RCA-2026-03-09-001: Fix Applied

nmcli con mod "Domus-Wired-EAP-TLS" \
  ipv4.method manual \
  ipv4.addresses "10.50.1.106/24" \
  ipv4.gateway "10.50.1.1" \
  ipv4.dns "10.50.1.90,10.50.1.91"

nmcli con up "Domus-Wired-EAP-TLS"

# Get certificate paths from connection
CERT=$(nmcli -g 802-1x.client-cert con show "Domus-Wired-EAP-TLS")
KEY=$(nmcli -g 802-1x.private-key con show "Domus-Wired-EAP-TLS")
CA=$(nmcli -g 802-1x.ca-cert con show "Domus-Wired-EAP-TLS")

# Certificate expiry check
openssl x509 -in "$CERT" -noout -dates

# Days until expiry (30-day warning)
openssl x509 -in "$CERT" -noout -checkend $((86400*30)) && \
  echo "Valid for 30+ days" || echo "EXPIRES WITHIN 30 DAYS"

# Validate certificate chain
openssl verify -CAfile "$CA" "$CERT"

# Check key matches certificate
openssl x509 -in "$CERT" -noout -modulus | openssl md5
openssl rsa -in "$KEY" -noout -modulus | openssl md5
# Both should output same hash

# Show all IPv4 addresses with interface
ip -4 -o addr show | awk '{print $2, $4}'

# Show default gateway
ip route show default | awk '{print $3}'

# Show route to specific destination
ip route get 10.50.1.1

# ARP table
ip neigh show | awk '{print $1, $5}' | column -t

# Full network status one-liner
echo "IP: $(ip -4 -o addr show enp130s0 | awk '{print $4}')" && \
echo "GW: $(ip route show default | awk '{print $3}')" && \
echo "DNS: $(grep nameserver /etc/resolv.conf | awk '{print $2}' | tr '\n' ' ')"

# Connectivity check
for h in 10.50.1.1 10.50.1.90 8.8.8.8; do
  ping -c1 -W1 $h &>/dev/null && echo "$h: OK" || echo "$h: FAIL"
done

# DNS resolution test (both servers)
for dns in 10.50.1.90 10.50.1.91; do
  echo -n "$dns: "
  dig +short vault-01.inside.domusdigitalis.dev @$dns
done

# Interface errors and drops
ip -s link show enp130s0 | awk '/RX:|TX:|errors/{print}'

# Listen for EAP traffic
sudo tcpdump -i enp130s0 -c 10 'ether proto 0x888e'