Weekly Review

Weekly review for Sunday planning. Audit carryover, review ideas, track certifications, verify PeopleSoft.

CRITICAL - Certification Deadlines

URGENT — Performance Review Certifications

Certification | Provider | Deadline | Status | Impact
CISSP | ISC² — Certified Information Systems Security Professional | July 12, 2026 | ACTIVE — Week 2 of 10 (Project) | Required for performance review. 10-week accelerated plan.
RHCSA 9 | Red Hat Certified System Administrator | Q3 2026 | ACTIVE — 21-phase curriculum (Project) | After CISSP. Required for performance review.

CISSP: 41 days remaining (exam July 12). Domain 1 study in progress. Schedule exam today (06-01).
These are PERFORMANCE REVIEW requirements. Missing deadline = career impact.

PeopleSoft Time Entry

Are you behind on time entry? Submit biweekly.

Active Projects — With Codes

Project | Code | Combo | Activity | Budget (hrs)
Recognition Kiosk (Poppulo) - IS Labor | 000018166 | 000018623 | 20 | 12
Spectrum TV/GetWell iPad Refresh | 000016444 | 000018551 | 20 |
Azure Legacy Migration | 000018100 | 000018619 | 20 |
Cisco Secure Endpoint Replacement | 000017633 | 000018546 | |
Windows 11 Device Hardening | 000017706 | 000018549 | |

SIEM Migration & Monitoring

Project Code Combo Activity Budget (hrs)

QRadar → Sentinel Migration (LEAD)

Monad Pipeline Evaluation

Sentinel KQL Development

Centralized rsyslog Server

VNC Blocking (due mid-June)

Security & Compliance

Project Code Combo Activity Budget (hrs)

Mandiant Remediation

Abnormal Security (ESA→EOP)

Firewall Audit

Murus Portae (WAF/Segmentation)

DMZ Migration

Research Segmentation

ISE Patch 10 / CVE Remediation

ISE & Network Access

Project Code Combo Activity Budget (hrs)

MSCHAPv2 to EAP-TLS Migration

ISE 3.4 Migration

ISE Hardware Refresh

IPSK Manager HA

Enterprise Linux 802.1X

ISE Annual Cert Renewal

Deployments & Inventory

Project Code Combo Activity Budget (hrs)

BMS Device Inventory

TCP Clocks Deployment

Downtime Computers Enforcement

Tube System Upgrade

Disaster Recovery / Downtime Procedures

Infrastructure & Networking

Project Code Combo Activity Budget (hrs)

ASA VPN Okta to Entra

Linux Research / Server Deployment

Network Diagram Library

Standard Administrative Codes

Field | Value | Notes
Account | 605010 | InfoSec Engineering
Fund Code | 1010 |
Department | 8492000 |
PC Unit | PC100 |

Carryover Audit

Review items carried over too long. Either DO them or REMOVE them.

Carryover Backlog (CRITICAL)

Task | Details | Origin | Days | Status
MSCHAPv2 Migration Report | Report due. 6-sheet Standard Report (exec summary, trend, waves, device detail, stale, policy match). Sheet 6 added 05-14: policy match by protocol for removal planning + anonymous identity validation. Migration window 2026-05-04 to 2026-05-30. ~6,227 devices, 5 waves. | 2026-04-17 | 49 | P0 - DUE — run report this week
Abnormal Security — ✅ COMPLETE | CR-2026-05-07-abnormal-read-write. CAB approved 2026-05-12. Implemented successfully 2026-05-13. Read/write enabled for pilot group. Post-deployment validation pending. | 2026-05-07 | 29 | ✅ IMPLEMENTED — post-validation pending
SIEM QRadar → Sentinel Migration | Lead role. Monad console error RESOLVED 2026-05-12 — secrets configured in CHLA production tenant. ISE secure syslog integration in progress — cert imported, remote logging target configured, streaming errors under investigation. Blocking: DCR not created (Rule ID + Stream Name). Azure private network policy unresolved. Victor + Mauricio action. | 2026-04-10 | 56 | P0 - ACTIVE — ISE syslog + DCR blocking
Monad Pipeline Evaluation | Sentinel output connector. Console error resolved. 3 of 6 values configured. Remaining: Endpoint URL (have it), Rule ID + Stream Name (need DCR). ISE Remote Logging Target configured 2026-05-18 — TLS cert imported, secure syslog target created. Streaming errors in Monad console under investigation. | 2026-03-11 | 86 | P0 - ACTIVE — ISE integration in progress
Guest Redirect ACL | Guest redirect ACL work needed. Related to Mandiant remediation findings. | 2026-05-12 | 24 | P0 - TODO
ISE Patch 10 (CVE-2026-20147 CVSS 9.9) | ISE 3.2 Patch 10. Supersedes Patch 9. 85 days on a CVSS 9.9 — schedule maintenance window. Write CR if needed. | 2026-03-12 | 85 | P0 - OVERDUE — schedule immediately
k3s NAT verification | NAT rule 170 for 10.42.0.0/16 pod network - test internet connectivity. 88 days — test this week or defer to Q3. | 2026-03-09 | 88 | P0 - BLOCKING — TRIAGE: schedule or defer
Wazuh indexer recovery | Restart pod after NAT confirmed working - SIEM visibility blocked. Blocked by k3s NAT — cannot proceed until above resolved. | 2026-03-09 | 88 | P0 - Blocked by k3s
Strongline Gateway VLAN fix | 8 devices in wrong identity group (David Rukiza assigned) | 2026-03-16 | 81 | P0 - TODO
TCP Clocks deployment | ISE identity group validation, query outputs, comms with team. Active d001 data Apr 22-23. | 2026-04-22 | 44 | P0 - ACTIVE
IoT Dr. Kim — recurring | Sleep study devices (Apr 15-16), watches recurrence (Apr 22). 5 incident versions in d001. Validate iPSK enrollment. | 2026-04-15 | 51 | P0 - RECURRING
Murus Portae (WAF) — Phase 0 | FMC cert expired, ACP returns zero rules. d001: zone map, architecture D2, FMC API reference, ops script. | 2026-04-16 | 50 | P0 - INVESTIGATING
Vocera EAP-TLS Supplicant Fix | ~10 phones failing 802.1X, missing supplicant config. 85 days — schedule with clinical engineering team. | 2026-03-12 | 85 | P1 - TODO — schedule
ISE MnT Messaging Service | Enable "Use ISE Messaging Service for UDP syslogs delivery". 85 days — low risk, schedule with ISE Patch 10 maintenance window. | 2026-03-12 | 85 | P2 - BUNDLE with Patch 10
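The Days column above is only right on the day it was computed, and the "NN days" phrases inside the details drift even faster. The following is an added example, not the page's own tooling: it recomputes every item's age from its Origin date against one as-of date, flags anything past the weekly checklist's 7-day threshold, and reports where the recorded Days column or a "NN days" phrase in the details disagrees with the recomputed age. The rows are constructed from the tables on this page (the last one is hypothetical), and the as-of date 2026-06-05 is an assumption chosen because the Carryover Backlog Days column agrees with it.

```python
"""Carryover age audit for the backlog tables above (added example)."""
from datetime import date
import re

AS_OF = "2026-06-05"          # assumption: date the Carryover Backlog Days column was last computed
THRESHOLD_DAYS = 7            # weekly checklist: >7 days = action required
DAYS_PHRASE = re.compile(r"\b(\d+) days\b")

# Constructed rows: (task, details, origin, Days as recorded in the table).
# The last row is hypothetical: its details phrase was written at an earlier review.
ROWS = [
    ("SIEM QRadar → Sentinel Migration", "Lead role. DCR not created.", "2026-04-10", 56),
    ("Guest Redirect ACL", "Guest redirect ACL work needed.", "2026-05-12", 24),
    ("Z Fold 7 Termux", "gopass and SSH not working", "2026-03-10", 58),
    ("Sample stale row (hypothetical)", "Noted at 61 days; still open.", "2026-03-12", 85),
]


def age_days(origin, as_of=AS_OF):
    """Calendar days from the origin date to the as-of date."""
    return (date.fromisoformat(as_of) - date.fromisoformat(origin)).days


def audit_row(task, details, origin, recorded, as_of=AS_OF, threshold=THRESHOLD_DAYS):
    """Recompute one row's age and list everything that disagrees with it."""
    age = age_days(origin, as_of)
    issues = []
    if age > threshold:
        issues.append(f"{age} days old, over the {threshold}-day threshold: do it or remove it")
    if recorded != age:
        issues.append(f"Days column says {recorded}, recomputed {age}: row is stale")
    for phrase in DAYS_PHRASE.findall(details):
        if int(phrase) != age:
            issues.append(f"details say {phrase} days, recomputed {age}: text is stale")
    return {"task": task, "age": age, "issues": issues}


def audit(rows=ROWS, as_of=AS_OF, threshold=THRESHOLD_DAYS):
    """Audit every row; returns one dict per row in table order."""
    return [audit_row(*row, as_of=as_of, threshold=threshold) for row in rows]


def stale_tasks(rows=ROWS, as_of=AS_OF):
    """Tasks whose recorded numbers no longer match the recomputed age."""
    return [r["task"] for r in audit(rows, as_of) if any("stale" in i for i in r["issues"])]


def over_threshold(rows=ROWS, as_of=AS_OF, threshold=THRESHOLD_DAYS):
    """Tasks older than the threshold: the 'do it or remove it' list."""
    return [r["task"] for r in audit(rows, as_of, threshold) if r["age"] > threshold]


if __name__ == "__main__":
    for r in audit():
        print(f"{r['task']}: {r['age']} days")
        for issue in r["issues"]:
            print(f"  - {issue}")
```

Run it on Sunday before editing the tables: every task it lists as stale needs either a fresh Days value or a rewritten details line, and everything over the threshold is a do-or-remove decision.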

BLOCKERS — Fix Immediately

Task | Details | Origin | Days | Impact
Z Fold 7 Termux | gopass and SSH not working | 2026-03-10 | 58 | BLOCKER — Cannot access passwords on mobile
gopass v3 organization | Inconsistent structure, poor key-value usage | 2026-03-20 | 48 | Inefficient password management, no aggregation
Git history scrub — sensitive personal terms | Plaintext references to personal legal matters in committed worklogs (WRKLOG-2026-03-14, WRKLOG-2026-04-18). Forward-fixed but old commits still contain strings. Requires git filter-repo + force-push. See runbook below. | 2026-04-22 | 15 | SECURITY — sensitive terms in public git history

Runbook: Git History Scrub (d000 Personal Terms)

Problem: Two committed worklogs contained plaintext references to personal legal matters. The files have been edited (forward-fix), but git history retains the original text in prior commits.

Affected commits: Any commit touching these files:

# Identify affected commits
git log --oneline -- \
  docs/modules/ROOT/pages/2026/03/WRKLOG-2026-03-14.adoc \
  docs/modules/ROOT/pages/2026/04/WRKLOG-2026-04-18.adoc

Scrub procedure:

# 1. BEFORE: Full backup of the repo
cp -a ~/atelier/_bibliotheca/domus-captures ~/atelier/_bibliotheca/domus-captures.bak

# 2. Install git-filter-repo (if not present)
# Arch: pacman -S git-filter-repo
# pip: pip install git-filter-repo

# 3. Create expressions file for replacement.
#    Syntax is PATTERN==>REPLACEMENT; the separator is "==>" (three characters).
#    A line written with a bare "==" is read as one long pattern, effectively
#    matches nothing, and the scrub silently does no work. Rules apply in file
#    order, so the filename rules come first: if "divorce" and "iliana" ran
#    first they would rewrite the filenames and the filename rules would never
#    match. No comment lines inside the file; filter-repo treats every
#    non-empty line as a pattern.
cat > /tmp/scrub-expressions.txt << 'EXPR'
regex:legal-divorce-notes\.age==>legal-notes.age
regex:1099-NEC-iliana==>1099-NEC
regex:(?i)divorce==>[REDACTED]
regex:(?i)dissolutio(?!n\.adoc\.age)==>[REDACTED-LEGAL]
regex:(?i)iliana==>[REDACTED-NAME]
regex:(?i)angulo-arreola==>[REDACTED-NAME]
EXPR
#    --replace-text rewrites file contents only. If the file itself was ever
#    committed as legal-divorce-notes.age, rename it in history as well with
#    --path-rename <old/path>:<new/path>; if a term appears in a commit
#    message, add --replace-message with the same expressions file.

# 4. Verify before: count (commit, file) pairs anywhere in history that still
#    contain each term, case-insensitively. Note the counts.
for term in divorce dissolutio iliana angulo-arreola; do
  printf '%s: ' "$term"
  git rev-list --all | xargs -r git grep -il -e "$term" | wc -l
done

# 5. Run filter-repo (DESTRUCTIVE — rewrites all commit hashes)
git filter-repo --replace-text /tmp/scrub-expressions.txt --force

# 6. Verify after: the same loop must print 0 for every term
for term in divorce dissolutio iliana angulo-arreola; do
  printf '%s: ' "$term"
  git rev-list --all | xargs -r git grep -il -e "$term" | wc -l
done

# 7. Re-add remotes (filter-repo removes them)
git remote add origin git@github.com:<user>/domus-captures.git
# Add any other remotes (Gitea, etc.)

# 8. Force-push every branch and tag to all remotes (DESTRUCTIVE — overwrites
#    remote history). Not just main: a branch or tag left at the old history
#    keeps the old blobs reachable on the remote.
for r in $(git remote); do
  git push --force --all "$r"
  git push --force --tags "$r"
done

# 9. Clean up
rm /tmp/scrub-expressions.txt
rm -rf ~/atelier/_bibliotheca/domus-captures.bak  # only after verifying

Post-scrub checklist:

  • Backup created before running

  • git filter-repo installed

  • Expressions file reviewed — separator is ==>, specific filename rules precede the generic terms, no false positives (e.g., Don Quijote "Angulo el Malo" is in segunda-parte/texto/texto-011.adoc — the regex targets angulo-arreola specifically to avoid this)

  • Dry-run counts match expectations

  • Filter-repo executed

  • Post-scrub verification shows 0 matches

  • Remotes re-added

  • Force-pushed every branch and tag to all remotes

  • Hosted copies: a force-push does not delete the old commits on GitHub or Gitea; they stay reachable by SHA (and through forks and pull-request refs) until the host garbage-collects them. Ask GitHub Support to purge the old commits and delete or re-fork any forks you control.

  • Cloudflare Pages rebuild verified

  • Local clones on other machines re-cloned or git fetch --all && git reset --hard origin/main

  • Backup removed
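Step 3 is the part that fails quietly: a wrong separator or the wrong rule order leaves history untouched while every later step reports success. The following is an added example for the runbook, not part of it and not code from git-filter-repo. It re-implements the documented expression format (PATTERN==>REPLACEMENT, literal by default, regex: prefix for a Python regex, default replacement ***REMOVED***) so the rules can be dry-run against sample blob contents before any history is rewritten, lints the two mistakes above, and ships a heuristic ordering check. The assumption, drawn from how git-filter-repo applies rules, is that literal rules run before regex rules, each group in file order; the sample blobs are constructed.

```python
"""Preflight for a git-filter-repo --replace-text expressions file (added example)."""
import re

DEFAULT_REPLACEMENT = "***REMOVED***"

# The runbook's rules, filename rules first so the generic terms do not eat them.
RUNBOOK_RULES = r"""
regex:legal-divorce-notes\.age==>legal-notes.age
regex:1099-NEC-iliana==>1099-NEC
regex:(?i)divorce==>[REDACTED]
regex:(?i)dissolutio(?!n\.adoc\.age)==>[REDACTED-LEGAL]
regex:(?i)iliana==>[REDACTED-NAME]
regex:(?i)angulo-arreola==>[REDACTED-NAME]
"""
# Same rules, generic terms first: the shape of the bug the ordering check catches.
BAD_ORDER = "\n".join(reversed(RUNBOOK_RULES.strip().splitlines()))

# Constructed sample blobs standing in for the two worklogs and a Quijote page.
SAMPLE_BLOBS = {
    "WRKLOG-2026-03-14.adoc": "Filed divorce paperwork; see legal-divorce-notes.age and 1099-NEC-iliana.",
    "WRKLOG-2026-04-18.adoc": "Dissolution hearing moved. Archive: dissolution.adoc.age",
    "texto-011.adoc": "En el que se cuenta la aventura de Angulo el Malo.",
}


def lint_expressions(text):
    """Warnings for lines that filter-repo would accept but not do what was meant."""
    warnings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.lstrip().startswith("#"):
            warnings.append(f"line {n}: '#' lines are not comments; this is a pattern")
        if "==" in line and "==>" not in line:
            warnings.append(f"line {n}: '==' is not a separator; use '==>' or the whole line "
                            "becomes the pattern and never matches")
    return warnings


def parse_expressions(text):
    """Split the file into (literals, regexes), each list in file order."""
    literals, regexes = [], []
    for line in text.splitlines():
        line = line.rstrip("\r\n")
        if not line:
            continue
        replacement = DEFAULT_REPLACEMENT
        if "==>" in line:
            cut = line.rfind("==>")
            line, replacement = line[:cut], line[cut + 3:]
        if line.startswith("regex:"):
            regexes.append((re.compile(line[6:]), replacement))
        else:
            literals.append((line, replacement))  # glob: rules not handled here
    return literals, regexes


def scrub(blob, rules):
    """Apply parsed rules to one blob's text: literals first, then regexes, in order (assumption)."""
    literals, regexes = rules
    for lit, rep in literals:
        blob = blob.replace(lit, rep)
    for rx, rep in regexes:
        blob = rx.sub(rep, blob)
    return blob


def shadowed_rules(text):
    """Heuristic ordering check: an earlier regex that matches the text of a later
    pattern would rewrite that text in blobs first, so the later rule never fires."""
    _, regexes = parse_expressions(text)
    hits = []
    for i, (early, _) in enumerate(regexes):
        for late, _ in regexes[i + 1:]:
            if early.search(late.pattern):
                hits.append((early.pattern, late.pattern))
    return hits


def preflight(text, blobs):
    """Dry run: {blob name: (scrubbed text, patterns that still match afterwards)}."""
    rules = parse_expressions(text)
    report = {}
    for name, content in blobs.items():
        after = scrub(content, rules)
        leftover = [rx.pattern for rx, _ in rules[1] if rx.search(after)]
        report[name] = (after, leftover)
    return report


if __name__ == "__main__":
    for warn in lint_expressions(RUNBOOK_RULES):
        print("WARN", warn)
    for early, late in shadowed_rules(RUNBOOK_RULES):
        print(f"WARN rule {early!r} shadows {late!r}")
    for name, (after, leftover) in preflight(RUNBOOK_RULES, SAMPLE_BLOBS).items():
        print(f"{name}: {after!r} leftover={leftover}")
```

Point it at real blob contents with `git show <rev>:<path>` for the affected commits from step 1 before running step 5; the Quijote sample is there to show the angulo-arreola rule leaving "Angulo el Malo" alone, and the dissolution.adoc.age sample shows the negative lookahead doing its job.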

Ideas Backlog

Review weekly - promote to active or archive.

Ideas — Infrastructure

Inbox

Idea | Context | Category | Captured
BIND secondary DNS | bind-02 for HA (currently SPOF) | infra | 2026-03-22
ipa-02 replica | FreeIPA HA (currently SPOF) | infra | 2026-03-22
Borg backup dashboard | Visualize backup status across hosts | infra | 2026-03-22

Vault HA Cluster

Current Vault is single-node (vault-01). Need 3-node Raft HA cluster for production reliability. Blocked by kvm-02 deployment.

  • vault-01 (10.50.1.60) — existing, leader

  • vault-02 — new, on kvm-02

  • vault-03 — new, on kvm-02

  • Raft storage backend — replicated, no external dependency

  • Auto-unseal via transit or recovery keys

This unblocks: k3s Vault Agent Injector, ArgoCD secrets, certificate auto-renewal at scale. The SPOF risk is real — if vault-01 goes down, SSH certificates stop issuing, PKI breaks, and secrets become inaccessible.

k3s HA Cluster

Current k3s is single control plane. Need 3-node for production:

  • Embedded etcd (3-node quorum)

  • Cilium CNI already deployed — HA-ready

  • MetalLB L2 mode — no changes needed

  • Blocked by: kvm-02 hardware + Vault HA (secrets injection depends on Vault)

Vault Backup to S3

Automated Vault Raft snapshots to MinIO (self-hosted S3). Currently manual snapshots to Synology NAS. Need:

  • MinIO deployed on k3s (depends on k3s HA)

  • Vault cron job for vault operator raft snapshot save

  • Retention policy (7 daily, 4 weekly, 12 monthly)

  • Restore tested and documented
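The retention bullet is the part worth getting right before the cron job exists, because a pruning bug deletes the snapshot you need on restore day. The following is an added example, not existing domus tooling: a rotation script whose retention logic (newest 7 snapshots, plus the newest snapshot of each of the last 4 ISO weeks and last 12 months) is a pure function that can be checked without Vault or MinIO. Assumptions: the vault and mc CLIs are on PATH with VAULT_ADDR and VAULT_TOKEN set, an mc alias named "minio" points at the MinIO deployment, the bucket is "vault-snapshots", and snapshots are named vault-YYYYMMDD.snap so the date is recoverable from the object name alone.

```python
"""Vault Raft snapshot rotation with 7 daily / 4 weekly / 12 monthly retention (added example)."""
from datetime import date, timedelta
import re
import subprocess

BUCKET = "minio/vault-snapshots"   # assumption: mc alias "minio", bucket "vault-snapshots"
SNAP_RE = re.compile(r"vault-(\d{4})(\d{2})(\d{2})\.snap\b")


def snapshot_name(day):
    """vault-YYYYMMDD.snap: the date lives in the object name."""
    return f"vault-{day:%Y%m%d}.snap"


def parse_listing(text):
    """Snapshot dates found in `mc ls` output (or any text containing the names)."""
    return sorted({date(int(y), int(m), int(d)) for y, m, d in SNAP_RE.findall(text)})


def day_range(end_iso, n):
    """n consecutive dates ending on end_iso; constructed input for dry runs."""
    end = date.fromisoformat(end_iso)
    return [end - timedelta(days=i) for i in range(n)]


def keep_set(days, daily=7, weekly=4, monthly=12):
    """Grandfather-father-son retention: the newest `daily` snapshots, plus the newest
    snapshot of each of the last `weekly` ISO weeks and last `monthly` months that have one."""
    newest_first = sorted(set(days), reverse=True)
    keep = set(newest_first[:daily])
    for key, limit in ((lambda d: d.isocalendar()[:2], weekly),
                       (lambda d: (d.year, d.month), monthly)):
        buckets = []
        for d in newest_first:
            k = key(d)
            if k not in buckets:
                if len(buckets) == limit:
                    break
                buckets.append(k)
                keep.add(d)   # first hit per bucket is that bucket's newest snapshot
    return keep


def prune_plan(days, **policy):
    """Snapshot dates to delete, oldest first."""
    keep = keep_set(days, **policy)
    return [d for d in sorted(set(days)) if d not in keep]


def run(*cmd):
    subprocess.run(cmd, check=True)


def rotate(today=None):
    """Take today's snapshot, upload it, then delete what the policy no longer keeps."""
    today = today or date.today()
    name = snapshot_name(today)
    run("vault", "operator", "raft", "snapshot", "save", name)
    run("mc", "cp", name, f"{BUCKET}/{name}")
    listing = subprocess.run(["mc", "ls", BUCKET], check=True,
                             capture_output=True, text=True).stdout
    for d in prune_plan(parse_listing(listing)):
        run("mc", "rm", f"{BUCKET}/{snapshot_name(d)}")


if __name__ == "__main__":
    have = day_range("2026-06-05", 60)   # dry run on 60 constructed daily snapshots
    print("keep:", sorted(d.isoformat() for d in keep_set(have)))
    print("delete:", len(prune_plan(have)), "of", len(have))
```

Upload before pruning, never the other way round, and count the "Restore tested" bullet as part of the same job: `vault operator raft snapshot restore` against a scratch cluster is the only proof that what MinIO holds is usable.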


Ideas — Development & Tools

Inbox

Idea | Context | Category | Captured
adoc improvements | Add --watch flag, live reload to domus-asciidoc-build | tooling | 2026-03-22
tmux sessionizer | Project-based tmux sessions (like ThePrimeagen) | tooling | 2026-03-22
fzf git integrations | Interactive branch switching, log searching | tooling | 2026-03-22
gopass v3 → ADMINISTRATIO migration | Script to move remaining entries from old structure | tooling | 2026-03-22

netapi Expansion

netapi currently covers ISE (ERS, MnT, DataConnect), pfSense, WLC, Synology, Cloudflare. Three API surfaces are missing and needed:

  • VyOS — replaced pfSense 2026-03-07. Need API integration for config management, firewall rules, VRRP status. VyOS has a REST API on HTTPS.

  • BIND — nsupdate for dynamic DNS, rndc for server control. Critical for infrastructure automation — currently manual.

  • k3s — kubectl wrapper with common patterns (pod status, log tailing, rollout restart). Not a full k8s client — just the operational commands used daily.

Also: batch operations — cross-vendor commands like "backup all configs" or "check all endpoints." This is the glue that makes netapi more than a collection of wrappers.

netapi-tui — Network Operations TUI

Interactive terminal UI for ISE and network infrastructure management. Repo exists (netapi-tui). This is the visual layer on top of netapi — browse endpoints, view sessions, trigger CoA, all from a TUI instead of raw curl.

Could become a differentiator for ISE health check consulting — run it live during an engagement.

domus-cli — Infrastructure Orchestration

SSH-based infrastructure orchestration CLI. Repo exists. The glue between all infrastructure components — run commands across hosts, coordinate deployments, manage the homelab as a fleet.

domus-api — FastAPI Backend

REST API for the domus ecosystem. Repo exists. Could serve: association engine queries, codex search, ISE data proxy, worklog/tracker API for mobile access.

domus-asciidoc-build Enhancements

Standalone build toolchain — validated 2026-04-24. Ideas:

  • --attributes-file flag to auto-load data/shared/attributes.adoc

  • New HTML variants: Dracula, Nord, Solarized, Gruvbox, Tokyo Night

  • Fix Rouge syntax highlighting in royal/dark/light variants (only catppuccin fixed)

  • Interactive features: collapsible sections, search, keyboard navigation

  • --watch mode with live reload

domus-infra-ops Enhancements

296 pages, 529-line antora.yml. The most comprehensive repo. Ideas:

  • Validated Designs need review — 50+ configs, some may be stale post-VyOS migration

  • Runbooks need the partials architecture applied (like we did for data/d001/)

  • ISE runbooks could use the shared prereqs from data/shared/partials/

  • Disaster recovery runbooks — ISE, Vault, k3s, BIND — cross-reference with d001 DR project

  • Ansible playbooks integration — link automation-ops content to infra-ops runbooks

association-engine Expansion

Bidirectional knowledge graph — 379 keys, 602+ edges. Currently YAML-based. Ideas:

  • Web UI for graph visualization (D3.js or Cytoscape)

  • CLI query improvements — traverse depth, path finding

  • Integration with codex entries — auto-link commands to projects

  • Export to D2 diagrams

vim-odyssey

Educational vim game built in Rust. Repo exists. Could become a training product — gamified vim learning. Ties into the training content income stream.

obsidian-asciidoc-viewer

Secure AsciiDoc viewer for Obsidian with native .adoc support, edit mode, diagram rendering. Potential for Obsidian community — plugin marketplace distribution.

instrumentum-nvim

Streamlined Neovim config — the distributable version (separate from domus-nvim personal config). Could be a community project or part of training content.

crypta

Repo exists — purpose unclear. Document or archive.

gopass v3 Restructure

Current gopass structure is inconsistent — some entries use old v2 paths, some use v3 hierarchy. Need to:

  • Audit all entries: gopass ls --flat v3/ | wc -l

  • Apply gopass-personal-docs templates (bills, storage, subscriptions)

  • Add missing queries: gopass-query vehicles, gopass-query insurance, monthly totals

  • Document the structure in domus-secrets-ops


Ideas — Education & Training

Inbox

Idea | Context | Category | Captured
Anki deck from Don Quijote | Extract vocabulary to spaced repetition | language | 2026-03-22
DELE C1 mock exams | Practice test structure — timed writing + oral | language | 2026-03-22
Ruby metaprogramming deep dive | Tracker exists but unexplored — ties to Puppet/Chef understanding | programming | 2026-04-25
TypeScript fundamentals | Tracker exists — needed for Obsidian plugin dev and domus-api frontend | programming | 2026-04-25
C/C++ fundamentals | Trackers exist — systems programming foundation for Rust trajectory | programming | 2026-04-25
Kernel IPC study | Pages exist under education/kernel/ipc — deepen systems understanding | systems | 2026-04-25

CLI Mastery — Curriculum Track

The foundation for everything. Multiple tracks in progress, need consolidation:

  • AWK — tracker exists (awk.adoc). Like regex curriculum — 10 modules, drills. Current level: Intermediate. Need: state machines, multi-file processing, BEGIN/END patterns.

  • sed — tracker exists (sed.adoc). Pattern-based editing mastery. Hold buffer, multiline, in-place with verify-before/after.

  • find — tracker exists (find.adoc). Advanced: -exec sh -c, -print0 | xargs -0, predicate logic, prune.

  • grep — tracker exists (grep.adoc). PCRE lookaheads/lookbehinds, -P patterns.

  • jq — tracker exists (jq.adoc). Path expressions, select, group_by, @csv, reduce.

  • Regex — tracker exists (regex-mastery.adoc, regex-carryover.adoc). Morning carryover item. Foundation for everything.

These should be studied together — each tool reinforces the others. Daily practice: pick one tool, solve one real problem, capture to codex.

Ultimate Linux Shell Scripting Guide

Cloned to ~/atelier/_bibliotheca/community-repos/The-Ultimate-Linux-Shell-Scripting-Guide/. Chapters 6-23. Missing chapters 1-5.

Pairs with the local Bash Reference Manual at /usr/share/doc/bash/bashref.html. Both should be worked through systematically — the guide for practical patterns, the reference for deep understanding.

High priority because CLI mastery compounds into everything: automation, netapi, ISE API work, daily workflow. Two months in, writing interactive loops from memory — next level is state machines, getopts, signal handling, subshell control.

Bash Reference Manual (Local)

/usr/share/doc/bash/bashref.html — already on this machine. The authoritative source. Read section by section, extract patterns to codex. Key sections:

  • Shell Expansions (parameter, command, arithmetic, process substitution)

  • Compound Commands ([[ ]], (( )), for, while, case, select)

  • Shell Builtin Commands (every builtin, what it does, when to use it)

  • Job Control (background, foreground, wait, trap)

  • Bash Variables ($?, $!, $$, $@, $#, BASH_REMATCH)

CISSP Study Activation

Tracker exists at trackers/education/cissp.adoc — 8 domains, all "Not Started." Q3 2026 target is ~2 months away.

Domains 4 (Network), 5 (IAM), 6 (Assessment), 7 (Operations) map directly to CHLA work. Start there.

  • Acquire official study guide + Boson practice exams

  • Create 12-week schedule (1 domain/week + 4 weeks review)

  • Map CHLA experience to each domain for endorsement

  • Daily practice questions (10/day minimum)

RHCSA Certification

Tracker exists (rhcsa.adoc). In progress. Linux administration is daily work — this cert validates it. Complements LPIC-1 (already held) and feeds into LPIC-2.

LPIC-2 Advancement

Tracker exists (lpic-2.adoc). LPIC-1 already held. LPIC-2 covers: capacity planning, kernel, network config, storage, DNS, web servers, file sharing, LDAP, email, security. Directly applicable to homelab infrastructure.

DevNet Associate

Tracker exists (devnet.adoc). Cisco developer certification — Python, APIs, automation. Aligns with netapi development and the automation trajectory at CHLA. The Python + ISE API work you’re doing daily is the study material.

Terraform / IaC

Tracker exists (terraform.adoc). Infrastructure as Code for KVM VMs, Vault config, Cloudflare DNS. Partially implemented in domus-terraform repo. Need to formalize the study track.

Vault / HashiCorp

Tracker exists (vault-hashicorp.adoc). Running Vault HA in production. Deep knowledge exists — need to formalize for potential HashiCorp certification and the PKI consulting income stream.

Python Deepening

Tracker exists (python-fundamentals.adoc). Repo exists (domus-python). Two months into scripting. Current: API integration, DataConnect queries, report generation. Next level: OOP patterns, packaging, testing, type hints. The report.py and qradar-charts.py scripts are the foundation — need to level up from scripts to maintainable tools.

Go CLI Development

Tracker exists (go.adoc). Learn Go via CLI tool development — netapi rewrite target. Cobra-style argument parsing, cross-compilation, single binary distribution. This is the commercialization path for netapi.

Lua / Neovim Plugin Development

Tracker exists (lua.adoc). Plugin development, lazy.nvim patterns. You use nvim daily — understanding Lua unlocks custom tooling. Ties to instrumentum-nvim (distributable config) and domus-nvim (personal config).

Rust

Tracker exists (rust.adoc). Current level: Beginner. vim-odyssey repo exists (Rust game). Long-term investment — systems programming, CLI tools, WASM. Not urgent but compounds over years.

Mathematics

Repo exists (domus-math). Tracker exists (college-algebra.adoc). Mathematics for infrastructure, security, and research computing. Cryptography tracker also exists — PKI work demands understanding of the math underneath.

Languages & Literature

Extensive content exists:

  • Spanish — DELE C1 track (dele-spanish.adoc), SIELE (siele.adoc), writing (spanish-writing.adoc), immersion pages. domus-literature repo.

  • Don Quijote — tracker exists (don-quijote.adoc), full chapter pages in education/literature/quijote/.

  • García Márquez — tracker exists (garcia-marquez.adoc).

  • Scripture — domus-scripture repo. RV1909, KJV, Tanakh. Trackers: la-reina-valera.adoc, tanakh.adoc.

  • Linguistics — tracker exists, pages exist.

  • Latin — current level A2 per skill levels.

Music

  • Violin — tracker exists (violin.adoc). domus-musica repo.

  • Cello — tracker exists (cello.adoc).

Container & Kubernetes Deepening

Tracker exists (containers.adoc, k8s-fundamentals.adoc). Running k3s + Cilium + ArgoCD in homelab. Need to formalize: CKA preparation, Helm chart development, operator patterns. Ties to the k3s HA infrastructure idea.

DNS / BIND Mastery

Tracker exists (dns-bind.adoc). Running BIND in production — split-horizon, DNSSEC, RPZ content filtering. Formalize the knowledge for the infrastructure consulting offering.


Ideas — Documentation

Inbox

Idea | Context | Category | Captured
Antora search fix | Lunr index too large — explore alternatives | docs | 2026-03-22
domus-* cross-reference audit | Find and fix broken xrefs across all repos | docs | 2026-03-22
Runbook template standardization | Consistent format across all runbooks | docs | 2026-03-22


Ideas — Personal & Creative

Inbox

Idea | Context | Category | Captured
LilyPond → PDF pipeline | Automate music notation compilation | music | 2026-03-22
age encryption workflow doc | Document full workflow for cold storage | security | 2026-03-22

Income Diversification

Full assessment in .drafts/income-streams-assessment-2026-04-24.adoc. 19-repo skill surface analyzed. Four tiers identified:

  • Tier 1 (now): ISE health checks, compliance documentation, pentest remediation consulting

  • Tier 2 (build once): Runbook templates, training content (operational ISE), PKI/secrets consulting

  • Tier 3 (recurring): SIEM migration services, threat hunting playbooks, observability buildouts

  • Tier 4 (longer): Full security architecture consulting, NAC-to-microsegmentation bridge, vCISO

The reframe: security infrastructure architect, not ISE engineer. The 5-10 year NAC transition period is where the consulting money is.

Next step: pick 1 Tier 1 offering and define scope, deliverable, price. ISE health checks are the fastest — remote, half-day, repeatable.

Certification Progress

Renewal Required

Certification | Provider | Expiry | Status | Dependency
LPIC-1 | Linux Professional Institute | Check expiry | RENEW | Blocks LPIC-2 pursuit

Planned (After Urgent)

Certification | Provider | Target | Status
Claude Code Certification | Anthropic | Q2 2026 | IN PROGRESS
LPIC-2 | Linux Professional Institute | After LPIC-1 renewal | Blocked
DevNet Associate | Cisco Developer Network | Q3 2026 | Draft (Project)
CyberOps Associate | Cisco Security Operations | Q4 2026 | Draft (Project)

Language Certifications (Personal Development)

Certification | Provider | Target | Status | Notes
SIELE C1 | Instituto Cervantes | Q2 2026 | ACTIVE | Computer-based, take FIRST
DELE C1 | Instituto Cervantes | Q3/Q4 2026 | PLANNED | After SIELE validates readiness

Skill Focus: Comprensión auditiva (WEAK), Subjuntivo avanzado, Formal register

Full DELE Study Plan: see the skills matrix in trackers/education/language-certifications.adoc

Weekly Checklist

  • PeopleSoft time submitted for pay period

  • Carryover items reviewed (>7 days = action required)

  • Certifications: Did I study this week?

  • Ideas: Promote 1-2 to active or archive stale

  • Blockers: Any progress? Escalation needed?

Infrastructure Status

HA Deployment Status

System | Description | Status | Notes
VyOS HA | vyos-01 (kvm-01) + vyos-02 (kvm-02) with VRRP VIP | ✅ COMPLETE | 2026-03-07 - pfSense decommissioned
BIND DNS HA | bind-01 (kvm-01) + bind-02 (kvm-02) with AXFR | ✅ COMPLETE | Zone transfer operational
Vault HA | Raft cluster (vault-01/02/03) | ✅ COMPLETE | Integrated with PKI
Keycloak Rebuild | keycloak-01 corrupted, rebuild from scratch | 🔄 NEXT | Priority P3 - SSO broken
FreeIPA HA | ipa-02 replica planned | 📋 PLANNED | Linux auth redundancy
AD DC HA | home-dc02 replication | 📋 PLANNED | Windows auth redundancy
iPSK Manager HA | ipsk-mgr-02 with MySQL replication | 📋 PLANNED | PSK portal redundancy
ISE HA | PAN HA (ise-01 reconfigure) | ⏳ DEFERRED | Wait until ise-02 stable
ISE 3.5 Migration | Upgrade path: 3.2p9 → 3.4 (P1) → 3.5 (target) | 📋 PLANNED | After 3.4 Migration completes (Q2 2026)

Single Points of Failure (CRITICAL)

These systems have NO redundancy - outage impacts production.

System | Impact if Down | Mitigation
ISE (ise-02) | All 802.1X stops - wired and wireless auth fails | ise-01 reconfiguration deferred until ise-02 stable
Keycloak (keycloak-01) | SAML/OIDC SSO broken (ISE admin, Grafana, etc.) | NEXT PRIORITY - Rebuild runbook
FreeIPA (ipa-01) | Linux auth, sudo rules, HBAC fails | ipa-02 replica planned
AD DC (home-dc01) | Windows auth, Kerberos, GPO fails | home-dc02 replica planned
iPSK Manager | Self-service PSK portal unavailable | ipsk-mgr-02 with MySQL replication planned