INC-2026-03-16: Prevention

Lessons Learned

Certificate TTL and Daily Workflow

The Vault SSH CA certificate has an 8-hour TTL. This means:

  • Certificate signed at 8pm expires at 4am

  • Morning SSH attempts fail with only a "publickey" rejection; nothing in the client-side error points to an expired certificate

  • Always check certificate validity when SSH fails unexpectedly

Quick diagnostic:

ssh-keygen -L -f ~/.ssh/id_ed25519_vault-cert.pub | grep Valid

vault-ssh-sign Script Needs Updating

The vault-ssh-sign wrapper script hardcodes principals that don’t include the current Termux user (u0_a385).

Current principals in script:

Administrator,domus\Administrator,adminerosado,admin,ansible,evanusmodestus,gabriel,root,u0_a361

Manual workaround (until script is fixed):

vault write -field=signed_key ssh/sign/domus-client \
  public_key=@$HOME/.ssh/id_ed25519_vault.pub \
  valid_principals="evanusmodestus,u0_a385" >| ~/.ssh/id_ed25519_vault-cert.pub

Verify:

ssh-keygen -L -f ~/.ssh/id_ed25519_vault-cert.pub | grep -A5 Principals

Expected output:

        Principals:
                evanusmodestus
                u0_a385
        Critical Options: (none)
        Extensions:
                permit-pty
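
The validity check and the principals check above, combined into one step. This is an added example, not part of the original runbook or the vault-ssh-sign script: a hypothetical `cert_check` function parses `ssh-keygen -L` output and reports whether the certificate is inside its validity window and carries the principals you need. The sample certificate text is constructed, with placeholder fingerprints.

```shell
# usage: ssh-keygen -L -f CERT | cert_check NOW PRINCIPAL...
#   NOW: local time, YYYY-MM-DDTHH:MM:SS (e.g. "$(date +%Y-%m-%dT%H:%M:%S)")
# returns: 0 usable, 1 outside validity window, 2 principal missing, 3 no Valid line
cert_check() {
  _now=$1; shift
  # ENVIRON rather than -v, so a backslash in a principal (domus\Administrator) survives
  NOW=$_now WANT="$*" awk '
    $1 == "Valid:" {
      seen = 1
      if ($2 == "from")   { start = $3 ""; stop = $5 "" }
      if ($2 == "after")  { start = $3 "" }
      if ($2 == "before") { stop = $3 "" }
      next                      # "forever" leaves both bounds empty
    }
    $1 == "Principals:" { in_p = 1; next }
    in_p && NF == 1 && $1 !~ /:$/ { have[$1] = 1; next }
    { in_p = 0 }                # any other line ends the principals list
    END {
      now = ENVIRON["NOW"] ""
      if (!seen) exit 3
      # same-format ISO timestamps order correctly as plain strings
      if ((start != "" && now < start) || (stop != "" && now >= stop)) exit 1
      n = split(ENVIRON["WANT"], w, " ")
      for (i = 1; i <= n; i++) if (!(w[i] in have)) exit 2
    }'
}

# Constructed sample of `ssh-keygen -L` output (fingerprints are placeholders):
# signed at 8pm with the 8-hour TTL, so it expires at 4am.
SAMPLE='/home/user/.ssh/id_ed25519_vault-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:PLACEHOLDER
        Signing CA: ED25519 SHA256:PLACEHOLDER (using ssh-ed25519)
        Key ID: "constructed-example"
        Serial: 0
        Valid: from 2026-03-15T20:00:00 to 2026-03-16T04:00:00
        Principals:
                evanusmodestus
                u0_a385
        Critical Options: (none)
        Extensions:
                permit-pty'

# Evening: usable. Next morning: expired, which is the failure described above.
printf '%s\n' "$SAMPLE" | cert_check 2026-03-15T23:00:00 u0_a385 && echo "usable"
printf '%s\n' "$SAMPLE" | cert_check 2026-03-16T07:30:00 u0_a385 || echo "rc=$? (expired)"
```
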

Common Gotcha: Tilde Expansion in Vault Commands

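When using Vault's @ file syntax, ~ does NOT expand. The tilde follows @ rather than starting the word, so the shell leaves it alone and Vault receives a literal ~ in the path: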

# WRONG - fails with "no such file or directory"
vault write ... public_key=@~/.ssh/id_ed25519_vault.pub

# CORRECT - use $HOME
vault write ... public_key=@$HOME/.ssh/id_ed25519_vault.pub

Mobile Workflow Use Cases

The Z Fold 7’s large inner screen (7.6") makes terminal work practical on the go.

Regex Training on the Road

Scenario: Waiting at DMV, coffee shop, airport, walking in Medellin…

# Jump to regex curriculum
regex

# Or open specific session
nvim ~/atelier/_bibliotheca/domus-captures/docs/modules/ROOT/pages/education/training/regex/session-03-character-classes.adoc

# Practice with grep on sample files
cd ~/atelier/_bibliotheca/domus-captures/docs/modules/ROOT/examples
grep -E 'pattern' sample.txt

Quick Reference Lookups

# jq patterns
nvim ~/atelier/_bibliotheca/domus-captures/docs/modules/ROOT/examples/codex/bash/jq-sysadmin.adoc

# awk reference
nvim ~/atelier/_bibliotheca/domus-captures/docs/modules/ROOT/examples/codex/bash/awk.adoc

# grep patterns
nvim ~/atelier/_bibliotheca/domus-captures/docs/modules/ROOT/examples/codex/bash/grep.adoc

On-Call Runbook Access

# Quick access to runbooks
cd ~/atelier/_bibliotheca/domus-infra-ops/docs/asciidoc/modules/ROOT/pages/runbooks
ls *.adoc

# View specific runbook
nvim vyos-deployment.adoc
nvim k3s-deployment.adoc

Capture Ideas While Mobile

# Open today's worklog
wrklog

# Add quick note
# (edit in nvim, save, commit later)

Sync Changes

# Pull latest before starting
cd ~/atelier/_bibliotheca/domus-captures && git pull

# Push changes when done
git add -A && git commit -m "mobile: Quick capture" && git push

Keyboard Recommendations

For serious mobile work, pair with:

  • Samsung DeX mode - Desktop-like experience on external display

  • Bluetooth keyboard - Full typing speed

  • Termux:Float - Floating terminal over other apps