse with awk → populate subscriptions tracker |
P1 |
Waiting |
Pending Amazon data export (requested 2026-04-04) |
Active — Education
| Task | Details | Priority | Status | Due |
|---|---|---|---|---|
No active education tasks — see education trackers |
Active — Personal & Life Admin
| Task | Details | Priority | Status | Due |
|---|---|---|---|---|
ThinkPad T16g Setup |
Arch install, stow dotfiles, Ollama stack, netapi dev env |
P0 |
Pending |
— |
P50 Arch to Ubuntu migration |
P2 |
In Progress |
— |
|
X1 Carbon Ubuntu installs |
2 laptops, LUKS encryption |
P2 |
In Progress |
— |
P50 Steam Test |
Test Flatpak Steam + apt cleanup of broken i386 packages |
P3 |
Pending |
— |
Documentation Sites
-
docs.domusdigitalis.dev - Private documentation hub
-
docs.architectus.dev - Public portfolio site
Education
Claude Code Mastery
| Resource | Details | Progress | Status |
|---|---|---|---|
Claude Code Full Course (4 hrs) |
Nick Saraev - YouTube comprehensive course |
26:49 / 4:00:00 |
IN PROGRESS |
Claude Code Certification |
Anthropic official certification (newly released) |
Not started |
GOAL |
Active Tracks (Focus)
-
Don Quijote - Primera Parte
Skills Mastery (Critical)
-
Regex Mastery - 10-module curriculum
-
AsciiDoc Docs - Documentation format
-
Antora Docs - Documentation pipeline
Certification Deadlines
-
CISSP - Before June 1, 2026 (performance review)
-
RHCSA 9 - Before June 1, 2026 (performance review)
-
LPIC-1 - Renewal required (blocks LPIC-2)
Spanish C1 Certification Goals
| Certification | Provider | Target | Status | Strategy |
|---|---|---|---|---|
Instituto Cervantes / UNAM / Salamanca |
Q2 2026 |
ACTIVE |
Computer-based, faster results - take FIRST |
|
Q3/Q4 2026 |
PLANNED |
After SIELE success, harder exam |
||
2027 |
FUTURE |
Mastery level - requires extensive immersion |
| SIELE is computer-adaptive, results in 3 weeks. DELE is paper-based, results in 3-4 months. Do SIELE first to validate readiness. |
Don Quijote Writing Practice - DELE C1/C2 Initiative
Method:
-
Read chapter in original Spanish
-
Write personal analysis/understanding en espanol
-
AI review for grammar, vocabulary, register
-
Build comprehensive understanding of literary elements
Today’s Study
-
Focus: CISSP study (55 days to June 1), domus-api Phase 3 prep
-
Secondary: RHCSA curriculum, Spanish DELE/SIELE
-
CISSP — begin Phase 0 domain review
-
RHCSA — continue curriculum phase
-
Spanish — Don Quijote reading + analysis
-
domus-api — evaluate Ollama RAG architecture for Phase 3
Regex Training (CRITICAL)
-
Status: 7 days carried over
-
Priority: After PeopleSoft, before Quijote
-
Session: Character classes, word boundaries
Infrastructure
Documentation Sites
| Site | URL | Status | Actions Needed |
|---|---|---|---|
Domus Digitalis |
Active |
Validate, harden, improve |
|
Architectus |
Active |
Public portfolio site - maintain |
HA Deployment Status
| System | Description | Status | Notes |
|---|---|---|---|
VyOS HA |
vyos-01 (kvm-01) + vyos-02 (kvm-02) with VRRP VIP |
✅ COMPLETE |
2026-03-07 - pfSense decommissioned |
BIND DNS HA |
bind-01 (kvm-01) + bind-02 (kvm-02) with AXFR |
✅ COMPLETE |
Zone transfer operational |
Vault HA |
Raft cluster (vault-01/02/03) |
✅ COMPLETE |
Integrated with PKI |
Keycloak Rebuild |
keycloak-01 corrupted, rebuild from scratch |
🔄 NEXT |
Priority P3 - SSO broken |
FreeIPA HA |
ipa-02 replica planned |
📋 PLANNED |
Linux auth redundancy |
AD DC HA |
home-dc02 replication |
📋 PLANNED |
Windows auth redundancy |
iPSK Manager HA |
ipsk-mgr-02 with MySQL replication |
📋 PLANNED |
PSK portal redundancy |
ISE HA |
PAN HA (ise-01 reconfigure) |
⏳ DEFERRED |
Wait until ise-02 stable |
ISE 3.5 Migration |
Upgrade path: 3.2p9 → 3.4 (P1) → 3.5 (target) |
📋 PLANNED |
After 3.4 Migration completes (Q2 2026) |
Single Points of Failure (CRITICAL)
| These systems have NO redundancy - outage impacts production. |
| System | Impact if Down | Mitigation |
|---|---|---|
ISE (ise-02) |
All 802.1X stops - wired and wireless auth fails |
ise-01 reconfiguration deferred until ise-02 stable |
Keycloak (keycloak-01) |
SAML/OIDC SSO broken (ISE admin, Grafana, etc.) |
NEXT PRIORITY - Rebuild runbook |
FreeIPA (ipa-01) |
Linux auth, sudo rules, HBAC fails |
ipa-02 replica planned |
AD DC (home-dc01) |
Windows auth, Kerberos, GPO fails |
home-dc02 replica planned |
iPSK Manager |
Self-service PSK portal unavailable |
ipsk-mgr-02 with MySQL replication planned |
Validation Tasks
| Task | Details | Status |
|---|---|---|
docs.domusdigitalis.dev validation |
Test all cross-references, search, rendering |
TODO |
docs.domusdigitalis.dev hardening |
HTTPS, CSP headers, security review |
TODO |
docs.architectus.dev validation |
Public site content review |
TODO |
Hub-spoke sync verification |
All components building correctly |
Ongoing |
Quick Commands
gopass-personal-docs Usage
\# Interactive entry creation gopass-personal-docs \# Categories: 1) Bills 2) Subscriptions 3) Housing 4) Vehicles 5) Insurance
gopass-query Usage
\# List all recurring bills with totals gopass-query bills \# List storage units with gate codes gopass-query storage \# Export category to JSON gopass-query export bills
API: domus-api — Documentation System REST API
Source: 2026-04-06 — First domus-api session, querying 2,928 .adoc files via REST endpoints
\# Start the API server (localhost:8080, Tailscale accessible)
cd ~/atelier/_projects/personal/domus-api && uv run uvicorn domus_api.main:app --host 0.0.0.0 --port 8080
\# Health check — document counts
curl -s localhost:8080/ | jq
\# Full repository stats by category
curl -s localhost:8080/stats | jq
\# All 20+ standards as JSON
curl -s localhost:8080/standards | jq
\# Standards — extract just ID and title (awk-style with jq)
curl -s localhost:8080/standards | jq -r '.standards[] | "\(.id)\t\(.title)"'
\# Full-text search across all files
curl -s 'localhost:8080/search?q=mandiant' | jq
\# Search — extract just path, title, match count
curl -s 'localhost:8080/search?q=mandiant' | jq '.results[] | {path, title, match_count}'
\# Scoped search (standards only)
curl -s 'localhost:8080/search?q=RFC+2119&scope=standards' | jq
\# Get specific page with full content + metadata
curl -s localhost:8080/pages/standards/operations/change-control | jq
\# List pages filtered by category
curl -s 'localhost:8080/pages?category=standards' | jq
curl -s 'localhost:8080/pages?category=codex&limit=10' | jq
\# All antora.yml attributes (127)
curl -s localhost:8080/attributes | jq
\# Swagger UI (open in browser)
\# http://localhost:8080/docs
\# Kill server on port 8080
kill $(lsof -ti:8080)
API: Incident & Change Record Queries
Source: 2026-04-07 — Querying incidents and CRs via domus-api for work reporting
\# ─── INCIDENT QUERIES ───
\# Get incident title
curl -s localhost:8080/pages/case-studies/incidents/INC-2026-04-06-domus-iot-vpn-connectivity | jq -r '.title'
\# Read incident content as plain text (jq -r unescapes \n)
curl -s localhost:8080/pages/case-studies/incidents/INC-2026-04-06-domus-iot-vpn-connectivity | jq -r '.content' | head -50
\# List all incidents
curl -s 'localhost:8080/pages?category=case-studies' | jq -r '.pages[] | select(.path | contains("incidents")) | "\(.title)\t\(.path)"'
\# Search incidents by keyword
curl -s 'localhost:8080/search?q=IOT_WAN' | jq -r '.results[] | "\(.title)\t\(.path)"'
\# Search for all VPN-related content
curl -s 'localhost:8080/search?q=GlobalProtect' | jq -r '.results[] | "\(.title)\t\(.path)"'
\# ─── CHANGE RECORD QUERIES ───
\# Get CR title
curl -s localhost:8080/pages/case-studies/changes/CR-2026-04-07-iot-wan-vpn-passthrough | jq -r '.title'
\# Read CR content
curl -s localhost:8080/pages/case-studies/changes/CR-2026-04-07-iot-wan-vpn-passthrough | jq -r '.content' | head -80
\# List all change records
curl -s 'localhost:8080/pages?category=case-studies' | jq -r '.pages[] | select(.path | contains("changes")) | "\(.title)\t\(.path)"'
\# ─── WORKFLOW: INCIDENT TO CR TRACEABILITY ───
\# Find all documents related to an incident
curl -s 'localhost:8080/search?q=INC-2026-04-06-001' | jq -r '.results[] | "\(.path)"'
\# Find the CR linked to an incident
curl -s 'localhost:8080/search?q=CR-2026-04-07-iot-wan' | jq -r '.results[] | {title, path}'
\# ─── FORMAT FOR REPORTING ───
\# Incident summary as TSV (paste into spreadsheet)
curl -s 'localhost:8080/pages?category=case-studies' | jq -r '.pages[] | select(.path | contains("incidents")) | [.title, .path] | @tsv'
\# Pipe to column for terminal table
curl -s 'localhost:8080/pages?category=case-studies' | jq -r '.pages[] | select(.path | contains("incidents")) | [.title, .path] | @tsv' | column -t -s $'\t'
\# Export incident as markdown (basic conversion)
curl -s localhost:8080/pages/case-studies/incidents/INC-2026-04-06-domus-iot-vpn-connectivity | jq -r '.content' > /tmp/incident-report.txt
Security: Mandiant Vulnerability Assessment Discovery
Source: 2026-04-06 — Searching domus-captures + Principia for pentest findings, dACLs, and remediation content
\# Search for Mandiant references across domus-captures
grep -ri 'mandiant' docs/modules/ROOT/ | awk 'NR<=30'
\# Find dACL / downloadable ACL content
grep -ri 'dacl\|downloadable.acl' docs/modules/ROOT/ | awk 'NR<=30'
\# Search Principia vault (legacy PKM) for Mandiant data
grep -ri 'mandiant' ~/atelier/_bibliotheca/Principia/ 2>/dev/null | awk 'NR<=30'
\# Find files with security assessment terms in the name
find docs/ -name '*mandiant*' -o -name '*vuln*' -o -name '*dacl*'
\# Find dACL diagram source files
find docs/modules/ROOT/images/diagrams -name 'dacl*'
\# Posture redirect ACL references (the critical finding)
grep -ri 'posture.*redirect\|redirect.*acl\|pre.auth.*acl' docs/modules/ROOT/ | awk 'NR<=20'
\# Cross-repo vulnerability search
grep -ri 'vulnerability.assess\|pentest\|penetration.test' docs/modules/ROOT/pages/2026/ | awk 'NR<=20'
\# Principia asset directory discovery (OPS-* and PRJ-* directories)
find ~/atelier/_bibliotheca/Principia/02_Assets -maxdepth 1 -type d \( -name 'OPS-*' -o -name 'PRJ-*' \)
\# Raspberry Pi OUI detection (from pentest findings)
\# netapi ise mnt --format json sessions | jq -r '.[] | select(.calling_station_id | startswith("B8:27:EB") or startswith("DC:A6:32") or startswith("E4:5F:01")) | [.calling_station_id, .framed_ip_address, .nas_ip_address] | @tsv'
Audio: PipeWire Validation (Post-Reboot)
Source: 2026-04-06 — P16g audio testing after sof-firmware install
\# PipeWire status (replaces pulseaudio pavucontrol for status) wpctl status \# List all audio sinks (short format) pactl list sinks short \# Play audio through default sink (native PipeWire — no alsa-utils needed) pw-play /usr/share/sounds/freedesktop/stereo/bell.oga \# Play through specific sink by ID pw-play --target 65 /usr/share/sounds/freedesktop/stereo/bell.oga \# Kernel audio firmware messages (Intel SOF) journalctl -b --grep='sof|cs35l56|cs42l43' --no-pager | tail -20 \# ALSA sound cards cat /proc/asound/cards
Git: Cross-Repo Activity Audit
Source: 2026-04-06 — Reconstructing daily AI session history across all domus repos
\# All commits on a specific date across all domus repos
for repo in ~/atelier/_bibliotheca/domus-*/ ~/atelier/_projects/personal/domus-*/; do
[ -d "$repo/.git" ] || continue
name=$(basename "$repo")
git -C "$repo" log --since="2026-04-06" --until="2026-04-07" --format="%h %aI %s" 2>/dev/null |
awk -v r="$name" '{print r, $0}'
done
\# Structured commit log as JSON (pipe to jq)
git -C ~/atelier/_bibliotheca/domus-captures log --pretty=format:'{"hash":"%h","date":"%aI","subject":"%s"}' -20 |
jq -s 'sort_by(.date) | reverse'
\# Commits per month (aggregation)
git -C ~/atelier/_bibliotheca/domus-captures log --pretty=format:'{"date":"%aI"}' -100 |
jq -s 'map(.date | split("T")[0] | split("-")[0:2] | join("-")) | group_by(.) | map({month: .[0], count: length}) | sort_by(.month)'
\# Cross-repo search via GitHub API (quote URL for zsh)
gh search code "vault seal" --owner EvanusModestus --json repository,path,textMatches |
jq '.[] | {repo: .repository.full_name, file: .path, match: .textMatches[].fragment}'
\# List .adoc files in a repo via GitHub API
gh api 'repos/EvanusModestus/domus-captures/git/trees/main?recursive=1' |
jq '[.tree[] | select(.path | endswith(".adoc"))] | length'
\# Cross-repo activity dashboard (last 5 per repo)
for repo in domus-captures domus-infra-ops domus-ise-linux domus-netapi-docs domus-secrets-ops; do
git -C ~/atelier/_bibliotheca/$repo log --pretty=format:"{\"repo\":\"$repo\",\"date\":\"%aI\",\"subject\":\"%s\"}" -5 2>/dev/null
done | jq -s 'sort_by(.date) | reverse | .[:15] | .[] | "\(.date | split("T")[0]) [\(.repo)] \(.subject)"' -r
\# Antora attribute comparison across repos
for f in ~/atelier/_bibliotheca/domus-*/docs/asciidoc/antora.yml; do
repo=$(basename "$(dirname "$(dirname "$(dirname "$f")")")")
count=$(yq '.asciidoc.attributes | length // 0' "$f")
printf "%-30s %s attributes\n" "$repo" "$count"
done
Attribute Includes
// Home documents
// ========================================================================
// SHARED ATTRIBUTES -- Home & Personal
// ========================================================================
// Source of truth for personal identity, home infrastructure, and
// document defaults used across daily worklogs and captures.
//
// Usage:
// include::partial$attributes.adoc[]
//
// For work-specific attributes (CHLA), also include:
// include::partial$attributes-work.adoc[]
//
// For HTML status styling, also include:
// include::partial$attributes-styles.adoc[]
//
// Per-document attributes (revdate, document-id, capture-date,
// focus-areas, etc.) remain in each file's header.
// ========================================================================
// ========================================================================
// DOCUMENT DEFAULTS
// ========================================================================
:id: UNSET
:document-id: {id}
// ========================================================================
// AUTHOR & IDENTITY
// ========================================================================
:author-name: Evan Rosado
:author-email-home: evan.rosado@domusdigitalis.dev
:author-email-work: erosado@chla.usc.edu
:author-email-personal: evan.rosado@outlook.com
// ========================================================================
// HOME ENTERPRISE DOMAINS
// ========================================================================
:home-domain: domusdigitalis.dev
:home-domain-internal: inside.domusdigitalis.dev
:home-domain-guest: guest.domusdigitalis.dev
:home-env-name: Home Enterprise ({home-domain})
// ========================================================================
// HOME ENTERPRISE INFRASTRUCTURE
// ========================================================================
// ISE Cluster (Home)
:home-ise-version: 3.3
:home-ise-pan-ip: 10.50.1.21
:home-ise-pan-host: ise-02.inside.domusdigitalis.dev
:home-ise-01-ip: 10.50.1.20
:home-ise-01-host: ise-01.inside.domusdigitalis.dev
:home-ise-02-ip: 10.50.1.21
:home-ise-02-host: ise-02.inside.domusdigitalis.dev
// DNS (BIND)
:home-dns-primary: 10.50.1.90
:home-dns-secondary: 10.50.1.1
:home-bind-ip: 10.50.1.90
:home-bind-host: bind-01.inside.domusdigitalis.dev
// Active Directory
:home-ad-server: HOME-DC01.inside.domusdigitalis.dev
:home-ad-ca: HOME-ROOT-CA
// Network (VyOS replaced pfSense 2026-03-07)
:home-vyos-ip: 10.50.1.2
:home-vyos-host: vyos-01.inside.domusdigitalis.dev
:home-switch-ip: 10.50.1.10
:home-wlc-ip: 10.50.1.40
:home-wlc-host: wlc.inside.domusdigitalis.dev
// Storage
:nas-ip: 10.50.1.70
:nas-name: nas-01
:nas-nfs-path: /volume1/ise_backups
// ========================================================================
// PERSONAL PROJECTS
// ========================================================================
:prj-ipsk-home: PRJ-ISE-IPSK-HOME-ANTORA
:prj-home-linux: PRJ-ISE-HOME-LINUX-ANTORA
:prj-home-lab: PRJ-ISE-HOME-LINUX-ANTORA
:prj-netapi: PRJ-NETAPI-ANTORA
:prj-secrets: PRJ-SECRETS
:prj-recovery: PRJ-RECOVERY
:prj-infra-ops: PRJ-INFRA-OPS-ANTORA
// ========================================================================
// PERSONAL TOOLS
// ========================================================================
:tool-netapi: netapi (Personal ISE automation CLI)
:tool-dsec: dsec (Secrets management)
:tool-ansible: Ansible
:tool-git: Git
// Work documents
// ========================================================================
// SHARED ATTRIBUTES -- Home & Personal
// ========================================================================
// Source of truth for personal identity, home infrastructure, and
// document defaults used across daily worklogs and captures.
//
// Usage:
// include::partial$attributes.adoc[]
//
// For work-specific attributes (CHLA), also include:
// include::partial$attributes-work.adoc[]
//
// For HTML status styling, also include:
// include::partial$attributes-styles.adoc[]
//
// Per-document attributes (revdate, document-id, capture-date,
// focus-areas, etc.) remain in each file's header.
// ========================================================================
// ========================================================================
// DOCUMENT DEFAULTS
// ========================================================================
:id: UNSET
:document-id: {id}
// ========================================================================
// AUTHOR & IDENTITY
// ========================================================================
:author-name: Evan Rosado
:author-email-home: evan.rosado@domusdigitalis.dev
:author-email-work: erosado@chla.usc.edu
:author-email-personal: evan.rosado@outlook.com
// ========================================================================
// HOME ENTERPRISE DOMAINS
// ========================================================================
:home-domain: domusdigitalis.dev
:home-domain-internal: inside.domusdigitalis.dev
:home-domain-guest: guest.domusdigitalis.dev
:home-env-name: Home Enterprise ({home-domain})
// ========================================================================
// HOME ENTERPRISE INFRASTRUCTURE
// ========================================================================
// ISE Cluster (Home)
:home-ise-version: 3.3
:home-ise-pan-ip: 10.50.1.21
:home-ise-pan-host: ise-02.inside.domusdigitalis.dev
:home-ise-01-ip: 10.50.1.20
:home-ise-01-host: ise-01.inside.domusdigitalis.dev
:home-ise-02-ip: 10.50.1.21
:home-ise-02-host: ise-02.inside.domusdigitalis.dev
// DNS (BIND)
:home-dns-primary: 10.50.1.90
:home-dns-secondary: 10.50.1.1
:home-bind-ip: 10.50.1.90
:home-bind-host: bind-01.inside.domusdigitalis.dev
// Active Directory
:home-ad-server: HOME-DC01.inside.domusdigitalis.dev
:home-ad-ca: HOME-ROOT-CA
// Network (VyOS replaced pfSense 2026-03-07)
:home-vyos-ip: 10.50.1.2
:home-vyos-host: vyos-01.inside.domusdigitalis.dev
:home-switch-ip: 10.50.1.10
:home-wlc-ip: 10.50.1.40
:home-wlc-host: wlc.inside.domusdigitalis.dev
// Storage
:nas-ip: 10.50.1.70
:nas-name: nas-01
:nas-nfs-path: /volume1/ise_backups
// ========================================================================
// PERSONAL PROJECTS
// ========================================================================
:prj-ipsk-home: PRJ-ISE-IPSK-HOME-ANTORA
:prj-home-linux: PRJ-ISE-HOME-LINUX-ANTORA
:prj-home-lab: PRJ-ISE-HOME-LINUX-ANTORA
:prj-netapi: PRJ-NETAPI-ANTORA
:prj-secrets: PRJ-SECRETS
:prj-recovery: PRJ-RECOVERY
:prj-infra-ops: PRJ-INFRA-OPS-ANTORA
// ========================================================================
// PERSONAL TOOLS
// ========================================================================
:tool-netapi: netapi (Personal ISE automation CLI)
:tool-dsec: dsec (Secrets management)
:tool-ansible: Ansible
:tool-git: Git
// ========================================================================
// WORK ATTRIBUTES -- CHLA Environment
// ========================================================================
// Contains sensitive work-specific infrastructure, personnel, and project
// attributes. Include only in work-related documents.
//
// Usage:
// include::partial$attributes-work.adoc[]
// ========================================================================
// ========================================================================
// DOMAINS (Work)
// ========================================================================
:domain: chla.usc.edu
:ad-domain: la.ad.chla.org
:krb5-realm: LA.AD.CHLA.ORG
:ise-domain: ise.chla.org
:work-env-name: Enterprise (CHLA)
// ========================================================================
// ISE CLUSTER (CHLA Production)
// ========================================================================
// Primary PAN
:ise-ppan-ip: 10.101.2.121
:ise-ppan-host: ppan.ise.chla.org
// Secondary PAN
:ise-span-ip: 10.101.2.122
:ise-span-host: span.ise.chla.org
:ise-span: {ise-span-host}
// Primary MnT
:ise-pmnt-ip: 10.101.2.123
:ise-pmnt-host: pmnt.ise.chla.org
// Secondary MnT
:ise-smnt-ip: 10.101.2.124
:ise-smnt-host: smnt.ise.chla.org
// Policy Service Nodes -- Building 1
:ise-psn-1-ip: 10.101.2.131
:ise-psn-2-ip: 10.101.2.132
// Policy Service Nodes -- Building 2
:ise-psn-3-ip: 10.248.11.134
:ise-psn-4-ip: 10.248.11.135
:ise-version: 3.2 Patch 6
// ========================================================================
// DNS SERVERS (CHLA)
// ========================================================================
:dns-primary: 10.112.142.41
:dns-secondary: 10.192.142.41
:dns-backup: 10.112.142.42
// ========================================================================
// ACTIVE DIRECTORY DOMAIN CONTROLLERS (CHLA)
// ========================================================================
// Building 1
:ad-dc-1: 10.112.118.141
:ad-dc-2: 10.112.118.143
// Building 2
:ad-pdc: 10.100.11.28
:ad-dc-3: 10.100.11.27
// ========================================================================
// NETWORK INFRASTRUCTURE (CHLA)
// ========================================================================
:nas-research: 10.134.144.109
:remediation-server: remediation.chla.org
// ========================================================================
// PERSONNEL
// ========================================================================
:user-ben: Ben Castillo (SysEng)
:user-shahab: Dr. Shahab Asgharzadeh
:user-shahab-dept: Spatial Biology and Genomics Core (TSRI SBG)
:user-shahab-mac: b4:e9:b8:f6:c8:17
:user-samuel: Samuel John (Database Architect, Digital Dev & Solutions Architecture)
:user-argam: Argam Darbinian (Endpoint Engineer I)
:user-levitt: Dr. Pat Levitt
:user-levitt-email: plevit@chla.usc.edu
:user-carlos: Carlos (InfoSec)
:user-victor: Victor (Cloud/AD)
// Person shorthand
:person-sarah: Sarah Clizer (CISO)
:person-shahab: {user-shahab}
:person-ben: {user-ben}
:person-victor: {user-victor}
:person-carlos: {user-carlos}
// Teams
:team-infosec: Information Security Team
:team-network: Network Engineering Team
:team-endpoint: Endpoint Engineering Team
// ========================================================================
// PROJECTS
// ========================================================================
:prj-ipsk-chla: PRJ-ISE-IPSK-CHLA-ANTORA
:prj-chla-linux: PRJ-ISE-CHLA-LINUX-ANTORA
:prj-sentinel-migration: PRJ-SENTINEL-MIGRATION
:prj-mschapv2-migration: PRJ-MSCHAPV2-TO-EAPTLS
// ========================================================================
// iPSK ATTRIBUTES
// ========================================================================
:ipsk-primary-hostname: ipsk-mgr-01
:ipsk-secondary-hostname: ipsk-mgr-02
:ssid-iot: CHLA_IoT
:policy-set-name: IoT WIFI iPSK
:odbc-source-name: iPSKManager
:mysql-port: 3306
:db-name: ipsk
// ========================================================================
// TOOLS & PLATFORMS (Security Stack)
// ========================================================================
// SIEM & Security Analytics
:tool-qradar: IBM QRadar SIEM (Legacy - migrating from)
:tool-sentinel: Microsoft Sentinel (Target SIEM)
:tool-defender: Microsoft Defender for Endpoint
:tool-xdr: Microsoft Defender XDR
// Threat Intelligence
:tool-abuseipdb: AbuseIPDB
:tool-virustotal: VirusTotal
:tool-urlscan: URLScan.io
:tool-talos: Cisco Talos Intelligence
// Infrastructure & Access
:tool-claroty: Claroty XDome (OT Security)
:tool-umbrella: Cisco Secure Umbrella (DNS Filtering)
:tool-posture: Cisco Secure Client Posture Module
:tool-ise: Cisco Identity Services Engine
:tool-adcs: Active Directory Certificate Services
// Collaboration & Ticketing
:tool-teams: Microsoft Teams
:tool-servicenow: ServiceNow
:tool-slack: Slack
// Development & Automation
:tool-azure-devops: Azure DevOps
// ========================================================================
// PEOPLESOFT TIME TRACKING
// ========================================================================
// Standard Admin Codes (CHLA InfoSec Engineering)
:ps-account: 605010
:ps-fund-code: 1010
:ps-department: 8492000
:ps-pc-unit: PC100
// ----------------------------------------------------------------------------
// Active Projects (Project # | Combo Code | Activity Code)
// Usage: {prj-<name>}, {combo-<name>}, {activity-<name>}
// ----------------------------------------------------------------------------
// EDR Migration (AMP to Defender)
:prj-edr-migration: 000017633
:combo-edr-migration: 000018546
:activity-edr-migration: 21
// Windows 11 Device Hardening
:prj-win11-hardening: 000017706
:combo-win11-hardening: 000018549
:activity-win11-hardening: 21
// iPad Refresh (Spectrum TV App & GetWell SSID)
:prj-ipad-refresh: 000016444
:combo-ipad-refresh: 000018551
:activity-ipad-refresh: 20
// Immunity Lab Move
:prj-immunity-lab: 000017481
:combo-immunity-lab:
:activity-immunity-lab: 21
// Mind DLP Proof of Value
:prj-mind-dlp: 000017956
:combo-mind-dlp: 000018452
:activity-mind-dlp: 21
// iSensix dACL + IoT VLAN Assignment
:prj-isensix-dacl:
:combo-isensix-dacl:
:activity-isensix-dacl: 21
// Cisco Catalyst Center (DNA Center Migration)
:prj-catalyst-center:
:combo-catalyst-center:
:activity-catalyst-center:
// ----------------------------------------------------------------------------
// Activity Hour Baselines (realistic end-to-end effort)
// ----------------------------------------------------------------------------
// Meetings & Collaboration
:hrs-meeting: 1.0
:hrs-stakeholder-meeting: 1.5
:hrs-workshop: 2.0
:hrs-vendor-call: 1.5
:hrs-cab-attendance: 1.0
// ISE / Network Policy
:hrs-ise-policy-mac: 3.0
:hrs-ise-policy-win: 4.5
:hrs-ise-policy-linux: 4.0
:hrs-dacl-design: 3.5
:hrs-authz-profile: 3.0
:hrs-policy-set: 4.0
// Change Management
:hrs-change-request: 3.5
:hrs-cab-prep: 2.0
:hrs-cutover: 4.0
:hrs-rollback-planning: 2.0
// Testing & Validation
:hrs-device-testing: 2.5
:hrs-pilot-validation: 4.0
:hrs-integration-testing: 3.5
// Support & Operations
:hrs-support: 2.0
:hrs-incident-response: 3.0
:hrs-troubleshooting: 2.5
:hrs-post-cutover-support: 2.5
// Discovery & Documentation
:hrs-discovery: 3.0
:hrs-documentation: 2.0
:hrs-architecture-design: 4.0
// ========================================================================
// STYLE ATTRIBUTES -- HTML Status Styling
// ========================================================================
// Contains CSS styling for status indicators and priority markers.
// Only applied when rendering to HTML (backend-html5).
//
// Usage:
// include::partial$attributes-styles.adoc[]
//
// Styling classes:
// .pass, .fail, .pending, .active
// .status-complete, .status-inprogress, .status-blocked, .status-pending, .status-notstarted
// .priority-critical, .priority-high, .priority-normal
// ========================================================================
++++
<style>
.pass { color: #22c55e; font-weight: bold; }
.fail { color: #ef4444; font-weight: bold; }
.pending { color: #f59e0b; font-weight: bold; }
.active { color: #3b82f6; font-weight: bold; }
.status-complete { color: #22c55e; font-weight: bold; }
.status-inprogress { color: #3b82f6; font-weight: bold; }
.status-blocked { color: #ef4444; font-weight: bold; }
.status-pending { color: #f59e0b; font-weight: bold; }
.status-notstarted { color: #94a3b8; font-weight: bold; font-style: italic; }
.priority-critical { background-color: #fef2f2; border-left: 4px solid #ef4444; padding: 0.5em; margin: 0.5em 0; }
.priority-high { background-color: #fef9c3; border-left: 4px solid #f59e0b; padding: 0.5em; margin: 0.5em 0; }
.priority-normal { background-color: #f0f9ff; border-left: 4px solid #3b82f6; padding: 0.5em; margin: 0.5em 0; }
</style>
++++Carryover — Complete Backlog
Work (CHLA) — P0 Critical
| Task | Details | Origin | Days |
|---|---|---|---|
MSCHAPv2 Migration Report |
Run netapi endpoint report + pandas graph — leadership wants auth trends, next migration wave (Chromebooks + Wyse = ~2,000 endpoints) |
2026-04-01 |
8 |
Enterprise Linux 802.1X |
Standardize Shahab/Ding deployment — DACL/VLAN assignment missing, posture not configured (CISO priority) |
2026-04-01 |
8 |
Vocera/Wyse iTrack RCA |
Fill out root cause report — TAC found RabbitMQ CPU spike, no definitive root cause |
2026-04-01 |
8 |
k3s NAT verification |
NAT rule 170 for 10.42.0.0/16 pod network — test internet connectivity (CRITICAL — blocks Wazuh) |
2026-03-09 |
31 |
Wazuh indexer recovery |
Restart pod after NAT confirmed working — SIEM visibility blocked |
2026-03-09 |
31 |
Strongline Gateway VLAN fix |
8 devices in wrong identity group (David Rukiza assigned) |
2026-03-16 |
24 |
Research Segmentation |
Research endpoints remain on trusted network — CISO decision pending |
— |
— |
Linux Research (Xiangming) |
EAP-TLS project BEHIND schedule (due 02-24) — nmcli certificate fix needed |
2026-02-24 |
44 |
iPSK Manager |
Pre-shared key automation stalled — DB replication issues (Ben Castillo) |
— |
— |
Work (CHLA) — P1 Important
| Task | Details | Origin | Days |
|---|---|---|---|
Monad Pipeline Evaluation |
Test pipeline creation, input sources, transforms (LEAD ROLE) — blocker for QRadar → Sentinel |
2026-03-11 |
29 |
Vocera EAP-TLS Supplicant Fix |
~10 phones failing 802.1X, missing supplicant config |
2026-03-12 |
28 |
Microsoft Sentinel KQL proficiency |
Build independent KQL proficiency — differentiate from team |
2026-04-01 |
8 |
Abnormal Security API |
Cisco ESA → Abnormal API migration — understand integration model |
2026-04-01 |
8 |
DMZ Migration |
External services audit behind NetScaler |
2026-04-01 |
8 |
GCC ISE Support |
3/4 nodes restored, PSN-04 deferred (NE-Systems engagement) |
2026-04-01 |
8 |
ISE MnT Messaging Service |
Enable "Use ISE Messaging Service for UDP syslogs delivery" |
2026-03-12 |
28 |
ISE Patch 9 upgrade |
ISE 3.2 Patch 9 addresses known replication issues |
2026-03-12 |
28 |
Verify ISE 3.2 Patch 8 status |
Was Feb 10-12 deployment completed? |
2026-04-06 |
3 |
QRadar → Sentinel Migration Planning |
Log source migration — blocked by Monad ETL |
— |
— |
Personal — P0 Blockers
| Task | Details | Origin | Days |
|---|---|---|---|
Z Fold 7 Termux |
gopass and SSH not working — cannot access passwords on mobile |
2026-03-10 |
30 |
gopass v3 organization |
Inconsistent structure, poor key-value usage |
2026-03-20 |
20 |
Tax preparation |
2025 filing deadline April 15 — documents not gathered |
— |
6 days left |
Housing search |
Granada Hills area apartments — quality of life, commute impact |
— |
— |
Personal — domus-api (2026-04-06)
| Task | Details | Status |
|---|---|---|
Demo domus-api to friends |
|
TODO |
Run validate.sh first |
Confirm 43/43 before demo |
TODO |
Push all repos |
domus-captures, domus-api, dots-quantum |
TODO |
domus-api Phase 3 |
Ollama integration (RAG over documentation) |
NEXT SESSION |
domus-api Phase 4 |
Multi-spoke (add all 15 repos to config) |
NEXT SESSION |
Personal — P16g Deployment (Phases 9-13)
| Task | Details | Status |
|---|---|---|
Phase 9: Multi-remote push |
GitHub + GitLab + Gitea configured |
TODO |
Phase 9: Clone remaining repos |
15 domus-* spoke + project repos |
TODO |
Phase 9: Verify Cloudflare Pages |
Confirm deployments trigger from P16g pushes |
TODO |
Phase 9: aerc email config |
Email configuration validation |
TODO |
Phase 10: Ollama + models |
Install Ollama, pull models |
TODO |
Phase 11: Verification checklists |
System/desktop/dev checklists + btrfs snapshot |
TODO |
Phase 12: UFW firewall |
Firewall rules + SSH hardening |
TODO |
Phase 12: AppArmor Node/Python |
Phase 3 profiles for Node/Python |
TODO |
Phase 13: Borg timer |
Backup automation |
TODO |
Personal — System Maintenance (2026-04-06)
| Task | Command/Details |
|---|---|
nvidia-persistenced |
|
Fallback initramfs on ESP |
Update pacman hook or remove fallback boot entry |
gocryptfs vault mount |
|
bind-tools install |
|
Bluetooth pairing |
Pair Galaxy Buds3 Pro via |
Sync fold7 |
|
Personal — Active Infrastructure
| Task | Details | Priority | Status |
|---|---|---|---|
Wazuh agent deployment |
Deploy agents to all infrastructure hosts |
P2 |
After archives fix |
k3s Platform |
Production k3s cluster on kvm-01 |
P1 |
In Progress |
Wazuh Archives |
Enable archives indexing in Filebeat, PVC fix |
P1 |
In Progress |
kvm-02 Hardware |
Supermicro B deployment, RAM upgrade done |
P1 |
In Progress |
Personal — Active Security
| Task | Details | Priority | Status |
|---|---|---|---|
Configure 4th YubiKey |
SSH FIDO2 keys |
P1 |
TODO |
Cold storage M-DISC backup |
age-encrypted archives |
P1 |
After YubiKey |
Personal — Active Development
| Task | Details | Priority | Status |
|---|---|---|---|
netapi Commercialization |
Go CLI rewrite with Cobra-style arg discovery, package for distribution |
P0 |
Active |
Ollama API Service |
FastAPI (17 endpoints), productize — config audit, doc tools, runbook gen |
P0 |
Active |
Shell functions (fe, fec, fef) |
File hunting helpers |
P3 |
TODO |
Personal — Active Personal
| Task | Details | Priority | Status |
|---|---|---|---|
ThinkPad T16g Setup |
Arch install, stow dotfiles, Ollama stack, netapi dev env |
P0 |
Phases 9-13 remaining |
P50 Arch to Ubuntu migration |
P2 |
In Progress |
|
X1 Carbon Ubuntu installs |
2 laptops, LUKS encryption |
P2 |
In Progress |
P50 Steam Test |
Test Flatpak Steam + apt cleanup of broken i386 packages |
P3 |
Pending |
Personal — Pending (Blocked)
| Task | Details | Blocked By |
|---|---|---|
Vault HA (3-node) |
vault-02, vault-03 on kvm-02 |
kvm-02 deployment |
k3s HA (3-node) |
Control plane HA |
kvm-02 deployment |
ArgoCD GitOps |
k3s GitOps deployment |
k3s stable |
MinIO S3 |
Object storage for k3s |
After ArgoCD |
SanDisk USB offsite rotation |
Backup strategy |
Time |
Windows PC Vault PKI migration |
EAP-TLS certs |
Runbook creation |
OpenClaw evaluation |
Deploy on separate machine (security concerns) |
Needs dedicated VM |
Personal — Deferred
| Task | Details | Revisit |
|---|---|---|
ISE HA |
PAN HA (ise-01 reconfigure) |
After ISE 3.4 migration |
ISE 3.5 Migration |
Upgrade path: 3.2p9 → 3.4 → 3.5 |
Q3 2026 |
Keycloak Rebuild |
keycloak-01 corrupted, rebuild from scratch |
When bandwidth allows |
FreeIPA HA |
ipa-02 replica |
After Vault HA |
AD DC HA |
home-dc02 replication |
After FreeIPA HA |
iPSK Manager HA |
ipsk-mgr-02 with MySQL replication |
After AD HA |
Personal — Projects (2026-04-02)
| Task | Details | Status |
|---|---|---|
Kora CLI |
Initialize Go project (implementation steps documented) |
TODO |
Borg backup script |
Test with Synology NAS |
TODO |
Personal — Infrastructure (2026-04-06)
| Task | Details | Status |
|---|---|---|
VPN incident triage |
INC-2026-04-06: test MTU, NAT masquerade, firewall zones on VyOS |
TODO |
Delete test incident |
|
Resolved 2026-04-07 |
Infrastructure — domus-infra-ops Projects
| Task | Details | Status |
|---|---|---|
k3s HA (3 masters) |
Production cluster HA |
Blocked on kvm-02 |
ArgoCD GitOps |
k3s GitOps deployment |
After HA complete |
iPSK Manager HA |
PostgreSQL replication, HAProxy, Redis session store |
Planned |
Vault PKI Migration |
Workstation role, BYOD role, ISE trust store update |
In Progress |
AD CS Decommission |
Remove CA role from home-dc (target 2026-07) |
Planned |
Education — P0 Critical (53 days to June 1)
| Task | Details | Status |
|---|---|---|
CISSP Phase 0 |
Acquire study materials — 10-domain certification |
NOT STARTED |
RHCSA 9 study |
21-phase curriculum — Ch 1-2/20 complete |
IN PROGRESS |
Claude Code Certification |
Nick Saraev course — 26:49/4hr |
IN PROGRESS |
LPIC-1 Renewal |
Check expiry, register for exam |
RENEW |
SIELE C1 |
Comprension auditiva practice, subjuntivo mastery |
ACTIVE |
Documentation — Pending Tasks
| Task | Details | Status |
|---|---|---|
61 projects need appendices |
Bulk appendix-issues/appendix-todos remediation |
TODO |
RHEL 9 Phase 1 |
KVM VM creation for RHEL 9 workstation project |
TODO |
D2 Catppuccin Mocha styling |
domus-* spoke repos (177 files total) |
In Progress |
Recurring — Don’t Forget
| Task | Context | Frequency |
|---|---|---|
Borg backup verification |
Workstation backups |
Weekly |
SSH cert renewal |
vault-ssh-sign (8h TTL) |
Automated |
Vault unseal check |
After reboots |
As needed |
ISE eval backup restore |
Reset 90-day timer |
Every 90 days |
Subscriptions tracker review |
Audit for cost creep |
Monthly |